[webkit-gtk] libwebkit2gtk and NTLM authentication

Brian Holt brian.holt at samsung.com
Wed Oct 16 05:40:20 PDT 2013


> >> There can be found: "WEBKIT_AUTHENTICATION_SCHEME_NTLM = 5" from the
> >> WebKitAuthenticationScheme.
> >> However, I can't catch The "authenticate" -signal in case of NTLM.
> It
> >> seems to work fine at least with BASIC and DIGEST -authentications.
> >
> > According to libsoup API docs, NTLM authentication is not enabled by
> > default and the feature should be added to the session explicitly. I
> > don't think we are doing that in WebKit, so I guess we don't support
> > NTLM authentication at the moment.
> >
> > Dan, is this right?
> 
> Yes. You need to do
> 
>   soup_session_add_feature_by_type (session, SOUP_TYPE_NTLM_AUTH);
> 
> There are some arguments against enabling it by default; if you have
> the client-side samba stuff installed, and are logged into a Windows
> domain, then NTLM authentication can happen completely transparently
> (ie, no "authenticate" signal, no password dialog) using the cached
> credentials, and there are attacks against intranets that you could
> make using that functionality if you could hijack someone's http
> connection... so it's best to only have it get used when the app is
> explicitly expecting it to be used (as in evolution).
> 

This is fine if you are building WebKit yourself and are happy to add the line deep inside WebCore (perhaps in ResourceHandleSoup.cpp createSoupSession()), unless there is some way to get hold of the soup session at the API level?  Perhaps we should expose an API in WebKitWebContext that allows NTLM e.g.

WEBKIT_API void
webkit_web_context_set_ntlm_authentication_enabled(WebKitWebContext *context,
                                                   gboolean          enabled);

Regards
Brian




More information about the webkit-gtk mailing list