<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>NYC-USERS</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.netbios.wins</param-name>
        <param-value>10.169.10.77,10.169.10.66</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This filter section illustrates the setup for authenticating clients against the domain NYC-USERS. This is suitable for large numbers of concurrent users as jCIFS will cycle through domain controllers and use an alternate WINS server if necessary. The above will authenticate users accessing all content against the domain NYC-USERS. The WINS server 10.169.10.77 will be queried to resolve NYC-USERS to an IP address of a domain controller. If that WINS server is not responding, 10.169.10.66 will be queried.
<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>192.168.2.15</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.logonShare</param-name>
        <param-value>JCIFSACL</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This filter section illustrates the setup for authenticating against a JCIFSACL share for testing or a site with a small number of concurrent users (e.g. 1000). Either a jcifs.smb.client.domain or jcifs.smb.client.domainController property is required. This will be suitable to authenticate clients that are members of the specified domain as well as other domains with which it has trust relationships. Running the NtlmHttpAuthExample.java example should be a suitable test of the Filter.
The significance of the POST test is that after negotiating NTLM HTTP Authentication once, IE will not POST any form data until it has negotiated the password hashes again. If the NTLM HTTP Authentication Filter is not enabled, something like the following will be displayed:

NTLM HTTP Authentication Example
NYC-USERS\MIALLEN successfully logged in
Please submit some form data using POST
field1 = hello
null successfully logged in

Notice the user was permitted access. Unlike this example, developers might add an additional check to make sure getRemoteUser does not return null.
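One way to add the null check described above, as an added example that is not part of jCIFS or the original page: a second servlet filter that fails closed when no authenticated user is present. The class name RequireRemoteUserFilter is hypothetical, and it assumes the filter's mapping is declared after NtlmHttpFilter's in web.xml so that it runs later in the chain.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard filter (not part of jCIFS). Declare its filter-mapping
 * AFTER NtlmHttpFilter's so it inspects the request NtlmHttpFilter passes on.
 */
public class RequireRemoteUserFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("HTTP requests only");
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String user = req.getRemoteUser();
        if (user == null || user.trim().length() == 0) {
            // No authenticated user: NtlmHttpFilter is disabled, not mapped
            // to this URL, or ordered after this filter. Refuse the request
            // instead of serving content to "null".
            context.log("Rejected unauthenticated request from "
                    + req.getRemoteAddr() + " for " + req.getRequestURI());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Authentication required");
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        context = null;
    }
}
```

With this filter mapped to the same url-pattern, a deployment in which NtlmHttpFilter has been removed or commented out answers 403 and logs the rejection instead of serving the page to an unauthenticated client.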
jcifs.smb.client.domain | The NT domain against which clients should be authenticated. Generally it is necessary to also set the jcifs.netbios.wins parameter or a domain controller may not be found. This parameter will be ignored for NTLM HTTP authentication purposes if a jcifs.http.domainController property is specified (although they can be used together for "preauthentication" as described in the SMB Signatures and Windows 2003 section below). |
jcifs.http.domainController | The IP address of any SMB server that should be used to authenticate HTTP clients with the NtlmHttpFilter class. If this is not specified the jcifs.smb.client.domain 0x1C NetBIOS group name will be queried. If these queries fail an UnknownHostException will be thrown. It is not necessary for this to specify a real domain controller. The IP address of a workstation will do for simple purposes. |
jcifs.http.basicRealm | The realm for basic authentication. This property defaults to 'jCIFS'. |
jcifs.http.enableBasic | Setting this property to true enables basic authentication over HTTPS only. |
jcifs.http.insecureBasic | Setting this property to true enables basic authentication over plain HTTP. This configuration passes user credentials in plain text over the network. It should not be used in environments where security is required. |
jcifs.http.loadBalance | If a jcifs.smb.client.domain property is specified (and domainController is not specified) the NtlmHttpFilter will query for domain controllers by name. If this property is true the Filter will rotate through the list of domain controllers when authenticating users. The default value is true. The jcifs.netbios.lookupRespLimit property can also be used to limit the number of domain controllers used. |
jcifs.http.guestRedirectURL | When this is set to an absolute URL, NtlmHttpFilter will forward failed requests to it instead of challenging with a Network Logon Dialog. If this setting is not provided, failed authentication requests get the default Network Logon Dialog challenge. |
jcifs.netbios.lookupRespLimit | The 0x1C NetBIOS name query returns a list of domain controllers. It is believed that the servers at the top of this list should be favored. This property limits the range of servers returned by name queries. The default value is 5, meaning the top 5 domain controllers will be used. |
jcifs.netbios.wins | The IP address of the WINS server. This is required when accessing hosts on different subnets (like a domain controller by name) and it is highly recommended if a WINS server is available. |
jcifs.smb.client.laddr | The IP address of the local interface the client should bind to if it is different from the default. For example, if jCIFS is used to authenticate clients on one interface and the domain controller for those clients is accessible only on another interface of a webserver with two NICs, it may be necessary to specify which interface jCIFS should use. |
jcifs.netbios.laddr | The IP address of the local interface the client should bind to for name queries if it is different from the default. Likely set to the same as the above property. |
jcifs.smb.client.attrExpirationPeriod | Attributes of a file are cached for attrExpirationPeriod milliseconds. The default is 5000 but the NetworkExplorer servlet will attempt to set this property to 120000. Otherwise, when listing large directories, the attributes of SmbFiles may expire within the default period resulting in a large number of additional network messages and severe performance degradation. |
jcifs.smb.client.soTimeout | To prevent the client from holding server resources unnecessarily, sockets are closed after this time period if there is no activity. This time is specified in milliseconds. The default is 15000; however, when NTLM HTTP Authentication is used, the NtlmHttpFilter will attempt to set this value to 5 minutes so that frequent calls to SmbSession.logon() do not provoke redundant messages being submitted to the domain controller. If it is not desirable to cache password hashes, set this value back to 15000. |
jcifs.netbios.cachePolicy | When a NetBIOS name is resolved with the NbtAddress class it is cached to reduce redundant name queries. This property controls how long, in seconds, these names are cached. The default is 30 seconds, 0 is no caching, and -1 is forever. When NTLM HTTP Authentication is used, NtlmHttpFilter will attempt to set this value to 10 minutes so that frequent queries for a domain controller will be cached. |
Exception MalformedURLException: unknown protocol: smb
    at java.net.URL.<init>(URL.java:480)
    at java.net.URL.<init>(URL.java:376)
    at java.net.URL.<init>(URL.java:330)
    at jcifs.smb.SmbFile.<init>(SmbFile.java:355)
    ...
<init-param>
    <param-name>jcifs.netbios.hostname</param-name>
    <param-value>MYHOSTNAME</param-value>
</init-param>
http://davenport.sourceforge.net/ntlm.html
http://www.innovation.ch/java/ntlm.html