[jcifs] NTLM HTTP authentication
Glass, Eric
eric.glass at capitalone.com
Fri Aug 30 06:49:08 EST 2002
> Let's say for a second that you were not using NTLM at all but just
> Authentication: Basic instead. If you needed to secure that login would you
> add HTTPS independently? Are the two configurations (meaning Filter and
> mapping deployment descriptors) separate? How does your implementation of
> Authentication: Basic differ from the standard authentication setup for
> whatever container if you factor out the NTLM part? If they're not
> different, how can you be sure?
I'm not sure I understand the question...
Using a Servlet Filter for authentication implies that the standard
authentication mechanisms provided by the servlet spec will NOT be employed;
in fact, they won't work. As an example, consider the following deployment
descriptor:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <filter>
        <filter-name>NTLM</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.netbios.wins</param-name>
            <param-value>10.4.9.100</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>NTLM</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Root</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
This applies the NTLM filter, as well as specifying HTTP basic
authentication. What will happen when you visit this is:
1. The servlet container will use its (container-dependent) mechanism for
authenticating the user via Basic.
2. Once the user has successfully authenticated using the HTTP basic
mechanism, they will then have to negotiate NTLM authentication to actually
access the site.
If you are using Internet Explorer, you will be prompted to login (using
Basic), and then IE will negotiate NTLM. If you are NOT using Internet
Explorer, it is impossible to access the site, PERIOD -- you can login
(using Basic), but your browser will be unable to negotiate the NTLM
authentication.
Assuming you want all clients to be able to access the site, and you want to
require them to authenticate against the domain, you have 2 choices:
1. Implement a servlet container-specific extension to provide another
"NTLM" auth-method to the standard deployment descriptor; or
2. Capture the login information sent during a Basic authentication, and
use that username and password to authenticate against the domain.
You could implement the Basic authentication in a separate filter (which
would do an SmbSession.login); but you can't chain authenticators using the
Filter framework, so you wouldn't be able to allow IE clients to use the
NTLM protocol (they would be authenticated against the domain, but via basic
instead of NTLM). The only way to do an either/or is to implement them in
the same filter.
Note also that Basic is essentially the only mechanism you could do this way
-- DIGEST, etc. won't work because the password is never sent over the wire
and is therefore not available to the filter to perform the SmbSession.login
call.
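Choice 2 above (capture the Basic credentials and validate them against the domain) as an added example filter; this is not jCIFS's own code and covers only the Basic path, not the either/or combination with NTLM. It assumes the jCIFS 1.x API (SmbSession.logon, UniAddress, NtlmPasswordAuthentication) and three hypothetical init-params (domain, domainController, realm); because Basic sends the password in cleartext, it refuses to accept credentials unless the connection is HTTPS, which answers the HTTPS question in the quoted post.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import jcifs.UniAddress;
import jcifs.smb.*;

// Added example, not jCIFS's own code. Assumes the jCIFS 1.x API:
// SmbSession.logon(UniAddress, NtlmPasswordAuthentication) throws SmbAuthException on bad credentials.
public class BasicDomainAuthFilter implements Filter {
    private String domain, dcAddress, realm;   // all three come from (hypothetical) filter init-params
    public void init(FilterConfig cfg) {
        domain = cfg.getInitParameter("domain");
        dcAddress = cfg.getInitParameter("domainController");
        realm = cfg.getInitParameter("realm");
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Basic carries the password in cleartext, so refuse it on a plain-HTTP connection.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Basic ")) {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String[] cred = new String(raw, "ISO-8859-1").split(":", 2);   // "user:password"
            if (cred.length == 2) {
                NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication(domain, cred[0], cred[1]);
                try {
                    SmbSession.logon(UniAddress.getByName(dcAddress), auth);  // validate against the DC
                    chain.doFilter(req, res);
                    return;
                } catch (SmbAuthException e) {
                    // wrong username/password: fall through and challenge again
                } catch (SmbException e) {
                    response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "DC unreachable");
                    return;
                }
            }
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
    public void destroy() {}
}
```

Map it with a filter-mapping like the NTLM one above; a client that fails the domain logon is simply re-challenged, while a DC outage is reported separately so it is not mistaken for a bad password.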