[jcifs] jCIFS and WebNFS (and now JAAS...)

Michael B Allen mballen at erols.com
Tue Feb 19 16:23:33 EST 2002


On Mon, 18 Feb 2002 19:55:46 -0500 (EST)
Brian Topping <brian at ponoi.com> wrote:
> 
> > I don't really think that helps you all that much in the A&A areas, 
> > though. From what I understand, that's going to require some big 
> > additions to the jcifs.smb package...
> 
> Indeed.  I've had way too short a time on this project to be having any amazing 
> architectural moments to be proud of, but the client isn't too keen on artistic 
> expression right now...
> 
> Regardless, I started taking a look at JAAS over the last hour or so and 
> started to ponder whether it might be an appropriate wrapper for FS transports  
> (WebNFS/jCIFS/etc).  The idea that I am pondering is whether the method calls 
> of the specific FS transports should be wrapped as JAAS PrivilegedActions, then 
> leverage JAAS to take care of the grimy details in A&A.  In my half-baked 
> understanding of JAAS and the state of the FS transports, they complement each 
> other almost precisely with their respective levels of completion and areas of 
> competency.  I'm not too intimate with any of the protocol exchanges though, so 
> I need to bone up a little there too.

I'm not really familiar with JAAS but this idea of yours would undoubtedly
involve creating files on a server somewhere for each permission. This
will probably work ok for you but it might become slow under heavy load
(going through a middle man) and your clients might start looking at
you funny for asking them to tweak ACLs on some files somewhere.

The *right* way to do this is to implement the various authentication
related RPCs that query the domain controller for these permissions. But
it will be a while before jCIFS has DCE/RPC functionality. It's the
holy grail of functionality for us though because it opens the flood
gates to a whole new world of great things you can do to Windows
machines from checking ACL permissions, enumerating long share names,
and authenticating users to what Luke Leighton says "is the best remote
function in the entire MSRPC API set": RegShutdown.

> 
> I'm going to keep hammering on this track, but I am certainly interested in 
> comments if I have been breathing too many fumes all day :)

Don't ponder it too much, the only authentication mechanism that jCIFS
has is authenticating with a file server a la NTLMv1 and of course what
comes with trying to operate on a file for which the permissions are
under ACL control. That's it.

Mike

-- 
May The Source be with you.
