[jcifs] Tomcat NTLM

Pugsley, Jason Jason.Pugsley at team.telstra.com
Fri Sep 20 10:03:14 EST 2002


Having authentication handled by the servlet container is in my opinion
superior. Tomcat (and other servlet engines) can manage authentication,
single sign-on and role management without your servlet ever needing to know
about it. Servlet filters can also hide some of the complexity, but I don't
think it is the most elegant solution.

I had to create a modified version of catalina.jar so that Tomcat would
recognise NTLM as an authentication method, along with BASIC, Digest etc.
The code changes are trivial (with hindsight of course) and only involve 3
files.

I have some reservations with the current version of jcifs. My own
experience as well as some of Michael's posts lead me to believe that there
may be problems with cached logons/connections between jcifs and the domain
controller.

Having said all that, it's still a beautiful thing to have working. The
Apache people recently released a new stable version 4.1.10 of Tomcat and
with the usual changes everything works. I don't claim to fully understand
the inner workings of Tomcat any more than I understand the insides of jcifs
so the work I've done may well contain bugs. The last time I contacted the
Tomcat developers list, there wasn't a lot of interest shown. This may just
be because none of them work in Windows based intranets.

The work needed to "patch" Tomcat can probably be applied to any servlet
engine. I did Jetty and Resin just for fun :)  Having the owners of the
servlet engines integrate the code would be far better, but I think we
should wait until Michael is comfortable that the code works well and can
"freeze" the interface before proposing that. Keep in mind that NTLM
authentication is not part of the Servlet Specification. Of course that
doesn't stop us petitioning the engine developers to include it :)

Jason.

-----Original Message-----
From: Michael B. Allen [mailto:miallen at eskimo.com]
Sent: Friday, 20 September 2002 4:56 AM
To: Scott, James (JA)
Cc: jcifs at samba.org
Subject: Re: [jcifs] Tomcat NTLM


You're waaaaaay out of date.

That post was about Jason's original instructions. Did you know that we
have since created a Filter to do NTLM Auth? Please look at the relevant
news bullets on our homepage and read the latest NTLM document:

  http://jcifs.samba.org/src/docs/ntlmhttpauth.html



On Thu, 19 Sep 2002 11:56:12 -0500
"Scott, James (JA)" <JAScott3 at dow.com> wrote:

> In response to:
> http://lists.samba.org/pipermail/jcifs/2002-May/002185.html
> ------
> I have successfully gotten the NTLM authentication to work from within my
> code .. Very Sweet! .. Thanks a lot for having taken the time to write that
> and share it.
> 
> I have a question regarding the above posting.  I am now trying to make NTLM
> the default auth for my web app (I am using Tomcat) and I have not been
> successful in getting it to work as such.  In that posting it was stated
> that 
> 	-----------
> 	Copy the supplied  jcifs-0.6.3.jar to
> 	$CATALINA_HOME/server/lib
> 
> 	Overwrite the existing  catalina.jar  in $CATALINA_HOME/server/lib
> 	with the supplied one.
> 	-----------
> I am wondering, in order to make this work with Tomcat do I have to have
> your version of the Catalina.jar ?.. was it altered in some way?
> 
> I altered my web.xml file to contain the login-config information as you
> specified.  I also altered the tomcat-users.xml file to be set up as per your
> instructions, however, my request.getRemoteUser() is still null.
> 
> Any help would be greatly appreciated.
> 
> Thanks,
> Jim
> 


-- 
A  program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes  the  potential  for it to be applied to tasks that are
conceptually  similar and more importantly to tasks that have not
yet been conceived. 


