JDK-4857110 : NTLM authentication must be transparent for users

Details
Type: Bug
Submit Date: 2003-05-01
Status: Resolved
Updated Date: 2003-09-19
Project Name: JDK
Resolved Date: 2003-08-07
Component: core-libs
OS: solaris_8,windows_xp,windows_2000
Sub-Component: java.net
CPU: x86,sparc
Priority: P4
Resolution: Fixed
Affected Versions: 1.4.1,1.4.2
Fixed Versions: 1.4.2_02 (02)

Related Reports
Backport:
Duplicate:

Sub Tasks

Description
Name: nt126004			Date: 05/01/2003


FULL PRODUCT VERSION :
JDK 1.4.2-beta


FULL OS VERSION :
Microsoft Windows 2000 [Version 5.00.2195]

A DESCRIPTION OF THE PROBLEM :
The bug 4423881 has been finally fixed in JDK 1.4.2
http://developer.java.sun.com/developer/bugParade/bugs/4423881.html

However, the way it's fixed in JDK1.4.2 is not a fix but rather a workaround.
Users are asked to enter NT account information in order to use Plugin-based applets while they really don't have to while browsing regular pages and applets running in the native Microsoft JVM.

JRE has to support NTLM transparently for users. Security context should be taken from the current process and serialized via SSPI.




REPRODUCIBILITY :
This bug can be reproduced always.
(Review ID: 185108) 
======================================================================

                                    

Comments
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
1.4.2_02
tiger

FIXED IN:
1.4.2_02
tiger

INTEGRATED IN:
1.4.2_02
tiger
tiger-b22


                                     
2004-09-28
EVALUATION

commit this bug to 1.4.2_02
###@###.### 2003-06-06

1.4.2_02 will be available before end of 2003.

###@###.### 2003-06-09

The fix to this bug involves extracting the current logged-in
user's credentials from the OS when an NTLM challenge
from a server or proxy occurs. This username/password
is used (without prompting the user, i.e. not calling the
application's Authenticator). If this attempt fails
(such as if the account is not recognised) then it falls
back to the old mechanism, which involves calling the
Authenticator so that the user can type in a different
username/password.

This bug has been fixed as described above in:
 
1.4.2_02 ==> to be released before end of 2003 

and

1.5.0 ==> to be released in 2004

###@###.### 2003-07-23
                                     
2003-07-23
SUGGESTED FIX

http://jpsesvr.sfbay.sun.com:8080/ctetools/html/ViewDetail.jsp?index=726

###@###.### 2003-07-16
                                     
2003-07-16
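
Added example (not part of the bug report and not the JDK's own code): an application-side Authenticator for the fallback path described in the evaluation, which is reached only after the transparent attempt has failed. It answers NTLM challenges only, and only for an allowlist of hosts; the host names are placeholders, and Java 9 or later is assumed for Set.of.

```java
import java.io.Console;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/** Fallback Authenticator: invoked when the transparent NTLM attempt did not succeed. */
public class NtlmFallbackAuthenticator extends Authenticator {

    // Hypothetical allowlist of hosts that may receive typed-in domain credentials.
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("intranet.example.com", "proxy.example.com");

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        String scheme = getRequestingScheme();
        String host = getRequestingHost();

        // Only NTLM challenges are answered here; any other scheme gets no credentials.
        if (scheme == null || !scheme.equalsIgnoreCase("ntlm")) {
            return null;
        }
        // Refuse hosts outside the allowlist; getRequestorType() is SERVER or PROXY.
        if (host == null || !TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            System.err.println("Refusing NTLM credentials for "
                    + getRequestorType() + " " + host);
            return null;
        }
        Console console = System.console();
        if (console == null) {
            return null; // no interactive terminal, so nothing to prompt on
        }
        String user = console.readLine("NTLM user for %s (DOMAIN\\user): ", host);
        char[] password = console.readPassword("Password: ");
        if (user == null || password == null) {
            return null;
        }
        return new PasswordAuthentication(user, password);
    }

    public static void main(String[] args) throws Exception {
        Authenticator.setDefault(new NtlmFallbackAuthenticator());
        HttpURLConnection conn = (HttpURLConnection) new URL(args[0]).openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Returning null leaves the challenge unanswered, so the request ends with the server's or proxy's 401/407 response rather than with credentials sent to an unlisted host.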


