[jcifs] Using jcifs to validate users against NT

Pugsley, Jason Jason.Pugsley at team.telstra.com
Wed Apr 3 10:43:21 EST 2002


Somewhat off topic to this discussion, but I've been working on a similar
task. I'm using tomcat and jcifs, but in a slightly different way. My users
are on the company intranet, and (because of company policy) use Internet
Explorer by default. Many of the company's web sites started using NTLM
authentication between the users' IE and web site's IIS servers. I've been
using Java and Tomcat on a Solaris box but I wanted the same transparent
logon for my users.

I created a new authentication class in Tomcat, a new class in jcifs, and
some modifications to some jcifs classes. The logon process goes something
like this:
. Web browser requests web page
. Web server checks if user is already authenticated, bypasses rest if they
. Create a Tomcat session to persist jcifs data
. Create the UniAddress objects for PDC and BDC
. Send response to browser saying Authenticate with NTLM
. Browser sends domain and host information
. Server connects to PDC or BDC with SmbTransport.getSmbTransport(dc, port)
. Send response to browser including transport.server.encryptionKey
. Browser sends domain, host and username as well as encoded LM and NT
. Server sends username, encoded LM and NT passwords and domain to
. If SmbAuthException or SmbException is thrown, reject logon otherwise
accept user

Because the passwords from IE needed the encryptionKey from the domain
controller, and because they then return already encoded passwords, I needed
to modify some of the jcifs classes and create one of my own within smb to
have access to protected package level objects (if someone knows more Java
and a non-intrusive way to add my code please let me know).

To pass and process the already encoded passwords, I had to make additions
to SmbComSessionSetupAndX.java, SmbSession.java, and SmbTransport.java

The changes were mostly in constructors to allow passing the 2 encoded
passwords, and a test to skip encoding the already encoded passwords at
writeParameterWordsWireFormat() in SmbComSessionSetupAndX.java.

I also created SmbNTLM.java in the same package so there is a publicly
accessible interface for Tomcat to use.

The changes are minimal, but would need more testing at someone else's site
to be sure it works properly - I know it does for me, but my site does not
get high traffic.

I've already mentioned this to the Tomcat developers as I thought it might
be something other Tomcat web sites would find useful - I didn't get much of
a response as I suspect most Tomcat developers don't work in an NT based
intranet like me.

So, would it be appropriate to include my changes in jcifs, or is it out of
the scope of the jcifs project? My understanding is that in order to get to
the protected methods and data in the jcifs.smb package, my changes/classes
need to be within that package. I can't simply create a new package outside
jcifs and get to the innards of the jcifs classes, or am I not understanding
something about Java?

Kind regards,

Jason Pugsley.

-----Original Message-----
From: Michael B.Allen [mailto:mballen at erols.com]
Sent: Saturday, March 30, 2002 7:35 AM
To: Tolman-Kevin
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Using jcifs to validate users against NT

On Fri, 29 Mar 2002 08:24:48 -0800
Tolman-Kevin <Tolman-Kevin at vikingfreight.com> wrote:

> Hello,
> I need to validate user id and password against their NT log in's from
> a servlet application running on linux/tomcat. I have tried using jcifs
> to connect to an NT server using the supplied user id and password and
> then doing a SmbFile[] files = file.listFiles();. If a list of files is
> returned the userid/password is a valid NT log in and if an exception
> is thrown I determine that the userid/password is not a valid NT log in.

listFiles is a pretty heavy operation to do that. Set up a file somewhere
and try to just open it with new SmbFileInputStream(). That will throw
an Exception if the user is not valid. You can also tweak the ACL list
on that "peer" file to get a little better access control for groups of
users but I've never tried that so I don't know how well it would work
in practice. The real way to authenticate a user is with the NETLOGON
DCE/RPC call but we don't support DCE/RPC at this time.

> This works except that after three invalid attempts I am locked
> out. Any subsequent attempts will always fail until a certain time out
> period passes. I am afraid that if I try this from a servlet app that
> one user failing to log on will lock up the app for all users. Is this
> the case? Is there a way around this? Has anyone else been able to
> validate a user against NT using jcifs?
>
> I have tried changing all of the properties in the jcifs.prp file but
> that has not helped.

This has nothing to do with jCIFS. That policy is set on the domain
controller but I don't see a problem anyway. If the user enters the wrong
password three times they're locked out. That's the policy so they just
shouldn't enter the wrong password three times in a row.


May The Source be with you.
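
In the logon process listed in the message above, the browser's last message carries the domain, host, username and the two challenge responses in an `Authorization: NTLM <base64>` header. As an added example (not part of the original post, and not jCIFS or Tomcat code), this parser shows the bounds checks a servlet needs on that untrusted message before any field is forwarded to the domain controller. The class name and sample values are made up, and it assumes Unicode (UTF-16LE) strings were negotiated.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example, not jCIFS or Tomcat code. Assumes Unicode (UTF-16LE) strings were negotiated.
public class NtlmType3Parser {
    static final byte[] SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    static final class Type3 { String domain, user, workstation; byte[] lm, nt; }

    // One security buffer: uint16 length, uint16 allocated, uint32 offset into the message.
    static byte[] field(ByteBuffer m, int at) {
        int len = m.getShort(at) & 0xFFFF, off = m.getInt(at + 4);
        if (off < 0 || len > m.limit() - off) throw new IllegalArgumentException("field out of bounds");
        return Arrays.copyOfRange(m.array(), off, off + len);
    }

    // Parses the value of "Authorization: NTLM <base64>" carrying a type 3 message.
    static Type3 parseType3(String header) {
        if (!header.startsWith("NTLM ")) throw new IllegalArgumentException("not an NTLM header");
        byte[] raw = Base64.getDecoder().decode(header.substring(5).trim());
        if (raw.length < 52 || !Arrays.equals(Arrays.copyOf(raw, 8), SIG))
            throw new IllegalArgumentException("bad NTLMSSP message");
        ByteBuffer m = ByteBuffer.wrap(raw).order(ByteOrder.LITTLE_ENDIAN);
        if (m.getInt(8) != 3) throw new IllegalArgumentException("expected type 3");
        Type3 t = new Type3();
        t.lm = field(m, 12);
        t.nt = field(m, 20);
        t.domain = new String(field(m, 28), StandardCharsets.UTF_16LE);
        t.user = new String(field(m, 36), StandardCharsets.UTF_16LE);
        t.workstation = new String(field(m, 44), StandardCharsets.UTF_16LE);
        // Reject anonymous or truncated logons before anything is forwarded to the DC.
        if (t.user.isEmpty() || t.nt.length < 24) throw new IllegalArgumentException("no usable credentials");
        return t;
    }

    public static void main(String[] args) {
        // Constructed sample message: zero-filled 24-byte responses, made-up names.
        byte[][] parts = { new byte[24], new byte[24], "CORP".getBytes(StandardCharsets.UTF_16LE),
            "alice".getBytes(StandardCharsets.UTF_16LE), "WS01".getBytes(StandardCharsets.UTF_16LE) };
        ByteBuffer b = ByteBuffer.allocate(64 + 74).order(ByteOrder.LITTLE_ENDIAN).put(SIG).putInt(3);
        int off = 64;
        for (byte[] p : parts) { b.putShort((short) p.length).putShort((short) p.length).putInt(off); off += p.length; }
        b.position(64);
        for (byte[] p : parts) b.put(p);
        Type3 t = parseType3("NTLM " + Base64.getEncoder().encodeToString(b.array()));
        System.out.println(t.domain + "\\" + t.user + " from " + t.workstation + ", NT response " + t.nt.length + " bytes");
    }
}
```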
