[jcifs] RE: Authentication: NTLM

Michael B. Allen miallen at eskimo.com
Mon Aug 12 17:26:17 EST 2002


On Sun, 11 Aug 2002 13:38:32 -0500
"skeetz" <skeetz at 8thdeadlysim.com> wrote:

> Sorry about my earlier post.  I'll slow down and explain things better.
> There are actually a couple of issues I need to address.
> 
> NEED TO AUTHENTICATE EACH TIME
> 
> In your implementation, once the session has been authenticated with jcifs,
> you keep that session variable and you don't do the 3 step ntlm
> authentication anymore.  The problem is that if you have a <FORM
> method=post> tag, ie (once NTLM authenticated) will not send that data on
> the first try.  It expects to have the ntlm authentication every page so it
> waits until the authentication is done before actually posting the data.
> This makes sense because if it were posting a 1 meg file, it would be
> ridiculous for ie to post it all three times when it knows the first 2 are
> going to be discarded.

Ahh,  I  see.  Much  clearer.  So  IE  *does*  change  its  behavior  after
negotiating  NTLM.  Is  this *only* for the POST method? I wonder if we can
selectively  handle  POST  and not GET. Doing NTLM negotiation each time is
sort of a waste but I suppose if IIS does it we can't be faulted.

What we really need is someone to trace IE <--> IIS talking NTLM auth a bit
on  a  real site and see if it negotiates with every request or if it has a
higher level behaviour we should consider. 

> So what I started doing was just removing the session variable in my code
> right after it authenticates.  This seemed to slow things down, but this was
> just my observation and not real numbers.   If the SmbSession is just
> caching this, then my secondary cache is not needed.  (although it seems to
> work well)
> 
> NEED TO MOVE PARAMETERS FROM CONFIG FILE TO INIT PARAMS
> 
> When designing websites, you want to have all of the configuration in the
> server and web.xml config files.  This is what I have done.  init-param is a
> defined tag from the servlet spec.  You can see it in use in my web.xml file
> or you can look here http://www.caucho.com/resin/ref/filter-config.xtp  .
> using the -D startup option is crappy in my opinion.  A website will be more
> portable to application servers that may already be running and have an
> admin that doesn't want to restart the webserver.  This is me just being
> picky here.  I'm not trying to force anyone, but this is the way I'm doing
> it, I've rewritten the code, and I thought I would share it with the group.
> Making an init-param for the file is ok, but not as good.  Something halfway
> would be deciding that the file will always be named <whatever> and exist in
> the WEB-INF directory of the application.  But then you just add one more
> file to put settings for the web application.
> 
> NOTE: I've only done the domainController variable.  I think that is all
> that I need.

Ahh, I see. Much clearer ;-) I just didn't know what an init-param was. The
only  issue  I have is that jCIFS has many properties. In theory any number
of  them  may  need to be set. Perhaps I can make the top 5 init-parameters
and then have an additional check for "jcifs.prp" in the WEB-INF directory.

Q: How do you know from within your code where the WEB-INF directory is?

> NEEDS TO RUN OUTSIDE OF ACTUAL WEB CODE (servlet jsp htm).
> 
> Using the filter that I have created, a jsp file could look like this.
> 
> <%
> out.println(session.getAttribute("username"));
> %>
> 
> There would be no authentication code mixed in with the code to run the
> website.  There may be a different/better way of doing this with an
> authenticator see
> http://www.caucho.com/resin/ref/security.xtp#authentication , but I'm not
> sure that this is portable to other application servers.

I'll leave the server specific stuff alone for a while. 

> Also, doing this as a filter allows admins to make sure that zip files
> aren't being downloaded by people who should not have access.  See the
> filter-mapping tag in web.xml file for the syntax.

I'm  a little shady on this (and JSP) but I'll look at your code. Hopefully
that will clear things up.

Q: If I have resin setup, am I ready to go to run JSPs? I never have before
(I don't think anyway). 

> 
> 
> HOW TO RUN MY CODE
> 
> download jcifs-0.7.0b.zip and copy what is under src into the
> <myapp>/WEB-INF/classes directory of your website.  Then just unzip my file
> into the WEB-INF directory and it will overwrite web.xml (have a backup) and
> it will overwrite jcifs/http/NtlmHttpSession.java and it will create my
> jcifs/http/NtlmHttpAuthenticator.java and LoginFilter.java.  This is all you
> need other than a test jsp file like the one above.
> 
> SUMMARY
> 
> I hope this helps clear things up.  Although I'm writing this at 1 am so I
> don't know how coherent this actually is.

Thanks  skeetz.  This  is  very  informative.  I  have a lot to learn about
Servlets,  Java  app  servers,  JSPs, and the like but I can see there will
need to be quite a few changes. 

> 
> skeetz
> 
> 
> -----Original Message-----
> From: jcifs-admin at lists.samba.org [mailto:jcifs-admin at lists.samba.org] On
> Behalf Of Allen, Michael B (RSCH)
> Sent: Sunday, August 11, 2002 4:49 PM
> To: 'skeetz'
> Cc: 'jcifs at samba.org'
> Subject: [jcifs] RE: Authentication: NTLM
> 
> 
> First, I don't know a lot about servlets and such so please direct your
> messages to the jcifs at samba.org mailing list so that people who do
> understand can help sort these issues out. I'm just doing this based on my
> knowledge of networking and http.
> 
> > -----Original Message-----
> > From:	skeetz [SMTP:skeetz at 8thdeadlysim.com]
> > Sent:	Friday, August 09, 2002 12:42 PM
> > To:	Allen, Michael B (RSCH)
> > Subject:	RE: Authentication: NTLM
> >
> > I am waiting for instructions to signup on the list.  Here is what I've
> > discovered using this.
> >
> > 1) I think ie expects to get an authenticated page.
> >
> 	What is an "authenticated page"?
> 
> > 2) ie won't post any form data until it has finished this process.
> > so you have to authenticate every time.
> >
> 	Not sure what you mean here. You don't have to authenticate "every time".
> 	The server provokes the NTLM authentication mechanism and therefore decides
> 	who needs to authenticate and how often. Perhaps you are using POST instead
> 	of GET? In this case my intention was that you call NtlmHttpSession.logon
> 	from within your doPost but I have never tried. Or are you saying that IE
> 	changes its behavior once you've negotiated NTLM?
> 
> >   So what I did:
> > 1) made a filter so that each page can be authenticated without really
> > messing with the jsp/htm/zip/whatever files.
> >
> 	I'll look at your code but I'm getting more confused now.
> 
> > 2) made it so the ip for the primary domain controller is an init-param.
> >
> 	Why is this useful? Are the "domain" and "soTimeout" properties init
> 	parameters too? Perhaps these properties should be attributes? Are you
> 	trying to avoid the jcifs.properties file JRE parameter? If so, we could
> 	make the jcifs.properties file an "init-parameter". Actually, what exactly
> 	is an "init parameter"? Do you mean a logon() method parameter?
> 
> > 3) made it so that it will authenticate the first time and save the
> > challenge and the browser's encoded 3rd message.  Then on future pages, it
> > just sends the same challenge and tests if the encoded response is the
> > same as the saved one.
> >
> 	The jCIFS SmbSession class already essentially does this. If an SmbSession
> 	exists with a matching password hash it will reuse that session making the
> 	SmbSession.logon() method a no-op. So if you want to just provoke the
> 	NTLM password hash negotiation "every time" we could just reorganize the
> 	NtlmHttpSession.logon() code to perform the whole process (or part of it)
> 	each time. But it's not clear to me that this is necessary.
> 
> > I didn't do stress testing on what you had, but once my deal
> > authenticates, it is only a matter of a string compare (on the third attempt
> > of course).  Also if the domainController (ip) is given it runs a lot faster
> > not having to do the netbios lookup.
> >
> 	It shouldn't be slower to the point that you could notice. If it is, your
> 	name service is timing out and trying another resolution method. If you
> 	have a wins server and you set the wins and resolveOrder=WINS properties it
> 	should be just as fast and after the first lookup the name is cached.
> 
> > I've attached a slimmed-down version of what I'm using for my project.  I
> > hope this helps.  You'll probably be pissed that I didn't follow your coding
> > standard.  I'm just used to two spaces and certain other things.  Anyway it
> > should give you an idea.
> >
> > skeetz
> > p.s. Thanks again for getting this to work.
> >
> 	You're welcome. I'll look at your code and try to decipher what you're
> 	talking about but it might take me a while. I have never used servlets or
> 	jsps. If someone can explain to me exactly how this should work in an
> 	optimal way it would be great to sort this out right away and do an updated
> 	release.
> 
> 	Mike
> 
> 
> 


-- 
A  program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes  the  potential  for it to be applied to tasks that are
conceptually  similar and more importantly to tasks that have not
yet been conceived. 
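Added example (editor's code, not jCIFS and not skeetz's filter): a Python model of the NTLM-over-HTTP exchange the thread is about, with both sides in one block. A hypothetical NtlmFilter class stands in for the servlet filter, and a hypothetical ie_post client behaves the way skeetz describes IE behaving, sending an empty POST body until the Type 3 leg. It also shows why the "save the challenge and string-compare the Type 3" shortcut from the earlier message is not a safe optimisation: a server that hands out the same challenge every time accepts a captured Type 3 header replayed from a new session, while a server that issues a fresh random challenge per handshake rejects it. Assumptions: the names NtlmFilter, ie_post, replay and demo are invented for this example; the Type 1 and Type 3 layouts and the response() function are simplified stand-ins for the real NTLM message formats and DES/MD4-based responses (only the Type 2 header layout follows the real message); the credential and POST body are constructed sample data.

```python
# Added example, not jCIFS or skeetz's code: a model of the NTLM-over-HTTP
# handshake discussed in the thread: the three legs (401 "NTLM" -> Type 1 ->
# 401 + Type 2 challenge -> Type 3 -> 200), IE withholding a POST body until
# the Type 3 leg, and why reusing one challenge makes a captured Type 3
# replayable. ASSUMPTIONS: Type 1/Type 3 layouts and response() are simplified
# stand-ins for the real DES/MD4-based NTLM; only the Type 2 header is real.
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
def b64(raw: bytes) -> str: return base64.b64encode(raw).decode()
TYPE1 = "NTLM " + b64(NTLMSSP + struct.pack("<I", 1))  # minimal Type 1 header value

def ntlm_type(msg: bytes) -> int:
    """Message type: little-endian uint32 right after the 8-byte signature."""
    if msg[:8] != NTLMSSP or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]

def build_type2(challenge: bytes, target: bytes = b"DOMAIN") -> bytes:
    """Type 2 header: signature, type=2, target-name security buffer
    (len, maxlen, offset), flags, 8-byte server challenge, 8-byte context."""
    flags = 0x2 | 0x4 | 0x200 | 0x10000  # OEM, REQUEST_TARGET, NTLM, TARGET_TYPE_DOMAIN
    hdr = NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", len(target), len(target), 40)
    return hdr + struct.pack("<I", flags) + challenge + b"\x00" * 8 + target

def response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM challenge response: a keyed hash over the challenge."""
    return hmac.new(secret, challenge, hashlib.md5).digest()

def build_type3(user: bytes, secret: bytes, type2: bytes) -> bytes:
    """Simplified Type 3: signature, type=3, user length, user, 16-byte response."""
    return NTLMSSP + struct.pack("<IH", 3, len(user)) + user + response(secret, type2[24:32])

def parse_type3(msg: bytes):
    n = struct.unpack_from("<H", msg, 12)[0]
    return msg[14:14 + n], msg[14 + n:14 + n + 16]

class NtlmFilter:
    """Server side, in the role of the servlet filter. fresh_challenge=False
    reproduces the 'save the challenge and compare the Type 3' shortcut."""
    def __init__(self, secrets: dict, fresh_challenge: bool = True):
        self.secrets, self.fresh_challenge, self.fixed = secrets, fresh_challenge, os.urandom(8)

    def handle(self, headers: dict, session: dict):
        """Return (status, response headers); 200 means the request may proceed."""
        auth = headers.get("Authorization", "")
        try:
            msg = base64.b64decode(auth[5:]) if auth.startswith("NTLM ") else b""
            mtype = ntlm_type(msg)
        except ValueError:  # no or garbled NTLM header: (re)start the handshake
            return 401, {"WWW-Authenticate": "NTLM"}
        if mtype == 1:
            chal = os.urandom(8) if self.fresh_challenge else self.fixed
            session["challenge"] = chal
            return 401, {"WWW-Authenticate": "NTLM " + b64(build_type2(chal))}
        chal = session.pop("challenge", None)  # a Type 3 must answer this session's challenge
        user, resp = parse_type3(msg)
        if chal is None or user not in self.secrets or \
                not hmac.compare_digest(resp, response(self.secrets[user], chal)):
            return 401, {"WWW-Authenticate": "NTLM"}
        session["username"] = user.decode()
        return 200, {}

def ie_post(server, session, user, secret, body, knows_ntlm=False):
    """Model of IE posting a form. Once it knows the server wants NTLM it opens
    with a Type 1; either way it sends an empty body until the Type 3 leg.
    Returns the transcript [(auth kind, body the server saw, status), ...] and
    the final Authorization header (what a sniffer on the wire would capture)."""
    auth, transcript = (TYPE1 if knows_ntlm else None), []
    for _ in range(4):
        kind = "type%d" % ntlm_type(base64.b64decode(auth[5:])) if auth else "none"
        status, rh = server.handle({"Authorization": auth} if auth else {}, session)
        transcript.append((kind, body if kind == "type3" else b"", status))
        if status == 200 or kind == "type3":
            return transcript, auth
        www = rh["WWW-Authenticate"]
        auth = TYPE1 if www == "NTLM" else "NTLM " + b64(build_type3(user, secret, base64.b64decode(www[5:])))
    return transcript, auth

def replay(server, captured_type3: str) -> int:
    """Attacker in a new session: send a Type 1, then answer with the captured Type 3."""
    sess = {}
    server.handle({"Authorization": TYPE1}, sess)
    return server.handle({"Authorization": captured_type3}, sess)[0]

def demo(fresh_challenge: bool):
    secrets = {b"alice": b"constructed-secret-for-alice"}  # constructed sample credential
    server = NtlmFilter(secrets, fresh_challenge)
    transcript, captured = ie_post(server, {}, b"alice", secrets[b"alice"], b"file=<1MB upload>")
    return transcript, replay(server, captured)

if __name__ == "__main__":
    for fresh in (False, True):
        legs, status = demo(fresh)
        print("fresh challenge:", fresh, [(k, len(b), s) for k, b, s in legs], "replay ->", status)
```

Run it directly to print the transcript for both server modes. A first request from a client that has not yet seen NTLM takes three legs (no auth, Type 1, Type 3) and the body arrives only on the third, which is why a filter has to finish the handshake on every POST before it reads the request body; a client that already knows the server wants NTLM skips the first leg and opens with the Type 1. The replay result differs between the two modes only because of the challenge: with a fixed challenge the captured Type 3 is accepted in a brand-new session, so the "string compare against the saved response" optimisation turns the challenge-response into a static password equivalent.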


