[Webkit-unassigned] [Bug 122952] [GTK][WPE] Add NTLM authentication enabled API

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 5 06:20:34 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=122952

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #19 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Brian Holt from comment #0)
> From Dan Winship:
>     There are some arguments against enabling it by default; if you have the
> client-side samba stuff installed, and are logged into a Windows domain,
> then NTLM authentication can happen completely transparently (ie, no
> "authenticate" signal, no password dialog) using the cached credentials, and
> there are attacks against intranets that you could make using that
> functionality if you could hijack someone's http connection... so it's best
> to only have it get used when the app is explicitly expecting it to be used
> (as in evolution).
> 
> Instead we should expose an API in WebKit like
> 
> WEBKIT_API void
> webkit_web_context_set_ntlm_authentication_enabled(WebKitWebContext *context,
>                                                    gboolean         
> enabled);
> 
> that sends a message to the WebProcess (or NetworkProcess), which in turn
> will add the feature to the soup session using
> 
>   soup_session_add_feature_by_type (session, SOUP_TYPE_NTLM_AUTH);

Firefox enables it by default. And if it's not enabled, you cannot access websites that are gated by NTLM auth. For web compat, I think we have to match other browsers.

(In reply to Carlos Garcia Campos from comment #14)
> I've been told that we don't really need this. We already support gssapi,
> and that supports ntlm if the right package is installed. Paul, could you
> confirm it works for you by installing gss-ntlmssp and without the patch?
> What libsoup version are you using, btw?

In Fedora the package is gssntlmssp. I confirmed that installing the package is not enough to make NTLM work on the test page http://ntlm.herokuapp.com/. I use gssapi every day for kerberos auth, and that works fine. So only NTML is not working. Reopening.

(In reply to Paul van Tilburg from comment #18)
> Years have passed and I can confirm that in Ubuntu 18.04 LTS (Bionic) works
> out of the box using the normal authentication callbacks, so this bug report
> can be closed.

I don't know how to explain this. Maybe something broke between then and now.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200905/d1422398/attachment-0001.htm>


More information about the webkit-unassigned mailing list