NTLMV2 not working in android webview
Reported by
avikraga...@gmail.com,
Apr 9 2018
|
|||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce the problem: 1. Use any browser in android that uses webview from version 65. 2. Browse a website that needs NTLMV2 authentication only. 3. Provide the credentials. What is the expected behavior? Website should authenticate successfully using NTLMV2. What went wrong? Authentication fails. Did this work before? N/A Does this work in other browsers? Yes Chrome version: 65.0.3325.181 Channel: stable OS Version: OS X 10.13.3 Flash Version: As mentioned in this issue: https://bugs.chromium.org/p/chromium/issues/detail?id=22532 NTLMv2 support is added for chrome version 65 and also for webview as chrome is the webview provider in android. Tested on a Android O device with Chrome and a test app using webview with chrome as the webview provider. Authentication works for chrome while it fails for webview. Our investigation result is this: The header sent by chrome is a NTLMv2 header while header sent by webview is a NTLMv1. Below are the headers chrome: length: 588 TlRMTVNTUAADAAAAGAAYAFgAAAAwATABcAAAAAAAAACgAQAABgAGAKABAAASABIApgEAAAAAAABYAAAABYIIAAAAAAAAAAAAn+4GvPFsYn7nAoaQOUXmmwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPeIcbyOTKfO83/BX2zRk2wBAQAAAAAAACGC67ctwNMBgE+vpKmvb68AAAAAAgAQAHgAeAB4AHgAeAB4AEEARAABABgAVABFAFMAVABNAEEAQwBIAEkATgBFADEABAASAHgAeAB4AHgAeAB4AC4AQQBEAAMALABUAGUAcwB0AG0AYQBjAGgAaQBuAGUAMQAuAHgAeAB4AHgAeAB4AC4AQQBEAAUAEgB4AHgAeAB4AHgAeAAuAEEARAAHAAgAIYLrty3A0wEGAAQAAgAAAAoAEABEUKyzfKJTWFP1eirHOmtRCQBEAEgAVABUAFAALwB0AGUAcwB0AG0AYQBjAGgAaQBuAGUAMQAuAHgAeAB4AHgAeAB4AHgALgBjAG8AbQA6ADYANAA0ADMAAAAAAAAAAABhAHYAaQBsAG8AYwBhAGwAaABvAHMAdAA= webview: length: 184 TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAABgAGAHAAAAASABIAdgAAAAAAAABAAAAABYIIAL/dj6LYCP2OAAAAAAAAAAAAAAAAAAAAAE/p0vNau6caS1vW/GVyDh6BWNfCHzC/f2EAdgBpAGwAbwBjAGEAbABoAG8AcwB0AA== NTLMV1 still works fine in webview with version 65.
,
Apr 9 2018
,
Apr 9 2018
It doesn't look like NTLMv2 has been enabled for WebView - the change made in issue 22532 is specific to Chrome and doesn't change the setting in WebView. Using Chrome as the WebView provider doesn't make any difference to this - WebView behaves exactly the same whether it's provided by Chrome or not and you can't assume that features are implemented or enabled in WebView just because Chrome supports them.
,
Apr 10 2018
Based on this document it seems it is enabled for webview http://dev.chromium.org/administrators/policy-list-3#NtlmV2Enabled Is the policy honored in webview? And how is it set?
,
Apr 20 2018
Based on torne's comment it seems it did not get enabled as we expected so we need to follow up on what we need to do to make it work for WebView.
,
Apr 20 2018
Unless there's a good reason why any embedder of content or net would want this turned off, you should probably just enable it by default in content or net, instead of specifically turning it on in the chrome layer, which is not shared by other embedders.
,
Apr 20 2018
That's what this was supposed to do - https://chromium-review.googlesource.com/c/chromium/src/+/885509/3/net/http/http_auth_handler_ntlm_portable.cc So I assume the default value in the HttpAuthPreferences coming from webview disables this.
,
Apr 20 2018
Yes - WebView default-constructs a HttpAuthPreferences and only touches a few of the values, so since HttpAuthPreferences defaults to NTLMv2 being disabled, we don't enable it. The change there only affected the behaviour for clients that pass null. Changing the default in HttpAuthPreferences looks like it should work.
,
Apr 20 2018
OK got it. Thanks.
,
Apr 25 2018
Comment #8: Does this mean that currently we have a way to enable this in the webview from the end users side? Or this has to be enabled somewhere inside the webview code only, which i think would be a fix in the webview in upcoming versions?
,
Apr 25 2018
You can't enable it from your side; the code needs to be fixed.
,
Apr 26 2018
https://chromium-review.googlesource.com/c/chromium/src/+/1030250 After it lands, I'll see which versions it might be possible to merge it to.
,
Apr 30 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/465919ea15d3557c538514e1269e0ba8082e73d4 commit 465919ea15d3557c538514e1269e0ba8082e73d4 Author: Zentaro Kavanagh <zentaro@chromium.org> Date: Mon Apr 30 21:10:24 2018 NTLM: Always default NTLM to NTLMv2. - This fixes that Android WebView did not default to NTLMv2 - This was changed already for all other platforms but it did not take effect on WebView. - Sets the default value of ntlm_v2_enable_ to true in HttpAuthPreferences - Previously the default was changed in flags, but it did not apply when a default HttpAuthPreferences was created, but no flags/features are overriden. BUG= chromium:830542 , chromium:22532 TEST=unittests Change-Id: If660a9b5ab3a23735407468b30ee0f58aff5ce6c Reviewed-on: https://chromium-review.googlesource.com/1030250 Commit-Queue: Zentaro Kavanagh <zentaro@chromium.org> Reviewed-by: Asanka Herath <asanka@chromium.org> Cr-Commit-Position: refs/heads/master@{#554873} [modify] https://crrev.com/465919ea15d3557c538514e1269e0ba8082e73d4/net/http/http_auth_handler_ntlm_portable_unittest.cc [modify] https://crrev.com/465919ea15d3557c538514e1269e0ba8082e73d4/net/http/http_auth_preferences.cc [modify] https://crrev.com/465919ea15d3557c538514e1269e0ba8082e73d4/net/http/http_auth_preferences_unittest.cc
,
May 14 2018
Fixed in 68.
,
May 14 2018
Please add manual verification steps if required for tracking purposes.Thanks
,
Jun 5 2018
Pinging again to get verification steps
,
Jun 5 2018
You need to setup a HTTP server with NTLMv2. Visit the site and enter the credentials. It should succeed. Change the configuration of the server to NTLMv1 and it should fail. There is some additional notes about testing in these 2 documents... https://docs.google.com/document/d/1zC0icDUM2Za7Dpt-KhiiS6xiP0-11YuRfeZx-UMt0r0/edit https://docs.google.com/document/d/1ZXfVEBktC4JEyvUhbMAJsoIIt0kYmQ_R6vYzwAgtt1I/edit
,
Jun 5 2018
Thanks Zentaro . We could not verify the fix on M68 on Shell browser as it displays 401 Unauthorized access . we need the shell browser to support authentication / test app to verify the fix.
,
Jun 5 2018
,
Jun 5 2018
,
Jun 12 2018
avikragarwal@ Can you see latest M68 beta are you still able to verify the issue ?
,
Jun 13 2018
Tested with chrome 67 and chrome beta68 as webview provider and also with webview beta68 against our internal test site that needs NTLMV2 auth only. Chrome 67: Login failed (as expected) Chrome 68 beta: Website logged in successfully after entering credentials. NTLMV2 auth worked. Webview 68 beta: Website logged in successfully after entering credentials. NTLMV2 auth worked. I can confirm that the changes made to fix this issue works as expected in beta 68.
,
Jun 13 2018
Thanks for the confirmation . Marking this as Verified in 68 |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by dtapu...@chromium.org
, Apr 9 2018Components: Internals>Network>Auth Mobile>WebView