[jcifs] RE: Authentication: NTLM

skeetz skeetz at 8thdeadlysim.com
Mon Aug 12 04:38:32 EST 2002


Sorry about my earlier post.  I'll slow down and explain things better.
There are actually a couple of issues I need to address.

NEED TO AUTHENTICATE EACH TIME

In your implementation, once the session has been authenticated with jcifs,
you keep that session variable and you don't do the 3-step NTLM
authentication anymore.  The problem is that if you have a <FORM
method=post> tag, IE (once NTLM authenticated) will not send that data on
the first try.  It expects to have the NTLM authentication every page, so it
waits until the authentication is done before actually posting the data.
This makes sense because if it were posting a 1 meg file, it would be
ridiculous for IE to post it all three times when it knows the first 2 are
going to be discarded.

So what I started doing was just removing the session variable in my code
right after it authenticates.  This seemed to slow things down, but this was
just my observation and not real numbers.   If the SmbSession is just
caching this, then my secondary cache is not needed.  (although it seems to
work well)

NEED TO MOVE PARAMETERS FROM CONFIG FILE TO INIT PARAMS

When designing websites, you want to have all of the configuration in the
server and web.xml config files.  This is what I have done.  init-param is a
defined tag from the servlet spec.  You can see it in use in my web.xml file
or you can look here: http://www.caucho.com/resin/ref/filter-config.xtp .
Using the -D startup option is crappy in my opinion.  A website will be more
portable to application servers that may already be running and have an
admin that doesn't want to restart the webserver.  This is me just being
picky here.  I'm not trying to force anyone, but this is the way I'm doing
it, I've rewritten the code, and I thought I would share it with the group.
Making an init-param for the file is ok, but not as good.  Something halfway
would be deciding that the file will always be named <whatever> and exist in
the WEB-INF directory of the application.  But then you just add one more
file to put settings for the web application.

NOTE: I've only done the domainController variable.  I think that is all
that I need.

NEEDS TO RUN OUTSIDE OF ACTUAL WEB CODE (servlet jsp htm).

Using the filter that I have created, a jsp file could look like this.

<%
out.println(session.getAttribute("username"));
%>

There would be no authentication code mixed in with the code to run the
website.  There may be a different/better way of doing this with an
authenticator (see
http://www.caucho.com/resin/ref/security.xtp#authentication), but I'm not
sure that this is portable to other application servers.

Also, doing this as a filter allows admins to make sure that zip files
aren't being downloaded by people who should not have access.  See the
filter-mapping tag in web.xml file for the syntax.


HOW TO RUN MY CODE

Download jcifs-0.7.0b.zip and copy what is under src into the
<myapp>/WEB-INF/classes directory of your website.  Then just unzip my file
into the WEB-INF directory and it will overwrite web.xml (have a backup) and
it will overwrite jcifs/http/NtlmHttpSession.java and it will create my
jcifs/http/NtlmHttpAuthenticator.java and LoginFilter.java.  This is all you
need other than a test jsp file like the one above.

SUMMARY

I hope this helps clear things up.  Although I'm writing this at 1 am so I
don't know how coherent this actually is.

skeetz
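The filter flow described above (Type 1 answered with a 401 carrying the saved challenge, the browser's Type 3 cached and later checked by a plain string compare, the user name left in the session for the JSP to read), as an added Python sketch that is not part of skeetz's attachment or of jcifs. The `session` dict stands in for HttpSession, `verify` is a hypothetical hook standing in for the real password check, and `make_type3` only builds a constructed message for the demo.

```python
import base64, os, struct
NTLMSSP = b"NTLMSSP\x00"   # signature that opens every NTLM message

def auth_header(raw):
    return "NTLM " + base64.b64encode(raw).decode("ascii")   # the form IE sends it in

def ntlm_message(authorization):
    """Decode 'Authorization: NTLM <base64>' into (message type, raw bytes), else (None, None)."""
    raw = base64.b64decode(authorization[5:]) if authorization and authorization.startswith("NTLM ") else b""
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None, None
    return struct.unpack_from("<I", raw, 8)[0], raw   # little-endian type at byte 8: 1, 2 or 3

def make_type2(challenge):
    """Minimal 32-byte Type 2: empty target-name buffer, OEM|NTLM flags, the 8-byte challenge."""
    return NTLMSSP + struct.pack("<IHHII", 2, 0, 0, 32, 0x0202) + challenge

def make_type3(username, nt_response):
    """Constructed Type 3 for the demo: 64-byte header, then the NT response and the user name."""
    user = username.encode("ascii")
    # security buffers (len, maxlen, offset): LM resp, NT resp, target, user, workstation, session key
    bufs = [(0, 64), (len(nt_response), 64), (0, 64), (len(user), 64 + len(nt_response)), (0, 64), (0, 64)]
    hdr = NTLMSSP + struct.pack("<I", 3) + b"".join(struct.pack("<HHI", n, n, off) for n, off in bufs)
    return hdr + struct.pack("<I", 0x0202) + nt_response + user

def type3_username(raw):
    n, _, off = struct.unpack_from("<HHI", raw, 36)   # the user-name buffer sits at byte 36
    return raw[off:off + n].decode("ascii")

def ntlm_filter(session, authorization, verify):
    """One request through the filter -> (status, WWW-Authenticate value, let the request proceed).
    verify(challenge, raw_type3) -> bool is a hypothetical hook for the real check (jcifs: NtlmHttpSession.logon)."""
    mtype, raw = ntlm_message(authorization)
    if mtype == 1:
        # 401 + Type 2; after the first logon the saved challenge is re-sent (cached Type 3 becomes replayable in-session)
        challenge = session.setdefault("challenge", os.urandom(8))
        return 401, auth_header(make_type2(challenge)), False
    if mtype == 3 and "challenge" in session:
        if "response" in session:        # later pages: a plain string compare against the cached Type 3
            ok = session["response"] == authorization
        else:                            # first logon: real check, then cache response and user name
            ok = verify(session["challenge"], raw)
            if ok:
                session["response"] = authorization
                session["username"] = type3_username(raw)   # what the JSP reads via getAttribute
        if ok:
            return 200, None, True
        session.clear()                  # bad response: drop everything and force a fresh handshake
    return 401, "NTLM", False            # no credentials yet: tell the browser to start NTLM
```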


-----Original Message-----
From: jcifs-admin at lists.samba.org [mailto:jcifs-admin at lists.samba.org]On
Behalf Of Allen, Michael B (RSCH)
Sent: Sunday, August 11, 2002 4:49 PM
To: 'skeetz'
Cc: 'jcifs at samba.org'
Subject: [jcifs] RE: Authentication: NTLM


First, I don't know a lot about servlets and such so please direct your
messages to the jcifs at samba.org mailing list so that people who do
understand can help sort these issues out. I'm just doing this based on my
knowledge of networking and http.

> -----Original Message-----
> From:	skeetz [SMTP:skeetz at 8thdeadlysim.com]
> Sent:	Friday, August 09, 2002 12:42 PM
> To:	Allen, Michael B (RSCH)
> Subject:	RE: Authentication: NTLM
>
> I am waiting for instructions to signup on the list.  Here is what I've
> discovered using this.
>
> 1) I think ie expects to get authenticated page.
>
	What is an "authenticated page"?

> 2) ie won't post any form data until it has finished this process.
> so you have to authenticate every time.
>
	Not sure what you mean here. You don't have to authenticate "every time".
	The server provokes the NTLM authentication mechanism and therefore decides
	who needs to authenticate and how often. Perhaps you are using POST instead
	of GET? In this case my intention was that you call NtlmHttpSession.logon
	from within your doPost but I have never tried. Or are you saying that IE
	changes its behavior once you've negotiated NTLM?

>   So what I did:
> 1) made a filter so that each page can be authenticated without really
> messing with the jsp/htm/zip/whatever files.
>
	I'll look at your code but I'm getting more confused now.

> 2) made it so the ip for the primary domain controller is an init-param.
>
	Why is this useful? Are the "domain" and "soTimeout" properties init
	parameters too? Perhaps these properties should be attributes? Are you
	trying to avoid the jcifs.properties file JRE parameter? If so, we could
	make the jcifs.properties file an "init-parameter". Actually, what exactly
	is an "init parameter"? Do you mean a logon() method parameter?

> 3) made it so that it will authenticate the first time and save the
> challenge and the browser's encoded 3rd message.  Then on future pages, it
> just sends the same challenge and tests if the encoded response is the
> same as the saved one.
>
	The jCIFS SmbSession class already essentially does this. If an SmbSession
	exists with a matching password hash it will reuse that session making the
	SmbSession.logon() method a no-op. So if you want to just provoke the
	NTLM password hash negotiation "every time" we could just reorganize the
	NtlmHttpSession.logon() code to perform the whole process (or part of it)
	each time. But it's not clear to me that this is necessary.

> I didn't do stress testing on what you had, but once my deal
> authenticates, it is only a matter of a string compare (on the third
> attempt of course).  Also if the domainController (ip) is given it runs a
> lot faster not having to do the netbios lookup.
>
	It shouldn't be slower to the point that you could notice. If it is, your
	name service is timing out and trying another resolution method. If you
	have a wins server and you set the wins and resolveOrder=WINS properties
	it should be just as fast and after the first lookup the name is cached.

> I've attached a slimmed down version of what I'm using for my project.  I
> hope this helps.  You'll probably be pissed that I didn't follow your
> coding standard.  I'm just used to two spaces and certain other things.
> Anyway it should give you an idea.
>
> skeetz
> p.s. Thanks again for getting this to work.
>
	You're welcome. I'll look at your code and try to decipher what you're
	talking about but it might take me a while. I have never used servlets or
	jsps. If someone can explain to me exactly how this should work in an
	optimal way it would be great to sort this out right away and do an
	updated release.

	Mike


-------------- next part --------------
A non-text attachment was scrubbed...
Name: WEB-INF.zip
Type: application/x-zip-compressed
Size: 4523 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20020811/82fee5d5/WEB-INF.bin

