james-proxy / james

Web Debugging Proxy Application


Forward "Authorization" HTTP header

DmytroLapshyn opened this issue · comments

Hi,

Looks like the proxy does not forward the "Authorization" HTTP header from the incoming request.
This unfortunately renders the proxy unusable for websites that require authentication and disallow anonymous access :(

Hmm, investigating right now. It might be the proxy implementation we use? Digging further :)

Hi Dmytro, I'm having issues reproducing this problem.

I've made a little test page that sends an HTTP request to a local server:

<html>
<head>
    <script>
        function bork() {
            var request = new XMLHttpRequest();
            request.addEventListener('load', function() {
              console.log('done');
            });
            request.open('GET', 'http://localhost:8000');
            request.setRequestHeader('Authorization', 'Basic YWxhZGRpbjpvcGVuc2VzYW1l');
            request.send();
        }
    </script>
</head>
<body>
    <button onclick="bork()">Do it</button>
</body>
</html>

Then, I built a little server that just prints the list of all headers of any requests that hit the server.
Finally, I opened my HTML page (from above) through an instance of Firefox opened through James (and proxying through James), and clicked the button to make the request.
However, upon inspecting the server, it showed that the request did in fact have the authorization header:

request.headers() = HeaderMap {
<snip>
        Uncased {
            string: "authorization"
        }: [
            "Basic YWxhZGRpbjpvcGVuc2VzYW1l"
        ],
<snip>
}

Are you sure that James is removing the header? Can you create a small project on GitHub that reproduces the issue so I can run locally? Finally, can you give me some information on which platform and browser you are using? That would be 💯 helpful for me to diagnose this issue further :)

Hi Mitchell,

Are you sure that James is removing the header?

I suppose so, as we can see the proper Authorization header when inspecting a request in James GUI, but still we're receiving 401 Unauthorized from the server.

In particular:

Request Query Params:
...
authorization: NTLM TlRMTVNTU..... // Full header contents not shown for security reasons
upgrade-insecure-requests: 1

But in response all we get is

www-authenticate: NTLM

Which makes me ask myself if it could have something to do with NTLM / Kerberos?

I am not sure if a quick repro would be possible though, as we're using SharePoint on the server side and are basically using James to "hot-swap" client-side scripts.

Yeah, I'm pretty baffled by this. Maybe it's something to do with your server-side? Hmm.


Actually, there is something else you can do to narrow this down, if you don't mind:

  1. Copy this python script and run it with Python 2. It will run a little HTTP server on localhost:8080
  2. Start James
  3. From your application, make that same authorization request, but make it to localhost:8080
  4. The python script will print all the request headers. Let me know if the authorization header is printed by the python server

If the authorization header is not printed, then there's definitely a James bug 😕
If the authorization header is printed, then there's a larger chance that maybe it's something with NTLM/Kerberos. You can compare the output of the little Python server with James running vs. without proxying through James
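Step 4 above ends with comparing the header dumps produced with James in the path and without it. The following added script (not part of James and not code from this thread) does that comparison mechanically: it parses two header dumps in the `Name: value` format the little Python server prints, treats RFC 7230 hop-by-hop headers as differences a proxy is expected to produce, and flags end-to-end headers such as Authorization that went missing or changed. The two dumps embedded in it are constructed samples, not real captures, and the token and Via value are made up.

```python
"""Compare two header dumps (a direct request vs. the same request made through
a proxy) and report what the proxy dropped, added or rewrote.

Added example for this thread; it is not part of James and does not talk to it.
DIRECT_DUMP and PROXIED_DUMP are constructed samples, not real captures.
"""

# Hop-by-hop headers (RFC 7230 section 6.1) that a proxy is entitled to strip or
# rewrite, so a difference in these is expected and is reported separately.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade", "proxy-connection",
}

# Constructed sample: what the test server printed for a direct request.
DIRECT_DUMP = """\
Host: localhost:8080
User-Agent: ExampleBrowser/1.0 (constructed)
Authorization: NTLM dGVzdA== (constructed token)
Connection: keep-alive
Upgrade-Insecure-Requests: 1
"""

# Constructed sample: the same request after passing through a proxy that
# dropped Authorization, closed the connection and added a Via header.
PROXIED_DUMP = """\
Host: localhost:8080
User-Agent: ExampleBrowser/1.0 (constructed)
Connection: close
Via: 1.1 example-proxy (constructed)
Upgrade-Insecure-Requests: 1
"""


def parse_header_dump(text):
    """Parse 'Name: value' lines (the format print(self.headers) produces in the
    thread's script) into a dict keyed by lower-cased name. Repeated names are
    joined with ', ', the combination RFC 7230 allows for list-valued headers."""
    headers = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank line, not a header field
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = value if key not in headers else headers[key] + ", " + value
    return headers


def diff_header_dumps(direct, proxied):
    """Return the end-to-end headers the proxy dropped, added or changed, plus the
    hop-by-hop headers that differ (expected proxy behaviour, listed for context)."""
    a, b = parse_header_dump(direct), parse_header_dump(proxied)

    def end_to_end(name):
        return name not in HOP_BY_HOP

    return {
        "dropped": sorted(k for k in a if k not in b and end_to_end(k)),
        "added": sorted(k for k in b if k not in a and end_to_end(k)),
        "changed": sorted(k for k in a if k in b and a[k] != b[k] and end_to_end(k)),
        "hop_by_hop": sorted(k for k in set(a) | set(b)
                             if k in HOP_BY_HOP and a.get(k) != b.get(k)),
    }


def authorization_intact(direct, proxied):
    """True when the Authorization header reached the server through the proxy
    with exactly the value the client sent."""
    a, b = parse_header_dump(direct), parse_header_dump(proxied)
    return "authorization" in a and a["authorization"] == b.get("authorization")


if __name__ == "__main__":
    report = diff_header_dumps(DIRECT_DUMP, PROXIED_DUMP)
    for kind, names in report.items():
        print("%-11s %s" % (kind + ":", ", ".join(names) or "-"))
    print("Authorization intact:", authorization_intact(DIRECT_DUMP, PROXIED_DUMP))
```

Feed the two real captures (direct, then through the proxy) to `diff_header_dumps`: if `authorization` lands in `dropped`, the proxy is at fault; if the header is intact and the server still answers 401, the problem sits with the authentication scheme rather than header forwarding. That distinction matters for NTLM and Negotiate in particular, because they authenticate the TCP connection rather than each request, so a proxy that opens a fresh upstream connection per request can forward the header untouched and still leave the server challenging every time; a Connection header that shows up in `hop_by_hop` is one hint of that.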

I had to modify the script like this to make the browser perform authentication:

# Python 2 script (the steps above say to run it with Python 2).
# The handler class and the server start-up at the bottom are the wiring the
# posted do_GET fragment needs in order to run on localhost:8080.
import BaseHTTPServer


class HeaderPrintingHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    def do_GET(self):
        request_path = self.path

        # Print every request header so the Authorization header (or its absence) is visible
        print("\n----- Request Start ----->\n")
        print(request_path)
        print(self.headers)
        print("<----- Request End -----\n")

        if self.headers.get('Authorization'):
            self.send_response(200)
            self.send_header("Set-Cookie", "foo=bar")
            self.end_headers()
            self.wfile.write("Welcome on board!")
            self.wfile.close()
        else:
            # Challenge the browser so it performs authentication on the next request
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
            self.end_headers()
            self.wfile.write("Unknown user - please authenticate yourself")
            self.wfile.close()


if __name__ == '__main__':
    BaseHTTPServer.HTTPServer(('localhost', 8080), HeaderPrintingHandler).serve_forever()

and I can confirm that the authorization header is printed. So - looks like this is not a James issue so far. I would suggest closing this issue for now, and I will create a new one if (and should) I have more details.

Thanks so much for all the assistance, appreciate that!

Copy that, thanks!