Hello,

I'm trying to implement an authmod that does basic NTLM user authentication. I only extract the domain and username from the NTLM packet.

After some testing I can see that no Authorization header arrives at the appmod:


 {arg,#Port<0.219>,
                         {{127,0,0,1},34698},
                         {headers,"keep-alive",
                             "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                             "localhost:8889",undefined,undefined,undefined,
                             undefined,undefined,undefined,undefined,
                             "Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.4) Gecko/2008111318 Ubuntu/8.10 (intrepid) Firefox/3.0.4",
                             undefined,
                             ["userLang=es_ES"],
                             "300",undefined,undefined,undefined,undefined,
                             undefined,undefined,
                             [{http_header,9,'Accept-Charset',undefined,
                                  "ISO-8859-1,utf-8;q=0.7,*;q=0.7"},
                              {http_header,10,'Accept-Encoding',undefined,
                                  "gzip,deflate"},
                              {http_header,11,'Accept-Language',undefined,
                                  "es-es,es;q=0.8,en-us;q=0.5,en;q=0.3"}]},
                         {http_request,'GET',{abs_path,"/"},{1,1}},
                         undefined,undefined,undefined,undefined,
                         "priv/docroot","/",undefined,undefined,undefined,
                         <0.104.0>,[],undefined,undefined,undefined}


But using Wireshark I can see the Authorization header on the wire...

After searching the code I located the following:

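%% Parse the value of an HTTP Authorization header.
%%
%% Returns {User, Pass, Orig} for a Basic credential that decodes to
%% "user:password", {undefined, undefined, Orig} for a Negotiate value
%% (the raw header is handed on untouched, nothing is decoded here), and
%% undefined for anything else, including a Basic value that does not
%% base64-decode or has no "user:password" shape. Orig is always the
%% unmodified header value.
parse_auth(Orig = "Basic " ++ Auth64) ->
    case decode_base64(Auth64) of
        {error, _Err} ->
            undefined;
        Auth ->
            %% RFC 7617: the user-id may not contain ':' but the password
            %% may, and may be empty. Split at the first ':' only;
            %% string:tokens/2 would reject "user:pa:ss" and "user:" and
            %% silently merge "user::pass" into two tokens. An empty
            %% user-id is still rejected.
            case lists:splitwith(fun(C) -> C =/= $: end, Auth) of
                {[_ | _] = User, [$: | Pass]} ->
                    {User, Pass, Orig};
                _ ->
                    undefined
            end
    end;
parse_auth(Orig = "Negotiate " ++ _Auth64) ->
    {undefined, undefined, Orig};
parse_auth(_) ->
    undefined.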

It only passes through Negotiate and Basic authentication.

I've modified the yaws.erl source code to:

%% Parse the value of an HTTP Authorization header.
%%
%% Basic credentials are base64-decoded and split into {User, Pass, Orig};
%% Negotiate and NTLM values are passed on as {undefined, undefined, Orig}
%% without being decoded; any other value yields undefined. Orig is the
%% header value exactly as received.
parse_auth("Basic " ++ Auth64 = Orig) ->
    Decoded = decode_base64(Auth64),
    case Decoded of
        {error, _Reason} ->
            undefined;
        Credentials ->
            %% Only a value that tokenises into exactly two non-empty
            %% parts on ':' is accepted as "user:password".
            case string:tokens(Credentials, ":") of
                [User, Pass] -> {User, Pass, Orig};
                _Other -> undefined
            end
    end;
parse_auth("Negotiate " ++ _Token = Orig) ->
    {undefined, undefined, Orig};
parse_auth("NTLM " ++ _Token = Orig) ->
    {undefined, undefined, Orig};
parse_auth(_Unknown) ->
    undefined.


My question is whether it would be better to always pass the Authorization header through:

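%% Parse the value of an HTTP Authorization header.
%%
%% Basic credentials are base64-decoded and returned as {User, Pass, Orig}.
%% A Basic value that does not decode or has no "user:password" shape
%% yields undefined. Every other value, whatever its scheme (or none), is
%% returned as {undefined, undefined, Orig} with no validation at all, so
%% whoever consumes that tuple must check the scheme and token itself.
%% Orig is always the unmodified header value.
parse_auth(Orig = "Basic " ++ Auth64) ->
    case decode_base64(Auth64) of
        {error, _Err} ->
            undefined;
        Auth ->
            %% RFC 7617: the user-id may not contain ':' but the password
            %% may, and may be empty. Split at the first ':' only;
            %% string:tokens/2 would reject "user:pa:ss" and "user:" and
            %% silently merge "user::pass" into two tokens. An empty
            %% user-id is still rejected.
            case lists:splitwith(fun(C) -> C =/= $: end, Auth) of
                {[_ | _] = User, [$: | Pass]} ->
                    {User, Pass, Orig};
                _ ->
                    undefined
            end
    end;
parse_auth(Orig) ->
    %% Pass-through for non-Basic schemes; note this also forwards
    %% malformed values that a scheme-specific clause would have rejected.
    {undefined, undefined, Orig}.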


Regards.