[jcifs] NTLM HTTP authentication
Michael B. Allen
miallen at eskimo.com
Fri Aug 30 05:16:38 EST 2002
On Thu, 29 Aug 2002 06:20:23 -0400
"Glass, Eric" <eric.glass at capitalone.com> wrote:
> Attached are some minor changes -- this adds a "jcifs.http.useBasic"
> initparameter which determines whether to enable basic authentication. I
> currently use IIS with both NTLM and Basic enabled, over HTTPS. That is
> basically what I am trying to duplicate/replace here; IE clients get the
> nice single-sign-on functionality, but the non-NTLM-capable clients can
> still authenticate.
Let's say for a second that you were not using NTLM at all but just
Authentication: Basic instead. If you needed to secure that login would you
add HTTPS independantly? Are the two configurations (meaning Filter and
mapping deployment descriptors) separate? How does your implementation of
Authentication: Basic differ from the standard authentcication setup for
whatever container if you factor out the NTLM part? If they're not
different, how can you be sure?
> As to the issue below -- I am not sure if doFilter can be guaranteed
> synchronized in the same manner as servlets (via implementation of
> SingleThreadModel). If I understand correctly (I might not, since I am
> fairly new to NTLM), the issue isn't so much synchronization as it is the
> fact that the protocol requires multiple requests; even if the doFilter
> method was synchronized, it would not be synchronized over multiple
> requests. If I understand this stuff properly, this is the "normal"
> scenario:
Actually I didn't mean that the actual method itself was "syncronized". You
can tell that by just looking at the method signature. I was wondering if
it was called synchronously. But in hind sight this is cannot be. That
would be hidiously slow (and unnecessary in most cases).
> 1. Client accesses the page.
> 2. Server sends the initial WWW-Authenticate message.
> 3. Client repeats the request with the type-1 message. Server initializes
> the NtlmHttpSession object and stores it in the HttpSession.
> 4. Server sends back an WWW-Authenticate containing the type-2 challenge.
> 5. Client repeats the request with the type-3 message, responding to the
> challenge. Server retrieves the NtlmHttpSession object from the
> HttpSession, and checks the response (authenticating the user against the
> domain).
> 6. Server sends back the content.
>
> If I understand your issue, the NetworkExplorer application requires that
> the challenge in step 4 (and the corresponding response) reflect the values
> provided by the server hosting the SMB resource being accessed (which may be
> different from the values initially negotiated). Is this correct?
Yes, exactly.
My issue is that the HttpSession object maintains the password hashes and
general state of the NTLM HTTP Authentication process. Even though the
current implementation is minorly flawed in that two or more requests could
be operating on that state at the same time, the challenge being sent and
hashes returned will be exactly the same so it still works just fine. You
can see this if you NTLM protect a page with a few graphics -- the browser
will submit a bunch of requests before the NTLM code can complete one full
NTLM negotiation. Like I said, this is OK though. It might be wise to just
syncronize those encoding/decoding messages though. I think we can also
bypass some of the negotiations after the first. That will speed things up
quite a bit. The POST requests submit the Authentication: NTLM header with
the type-1-message before form data will be submitted so we have to service
those requests.
The real problem right now is with using the negotiated credentials to
access SMB resources. The challenge in step 4 will be different and that
will cause the state of the NtlmHttpSession object to be inconsistent. I
think I'll just have to leave the filter alone and duplicate some of the
NTLM negotiation in an SMB resource accessing base class/servlet that users
can extend (like NetworkExplorer).
Actually the accessing of SMB resources with negotiated credentials creates
a more significant problem. If you use the NTLM HTTP Authentication process
to negotiate credentials for accessing an SMB resource you cannot also
negotiate credentals for validating against the domain controller. I don't
think it would work, nor would it be wise, to do NTLM HTTP Authentication
back to back over the same session. We might require that there be an
initial GET that authenticates thus freeing subsequent requests to
negotiate credentials for SMB resources but that's a little clumsy. So the
two operations are mutually exclusive. Any servlet that accesses SMB
resources will have to be configured NOT to be protected by NTLM HTTP
Authentication.
> -----Original Message-----
> From: Allen, Michael B (RSCH) [mailto:Michael_B_Allen at ml.com]
> Sent: Wednesday, August 28, 2002 11:52 PM
> To: 'jcifs at lists.samba.org'
> Subject: RE: [jcifs] NTLM HTTP authentication
>
>
> Does anyone know if doFilter is synchronzed? I'm having some serious issues
> getting
> this to work while accessing SMB resources at the same time with
> NetworkExplorer.
> Even without NetworkExplorer, if doFilter is not syncronized this
> implementation is
> somewhat flawed. If the client sent multiple requests with different
> credentials (not sure
> why it would do that but still) the NtlmHttpSession's state may become
> inconsistent. The
> problem with NetworkExplorer is that to access the SMB resource you have to
> use the
> challenge of the target server in the NTLM HTTP password hash negotiation
> which *does*
> result in different credentials (password hashes) and that's seriously
> mucking up the
> NtlmHttpSession. Geeze, I'm going to have to change this all around.
>
> **************************************************************************
> The information transmitted herewith is sensitive information intended only
> for use by the individual or entity to which it is addressed. If the reader
> of this message is not the intended recipient, you are hereby notified that
> any review, retransmission, dissemination, distribution, copying or other
> use of, or taking of any action in reliance upon this information is
> strictly prohibited. If you have received this communication in error,
> please contact the sender and delete the material from your computer.
>
>
>
--
A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and more importantly to tasks that have not
yet been conceived.
More information about the jcifs
mailing list