[jcifs] NtlmSsp - Closing sessions?

Bazyl, Steven sbazyl at rsasecurity.com
Thu Dec 19 12:18:08 EST 2002

> This will not work with "thousands of users". It might work with
> 200. 1000 users would require well over 1GB of ram just to hold the
> stacks of transport threads. Even if you do not use jCIFS at 
> all I would
> be surprised to see anything written in Java support more 
> than a couple
> hundred concurrent users. Not without a demultiplexer (e.g. 
> select(2)).

Yes, apps in Java can support (tens-of-)thousands of concurrent 'users'.
Details of that aside, isn't it just one transport thread per domain
controller regardless of the number of sessions?  I just did some testing of
authenticating a small number of users and there is only 1 transport thread
as expected.  Its the SmbSession objects that keep building up, however,
which is why I wanted the logoff call.

Anyway, please give yourself some credit -- JCifs actually performs pretty
well as far as just authenticating goes (at least in a single thread...I'll
try some multithreaded tests later :)  Could it be faster, probably, but it
works pretty well all things considered!

> But if you just stick 'public' in front of all the methods and build a
> closed source DCE/RPC implementation I will not be happy.

The only thing I'm intersted in (as the thread subject implies) is
incorporating the NTLM authentication functionality into a product.  Anyway,
it turns out that the modifications are pretty small for my needs - just
adding one method to SmbTransport:

    * Authenticate against a domain controller.  Unlike logon(), this does
not establish
    * a long-lived session for the user -- its purpose is simply to validate
the user password.
    * @param dc Domain Controller to authenticate against
    * @param auth User authentication info
    * @throws SmbException if authentication fails.
    public static void authenticate( UniAddress dc, 
                                     NtlmPasswordAuthentication auth )
throws SmbException {
        SmbSession session = null;
        try {
             // Don't register SmbSession with transport since we want this
to be stateless
             // As for side-effects, this appears to only be an issue if the
transport thread
             // is interrupted.  Any other failures, such as socket
timeouts, result in 
             // calling the SmbTransport.tryClose() and SmbSession.logoff()
methods with the
             // error flag set to true in which case the logoff is
effectively a no-op save a
             // few bits of cleanup.  But since we're discarding the session
anyway its
             // probably no big deal.
             session = new SmbSession( SmbTransport.getSmbTransport( dc, 0
), auth );
             session.getSmbTree( "IPC$", null ).treeConnect( null, null );
        } finally {
             if( session != null ) {
                 // Terminate the session
                 session.logoff( false );
                 session = null;

Again, thanks for your assistance :)

More information about the jcifs mailing list