[Spring Security][Excel]Hyperlink problem

[jbd69]

Hello,

Here is my problem:
I use Spring-Security for my jee application.
By default, the authentification mecanism redirect the user on the "home", but it's possible to access directly to one screen of the application by its URL.

Everything is working well if you fill the URL in your webbrowser.

BUT, if I have an hyperlink in Excel sheet, with the same URL, I get the login page, and then I'm forward to the "home" whereas I wanted to access my specific screen.

If I open the Excel-sheet with OpenOffice, everything is working well ; as if I were filling the URL in the web-browser.

I think it's a problem specific to Microsoft-Excel.
Maybe it's trying to autenticate using NTLM ?? How to disable NTLM, and force the hyperlink to be 'normal' ?

Here is my configuration :

Code:

<http auto-config="true" access-denied-page="/accessDenied.do">
        <!-- Everybody -->
        <intercept-url pattern="/**.do*" access="ROLE_CUSTOMER,ROLE_ADMIN" />
        
        <intercept-url pattern="/login.do*" filters="none"/>
        <intercept-url pattern="/accessDenied.do*" filters="none"/>       
        <form-login login-page="/login.do" authentication-failure-url="/login.do?login_error=1" default-target-url="/home.do" />
    </http>

<beans:bean id="ldapAuthProvider"
		class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
		<beans:constructor-arg ref="authenticator"/>
	    <beans:constructor-arg ref="populator"/>
		<custom-authentication-provider />
	</beans:bean>


<beans:bean id="authenticator" 
		class="com.myapplication.security.BindAuthenticatorImpl">

        <beans:constructor-arg ref="contextSource"/>
	   	<beans:property name="customerPeopleDAO" ref="customerPeopleDAO" />
        <beans:property name="userDnPatterns">
	       <beans:list>
	          <beans:value>uid={0},ou=customer_people</beans:value>
	          <beans:value>uid={0},ou=admin_people</beans:value>
	       </beans:list>
	   	</beans:property>
    </beans:bean>

I also tried by setting the parameter "auto-config" to "false".
At this time, I get the following error : "Impossible to open http://myURL/ " Deadline for connecting to the website exceeded."

Anybody can help me ?

Thanks.

[Bron]

Perhaps you can run your application through a proxy like Paros or use a network capture like Wireshark to see exactly what URL Excel is sending you to.

[jbd69]

Hi,

Sorry for delay...

Here is there capture of Wireshark when click from Excel hyperlink :

Hypertext Transfer Protocol
GET /sivar/redirect.do?id=2961&redirect=viewVRPSearch&custId= 183 HTTP/1.1\r\n
Request Method: GET
Request URI: /sivar/redirect.do?id=2961&redirect=viewVRPSearch&custId= 183
Request Version: HTTP/1.1
Host: 10.69.20.102:8080\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2\Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: fr-fr,fr;q=0.8,en;q=0.5,en-us;q=0.3\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Cookie: locale=fr; JSESSIONID=09199B6CAEF4CEDC92F87377A90D1C4A\r\n
\r\n

The same link paste into Firefox gives the following result :

Hypertext Transfer Protocol
GET /sivar/redirect.do?id=2961&redirect=viewVRPSearch&custId= 183 HTTP/1.1\r\n
Request Method: GET
Request URI: /sivar/redirect.do?id=2961&redirect=viewVRPSearch&custId= 183
Request Version: HTTP/1.1
Accept: */*\r\n
UA-CPU: x86\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 2.0.50727; .Host: 10.69.20.102:8080\r\n
Connection: Keep-Alive\r\n
Cookie: locale=fr; JSESSIONID=0C0EA27AB30B2ECCDECAB5FBF96F66E8\r\n
\r\n

[Bron]

Is the second capture one that works?

[jbd69]

Yes, the second works.

[Bron]

Wow, this is very strange. I just tried this in one of my applications, and it did the same thing. It forwarded to the home page instead of the page linked to. My app is behind CAS authentication.

I'm using Excel 2002 and FF 3.5. Nothing comes immediately to mind.

[jbd69]

I think I found an explanation (but not the solution) :

- With the browser

1. We enter the URL
2. We get a HTTP 302 with redirection to login page
3. We submit login form
4. We get a HTTP 302 to the URL entered previouly

- With Excel

1. The URL is <tested> by Excel
2. Excel gets the HTTP 302 and open browser with the URL of the login page
3. We submit form
4. We get a HTTP 302 to the default page (home) because browser was directly open on the login page and not on the URL wanted

To reproduce, I tested with an URL not responding, and Excel popup me an alert.
I do the same thing with OpenOffice, and it opens the browser that show me the "page not found".

I would expect that Excel open the navigator with the URL and not the redirection of HTTP 302...
It works perfectly with OpenOffice, but not in Excel...

Just for information, for my tests, I used :

• Excel 2003 & 2007
• OpenOffice 3.1
• Firefox, IE7, Safari 4, Chrome 2
• spring-security 2.0.4

Thanks a lot for your help !!

[jbd69]

Hi,

It's seems to be a behavior made by Microsoft for Office Suite.

One solution is to force opening the browser (see link bellow) :

http://support.microsoft.com/kb/218153/en-us

It's not a good solution for my customers (end-users).

I try to find another way to solve this problem...

[jbd69]

Hi,

I found a solution.

The url of my hyperlink must be NOT secured through <intercept-url>.
(Note : if secured, server response is HTTP-302, and Excel opens the redirection and not the original URL).

I also have a first page not secured that display the message "you will be redirected" and with "onload" attribute on the body, I call the javascript that make the redirection on the secured URL.

The first page is not secured, so the server response is HTTP-200. Excel opens IE to display the page.

Thanks a lot for your help.