[squeak-dev] Re: WebClient with proxy NTLM authentication

Andreas Raab andreas.raab at gmx.de
Fri Sep 17 05:15:50 UTC 2010 

Hi Denis -

I gave it a quick shot and found that the interface is pretty trivial to 
implement via FFI. As a consequence I've added a WebClientSSP which 
provides support for NTLM authentication via Microsoft SSP through an 
FFI interface. To install it you need:

1) The (latest version of) the FFI:

(Installer repository: 'http://source.squeak.org/FFI')
	install: 'FFI-Pools';
	install: 'FFI-Kernel';
	install: 'FFI-Tests'.

2) The WebClient-SSP package:

(Installer repository: 'http://squeaksource.com/WebClient')
	install: 'WebClient-SSP'.

Once installed you should be able to use WebClientSSP with NTLM auth for 
both proxy and regular authentication. Do note that I might change the 
implementation entirely; I've added WebClientSSP as a subclass so that 
it can be loaded and unloaded easily and doesn't affect the core 
implementation of WebClient.

WARNING: I have only tested this very rudimentary. In *theory* 
WebClientSSP should support NTLM and Kerberos authentication with full 
SSO (i.e., if you're attached to a domain you should be able to 
authenticate without ever being asked for credentials) but I don't have 
the ability to test this from home so my only test was against 
sharepointspace.com which provides NTLM auth only. In other words 
there's a lot of stuff that hasn't been tested yet, including NTLM proxy 
auth, any kind of Negotiate/SPNEGO auth, SSO etc. In short, your mileage 
may vary greatly but testing and feedback are obviously welcome.

Cheers,
   - Andreas

On 9/16/2010 12:03 PM, Denis Kudriashov wrote:
> Thank you, Andreas for response.
>
> I really prefer 1) option. I hate C stuff.
> I examine VW code for NTLM and It's not really difficult.
>
> And maybe I can use CurlPlugin for that. It's will be more simple
> solution for me
>
> 2010/9/16 Andreas Raab <andreas.raab at gmx.de <mailto:andreas.raab at gmx.de>>
>
>     On 9/16/2010 5:43 AM, Denis Kudriashov wrote:
>
>         Is WebClient supports proxy NTLM authentication?
>
>
>     It doesn't.
>
>
>         If not Can you advise me how two implement it?
>
>
>     You have basically two options:
>     1) Implement it from scratch. There are a number of resources that
>     describe NTLM in detail (basically reverse-engineered since there's
>     no official documentation), for example:
>
>     http://www.innovation.ch/personal/ronald/ntlm.html
>
>     2) Implement it via a plugin using the Microsoft SSP interface. Your
>     starting point would be here:
>
>     http://msdn.microsoft.com/en-us/library/aa375512%28VS.85%29.aspx
>
>     FWIW, we went for option #2 in our products; the authentication part
>     is tricky (lots of details) but straightforward in principle (i.e.,
>     you basically call InitializeSecurityContext twice and are done).
>
>     Cheers,
>       - Andreas
>
>
>
>
>

More information about the Squeak-dev mailing list