NTLM Authentication not working anymore in OutOfBlinkCors


Postby Toralion » Mon Mar 29, 2021 9:48 am

Hi,

I have a problem uploading a file to a MinIO (or S3) repo using CEF >86 (JS, XMLHttpRequest).

When trying to send the preflight (OPTIONS) request, I would expect the typical challenge/response ping-pong with the proxy.
What happens is that CEF sends exactly one request, the proxy answers with a 407 Proxy Authentication Required, and that's it. No second try to connect, no authentication granted.

Doing exactly the same using a Chrome browser or a CEF v86 with --disable-features=OutOfBlinkCors works perfectly.
Of course I tried a CEF >86 with the proxy disabled... works too.

Are there any new security/CORS rules I have to handle? Am I doing something wrong, or is this indeed a bug in CEF?

Thx,
Toralion


Here's the request/response showing some details, recorded with Wireshark:

Request:
---------
OPTIONS http://SOMESERVER:9000/210/root/rep01/7 ... 8e55aaa4f7 HTTP/1.1
Host: SOMESERVER:9000
Proxy-Connection: keep-alive
Accept: */*
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: content-md5,content-type,x-csrf-token
Origin: http://SOMESERVER:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Sec-Fetch-Mode: cors
Referer: http://SOMESERVER:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/4.4
Mime-Version: 1.0
Date: Mon, 29 Mar 2021 09:41:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 4565
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
Proxy-Authenticate: NTLM
X-Cache: MISS from CentOSNTLMProxy
X-Cache-Lookup: NONE from CentOSNTLMProxy:3128
Via: 1.1 CentOSNTLMProxy (squid/4.4)
Connection: keep-alive
Toralion
Newbie
 
Posts: 3
Joined: Mon Mar 29, 2021 9:16 am
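
A capture like the one in the post above can be checked mechanically for the point at which the proxy NTLM exchange stopped. The following Python script is an added example, not part of the original posts or of CEF; it assumes message heads exported from a capture in wire order, and the sample exchanges and NTLM tokens (signature and type field only) are constructed.

```python
import base64

def parse_head(text):
    """Split a message head into its start line and lowercased headers."""
    lines = text.strip().splitlines()
    headers = {}
    for name, sep, value in (line.partition(":") for line in lines[1:]):
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def ntlm_type(values):
    """0 for a bare 'NTLM' offer, 1-3 for a token's message type, else None."""
    for value in values:
        scheme, _, token = value.partition(" ")
        if scheme.upper() == "NTLM":
            if not token.strip():
                return 0
            raw = base64.b64decode(token)
            if raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
                return int.from_bytes(raw[8:12], "little")
    return None

def handshake_state(messages):
    """Walk message heads in wire order; report how far proxy NTLM auth got."""
    state = "no proxy auth seen"
    for msg in messages:
        start, headers = parse_head(msg)
        if not start.startswith("HTTP/"):  # client request
            sent = ntlm_type(headers.get("proxy-authorization", []))
            state = f"type {sent} sent, awaiting proxy" if sent in (1, 3) else state
            continue
        status = start.split()[1]
        offered = ntlm_type(headers.get("proxy-authenticate", []))
        if state == "type 3 sent, awaiting proxy":
            state = "rejected" if status == "407" else "authenticated"
        elif status == "407" and offered == 2:
            state = "stalled: challenge received, no type 3 sent"
        elif status == "407" and offered == 0:
            state = "stalled: NTLM offered, no type 1 sent"
    return state

# Constructed samples; STALLED mirrors the capture in the post, tokens are stubs.
STALLED = ["OPTIONS http://SOMESERVER:9000/obj HTTP/1.1\nHost: SOMESERVER:9000",
           "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: NTLM"]
COMPLETE = STALLED + [
    "OPTIONS http://SOMESERVER:9000/obj HTTP/1.1\nProxy-Authorization: NTLM TlRMTVNTUAABAAAA",
    "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: NTLM TlRMTVNTUAACAAAA",
    "OPTIONS http://SOMESERVER:9000/obj HTTP/1.1\nProxy-Authorization: NTLM TlRMTVNTUAADAAAA",
    "HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: http://SOMESERVER:8080"]
```

`handshake_state(STALLED)` reports that NTLM was offered and no type 1 message followed, which is the behaviour the post describes; a capture that reaches `authenticated` rules the proxy handshake out as the cause.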

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby Toralion » Mon Apr 12, 2021 9:20 am

After a few days trying to debug the code, we're still not sure what exactly the problem is.

When using a current Chrome browser, after the first 407 response of the proxy, the authentication challenge is started and HttpAuth::HandleChallengeResponse() is called.

If we do the same with the current CEF, we never reach that method or any other source within Chromium which is responsible for the NTLM authentication challenge.

Digging deeper in the source:

Here's what we found out so far (please see the attached PDF):

We guess that the problem is that the CorsPreflightRequest class is registered as header_client_ within services/network/URLLoader
and therefore URLLoader::OnBeforeStartTransaction() is cancelled
and in the end blocks URLRequestHttpJob::StartTransactionInternal() from being called,
which seems to be relevant for triggering the authentication challenge (transaction_->RestartWithAuth()).

Are we right with those assumptions?

Could it be that deleting CorsPreflightRequest is missing somewhere, or is it the InterceptedRequest which is not working correctly?


Attachment: CEF OutOfBlink Impl.pdf (131.98 KiB)

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby magreenblatt » Mon Apr 12, 2021 12:21 pm

You can set |pass_through| to true in ProxyURLLoaderFactory::CreateLoaderAndStart to test if network interception is causing the problem.
magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby Toralion » Tue Apr 13, 2021 6:56 am

magreenblatt wrote: You can set |pass_through| to true in ProxyURLLoaderFactory::CreateLoaderAndStart to test if network interception is causing the problem.


Hi Marshall,

Thx for the fast response. Yes, that does the trick! As soon as we set |pass_through| to true, the NTLM authentication works again.

So, to fix that problem for the moment: Do you see any drawbacks / side effects if we use CEF with that setting?
We do not need any custom request handling or manipulating in our environment, just simple browser stuff.

Should I create an issue for that problem?

Would it be an idea to make |pass_through| a "real" option?

Thx for your help,
Toralion

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby magreenblatt » Tue Apr 13, 2021 8:38 am

Yes, please create an issue. Making pass_through a real option could be helpful (you can mention it as a workaround in the issue). Thanks.

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby magreenblatt » Fri Jun 11, 2021 11:13 am

magreenblatt wrote: Yes, please create an issue. Making pass_through a real option could be helpful (you can mention it as a workaround in the issue). Thanks.

The option has now been added in this commit.

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby vinayk » Fri Sep 17, 2021 1:37 am

Hi Marshall,

We are facing a similar issue wherein the OPTIONS (preflight) call is failing in Kerberos authentication. (https://www.magpcss.org/ceforum/viewtop ... =6&t=18639)

The |pass_through| workaround seems to be fixing the issue, but we can't use the workaround as we need CEF's custom request handling mechanism.

Can you please check this issue and help us with a proper fix? Thanks.
vinayk
Techie
 
Posts: 12
Joined: Thu Feb 13, 2020 7:46 am

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby magreenblatt » Fri Sep 17, 2021 1:47 am

An issue was added for this at https://bitbucket.org/chromiumembedded/ ... ot-working. If fixing this is a priority for you I suggest building CEF/Chromium from source code and trying to debug it yourself. A PR to fix it would likely be accepted.

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby JasonLP » Mon Oct 04, 2021 3:37 pm

magreenblatt wrote:
magreenblatt wrote: Yes, please create an issue. Making pass_through a real option could be helpful (you can mention it as a workaround in the issue). Thanks.

The option has now been added in this commit.


I posted a question about the dev tools window appearing blank, and found it was related to this.
While the `--disable-request-handling-for-testing` option works for what it does, it also causes the devtools window to be blank. Can you make an exception for the dev tools window as originally mentioned in the issue report here? https://bitbucket.org/chromiumembedded/ ... ot-working

Additional info: To make devtools work, do something like this:
bool pass_through = !request.url.SchemeIs("devtools");
JasonLP
Mentor
 
Posts: 98
Joined: Fri Jul 25, 2014 10:10 am

Re: NTLM Authentication not working anymore in OutOfBlinkC

Postby magreenblatt » Tue Oct 05, 2021 2:57 am

We should probably only enable pass-thru for HTTP[S] schemes.
