[jcifs] NTLM HTTP authentication

Glass, Eric eric.glass at capitalone.com
Thu Aug 29 20:20:23 EST 2002


Attached are some minor changes -- this adds a "jcifs.http.useBasic"
init parameter which determines whether to enable basic authentication.  I
currently use IIS with both NTLM and Basic enabled, over HTTPS.  That is
basically what I am trying to duplicate/replace here; IE clients get the
nice single-sign-on functionality, but the non-NTLM-capable clients can
still authenticate.

As to the issue below -- I am not sure if doFilter can be guaranteed
synchronized in the same manner as servlets (via implementation of
SingleThreadModel).  If I understand correctly (I might not, since I am
fairly new to NTLM), the issue isn't so much synchronization as it is the
fact that the protocol requires multiple requests; even if the doFilter
method was synchronized, it would not be synchronized over multiple
requests.  If I understand this stuff properly, this is the "normal"
scenario:

1. Client accesses the page.
2. Server sends the initial WWW-Authenticate message.
3. Client repeats the request with the type-1 message.  Server initializes
the NtlmHttpSession object and stores it in the HttpSession.
4. Server sends back a WWW-Authenticate containing the type-2 challenge.
5. Client repeats the request with the type-3 message, responding to the
challenge.  Server retrieves the NtlmHttpSession object from the
HttpSession, and checks the response (authenticating the user against the
domain).
6. Server sends back the content.

If I understand your issue, the NetworkExplorer application requires that
the challenge in step 4 (and the corresponding response) reflect the values
provided by the server hosting the SMB resource being accessed (which may be
different from the values initially negotiated).  Is this correct?


-----Original Message-----
From: Allen, Michael B (RSCH) [mailto:Michael_B_Allen at ml.com]
Sent: Wednesday, August 28, 2002 11:52 PM
To: 'jcifs at lists.samba.org'
Subject: RE: [jcifs] NTLM HTTP authentication


Does anyone know if doFilter is synchronized? I'm having some serious issues
getting this to work while accessing SMB resources at the same time with
NetworkExplorer. Even without NetworkExplorer, if doFilter is not synchronized
this implementation is somewhat flawed. If the client sent multiple requests
with different credentials (not sure why it would do that but still) the
NtlmHttpSession's state may become inconsistent. The problem with
NetworkExplorer is that to access the SMB resource you have to use the
challenge of the target server in the NTLM HTTP password hash negotiation
which *does* result in different credentials (password hashes) and that's
seriously mucking up the NtlmHttpSession. Geeze, I'm going to have to change
this all around.
 
  

-------------- next part --------------
A non-text attachment was scrubbed...
Name: NtlmHttpFilter.java
Type: application/octet-stream
Size: 9559 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20020829/2da06b9a/NtlmHttpFilter.obj
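
The multi-request handshake from steps 1-6 of the message above, modelled as an added Python example (it is not the attached NtlmHttpFilter.java and not jCIFS code). It shows why synchronizing a single request handler does not protect per-session handshake state: a second type-1 in the same session replaces the pending challenge. Assumptions: message bodies are simplified to the bare 8-byte challenge, a dict stands in for the HttpSession, and `msg`, `parse`, `handle`, `toy_verify` and `run` are hypothetical names.

```python
import base64, os, struct

SIG = b"NTLMSSP\x00"  # every NTLM message starts with this, then a little-endian type

def msg(kind, body=b""):
    """Build an 'NTLM <base64>' header value for a constructed, simplified message."""
    return "NTLM " + base64.b64encode(SIG + struct.pack("<I", kind) + body).decode()

def parse(header):
    """Return (type, body) for an 'NTLM <base64>' header value, or (None, b'')."""
    try:
        raw = base64.b64decode((header or "")[5:], validate=True)
    except ValueError:
        return None, b""
    if not (header or "").startswith("NTLM ") or len(raw) < 12 or raw[:8] != SIG:
        return None, b""
    return struct.unpack_from("<I", raw, 8)[0], raw[12:]

def handle(session, header, verify):
    """One HTTP request against per-session state (a dict standing in for HttpSession)."""
    kind, body = parse(header)
    if kind == 1:  # steps 3-4: issue a challenge, replacing any pending one
        session["challenge"] = os.urandom(8)
        return 401, msg(2, session["challenge"])
    if kind == 3 and "challenge" in session:  # steps 5-6: the challenge is single use
        ok = verify(session.pop("challenge"), body)
        return (200, None) if ok else (401, "NTLM")
    return 401, "NTLM"  # steps 1-2, or a type-3 with no pending challenge

def toy_verify(challenge, body):
    # Stand-in for checking the response against the domain (assumption):
    # the toy client simply echoes the challenge it was given.
    return body == challenge

def run(order):
    """Replay (client, message type) requests that share one session; return statuses."""
    session, seen, out = {}, {}, []
    for who, step in order:
        hdr = msg(1) if step == 1 else msg(3, seen[who])
        status, www = handle(session, hdr, toy_verify)
        if step == 1:
            seen[who] = parse(www)[1]  # the client remembers its own challenge
        out.append(status)
    return out

if __name__ == "__main__":
    print(run([("A", 1), ("A", 3)]))                      # one handshake at a time
    print(run([("A", 1), ("B", 1), ("A", 3), ("B", 3)]))  # two interleaved handshakes
```

Each call to `handle` is atomic here, yet the interleaved run still fails for both clients, because the state that matters lives across requests rather than inside one.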

