Thursday, March 25, 2010

Integrating failover strategy for Spring Security NTLM

During the implementation of NTLM authentication in our application, I wanted to achieve failover to the standard login page (HTML form) if NTLM authentication fails.

In order to obtain the wanted behavior I extended some Spring Security classes and hacked them a little bit, so I created:
  • An AuthenticationEntryPoint strategy to switch between NTLM and the standard login
  • A custom AuthenticationProvider to skip password checking when a user authenticates with NTLM
  • A custom NtlmProcessingFilter to disable NTLM authentication if a remember-me cookie is present
The thing I was unable to do is detect whether the user's client is NTLM compliant before starting the NTLM challenge. Due to the way the protocol is built (and certainly for security reasons), it's impossible to know whether the client is NTLM compliant before launching the challenge.
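The following is an added example of how two of the three pieces above fit together; it is not the code from the post's sample application. It is written against the Spring Security 2.0 API the post uses (`org.springframework.security.ui.AuthenticationEntryPoint`, `DaoAuthenticationProvider`, `NtlmUsernamePasswordAuthenticationToken`); the session attribute name, the `markNtlmFailed` hook and the two class names are assumptions. The cookie name is the default of Spring Security's `TokenBasedRememberMeServices`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.AuthenticationException;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.dao.DaoAuthenticationProvider;
import org.springframework.security.ui.AuthenticationEntryPoint;
import org.springframework.security.ui.ntlm.NtlmUsernamePasswordAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;

/**
 * Added example (not the post's sample code): an entry point that issues the NTLM
 * challenge on first contact and falls back to the HTML form once NTLM has failed
 * for this session or a remember-me cookie is present.
 */
public class NtlmOrFormEntryPoint implements AuthenticationEntryPoint {

    /** Session flag set from the NTLM filter's failure path (hypothetical hook, see markNtlmFailed). */
    static final String NTLM_FAILED_ATTR = "ntlm.failed";
    /** Default cookie name of Spring Security's TokenBasedRememberMeServices. */
    static final String REMEMBER_ME_COOKIE = "SPRING_SECURITY_REMEMBER_ME_COOKIE";

    private final AuthenticationEntryPoint ntlmEntryPoint; // e.g. the NTLM module's entry point
    private final AuthenticationEntryPoint formEntryPoint; // e.g. the form-login entry point

    public NtlmOrFormEntryPoint(AuthenticationEntryPoint ntlmEntryPoint,
                                AuthenticationEntryPoint formEntryPoint) {
        this.ntlmEntryPoint = ntlmEntryPoint;
        this.formEntryPoint = formEntryPoint;
    }

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (hasRememberMeCookie(req) || ntlmAlreadyFailed(req)) {
            // Remember-me user, or a client that could not complete NTLM: show the form.
            formEntryPoint.commence(request, response, authException);
        } else {
            // Nothing in a plain request reveals whether the client speaks NTLM,
            // so the only way to find out is to issue the challenge.
            ntlmEntryPoint.commence(request, response, authException);
        }
    }

    /** Hypothetical hook: call this from the custom NtlmProcessingFilter when the handshake fails. */
    public static void markNtlmFailed(HttpServletRequest req) {
        req.getSession(true).setAttribute(NTLM_FAILED_ATTR, Boolean.TRUE);
    }

    static boolean ntlmAlreadyFailed(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && Boolean.TRUE.equals(session.getAttribute(NTLM_FAILED_ATTR));
    }

    /** Presence only: the cookie is validated later by RememberMeProcessingFilter, not here. */
    static boolean hasRememberMeCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (REMEMBER_ME_COOKIE.equals(c.getName())
                    && c.getValue() != null && c.getValue().length() > 0) {
                return true;
            }
        }
        return false;
    }
}

/**
 * Provider that trusts the token built by the NTLM filter (the password was already
 * verified by the domain controller through JCIFS) but keeps the normal password
 * comparison for form logins. Assumes NtlmUsernamePasswordAuthenticationToken, as in
 * Spring Security 2.0, extends UsernamePasswordAuthenticationToken.
 */
class NtlmAwareAuthenticationProvider extends DaoAuthenticationProvider {

    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        if (authentication instanceof NtlmUsernamePasswordAuthenticationToken) {
            return; // only the NTLM token type skips the check; a form token never does
        }
        super.additionalAuthenticationChecks(userDetails, authentication);
    }
}
```

The point to keep in mind with the provider is that the skipped password check is keyed on the token type, never on the username: a `UsernamePasswordAuthenticationToken` coming from the login form still goes through `DaoAuthenticationProvider`'s normal comparison, so the NTLM shortcut cannot be reached by posting a form. The entry point only looks at whether a remember-me cookie exists to choose the login mode; whether the cookie is valid is decided by the remember-me filter.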

So let's take the scenario of a Google Chrome user:
  1. A popup (HTTP realm) authentication window is shown to the user
  2. He hits Enter with invalid credentials (i.e. empty username/password)
  3. The browser is redirected to the standard HTML login form
By using 'remember me', the NTLM authentication won't be shown the next time the user accesses the site, due to the presence of the cookie.

If the user's client is Internet Explorer, no authentication window is shown because the browser directly uses the credentials of the logged-on Windows user. If the authentication fails, the standard HTML login form is displayed, letting him log in with other credentials.

This implementation was made using Spring Security 2.0.5, but it can be easily converted to Spring Security 3.0 using the Spring Security NTLM 3 module I recently created. Don't hesitate to ask me if you want me to publish an updated version.

You can download a sample application including the hacked classes here:


  1. Could you publish a Spring Security 3 version please? Thank you!

  2. In your applicationContext.xml the _filterChainProxy is not defined? It cannot be found in your web.xml either. Can you explain?

  3. I tried to grab it and purposely entered a wrong username and password during NTLM. I was forwarded to the form login. Then I entered username: alois.cochard, password: user, but failed to log in on the form. Is the example working?

  4. I did some testing and found out it works in Firefox, but not in Internet Explorer. Is this because the HTTP NTLM header still exists when doing a form POST?

  5. @cometta

    Sorry for the late response!

    First, the '_filterChainProxy' is a bean automatically configured by Spring Batch. If you search in the Spring Batch source code, there is an enumeration referencing this name.

    I don't understand how you managed to enter a wrong user name and password during Internet Explorer NTLM authentication.

    In IE the user name and password are taken from your Windows session (normally a session opened on a domain; using NTLM without a domain is nonsense).

    But that's totally different in Firefox, since it can't access the user session information, so it prompts for user/password.