Details
- Suggestion
- Resolution: Unresolved
- Not Evaluated
Description
As documented in https://doc.qt.io/qt-6/qauthenticator.html#ntlm-version-2: if the username is not provided when QNetworkAccessManager::authenticationRequired() is emitted, then Qt automatically tries to log in with the current Windows account.
A customer would like the option to prevent this auto-login.
Use-case
The customer would like to query the server to find out if authentication is required, WITHOUT actually performing the authentication.
In most cases, an HTTP HEAD request is answered with HTTP code 401 to indicate that authentication is required. However, when the server uses NTLM, the same request could ultimately be answered with HTTP code 200 when the user isn't actually trying to log in.
Workaround
Providing a dummy username when handling QNetworkAccessManager::authenticationRequired() will prevent the auto-login, as desired. This is rather hacky, though.
Other observations
While auto-login is convenient and probably welcome in many cases, it is inconsistent with the documented behaviour at https://doc.qt.io/qt-6/qnetworkaccessmanager.html#authenticationRequired which says, "To have the request not send credentials you must not call setUser() or setPassword() on the authenticator object. This will result in... AuthenticationRequiredError."
Suggestions
It would be nicer to be able to call something like authenticator->setUseSystemCredentials(false); (name to be decided) instead of authenticator->setUser("fakeUserDontLogin");
Historically, QAuthenticator::useSystemCredentials is true by default, but perhaps it should be (gradually?) changed to false by default. That way, the app could either explicitly provide a username + password, or explicitly tell Qt to try the domain\user credentials.
Issue Links
- relates to: QTBUG-133984 Make QHttpHeaders::WellKnownHeader::WWWAuthenticate headers available in QNetworkAccessManager::authenticationRequired() signal (Reported)
- resulted from: QTBUG-44096 QNetworkAuthenticationManager does not emit authenticationRequired when using NTLM (Closed)
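The check described under Use-case, as an added example that is not part of the original report and is not Qt code: it reads the status line and WWW-Authenticate challenges of the first reply to a probe and reports whether authentication is required and whether NTLM is offered. It assumes the raw response head is available to the caller; ProbeResult, collectSchemes and parseProbe are hypothetical names, and any input passed in is constructed by the caller.

```cpp
// Added example (not Qt code): classify the first reply to a HEAD probe.
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

struct ProbeResult {
    int status = 0;
    std::vector<std::string> schemes;  // lower-cased challenge schemes, in order
    bool authRequired() const { return status == 401; }
    // NTLM is the scheme for which the report describes the automatic login.
    bool autoLoginPossible() const {
        return authRequired() && std::count(schemes.begin(), schemes.end(), "ntlm") > 0;
    }
};
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Split a WWW-Authenticate value on commas outside quoted strings. An element
// whose first word has no '=' opens a new challenge; that word is the scheme.
static void collectSchemes(const std::string& value, std::vector<std::string>& out) {
    std::string elem;
    bool quoted = false;
    for (size_t i = 0; i <= value.size(); ++i) {
        const bool end = (i == value.size());
        const char c = end ? ',' : value[i];
        if (!end && quoted && c == '\\' && i + 1 < value.size()) { elem += value[++i]; continue; }
        if (!end && c == '"') quoted = !quoted;
        if (end || (c == ',' && !quoted)) {
            std::istringstream words(elem);
            std::string first;
            if ((words >> first) && first.find('=') == std::string::npos) out.push_back(lower(first));
            elem.clear();
        } else elem += c;
    }
}
ProbeResult parseProbe(const std::string& rawHead) {  // status line plus header lines
    ProbeResult r;
    std::istringstream in(rawHead);
    std::string line, version;
    if (std::getline(in, line)) { std::istringstream sl(line); sl >> version >> r.status; }
    const std::string name = "www-authenticate:";
    while (std::getline(in, line) && line != "\r" && !line.empty())
        if (lower(line.substr(0, name.size())) == name)
            collectSchemes(line.substr(name.size()), r.schemes);
    return r;
}
```

The parser treats `name = value` written with spaces around the equals sign as a scheme, which is a simplification of the HTTP grammar.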