[jcifs] Tomcat NTLM authentication with JCIFS

Michael B. Allen miallen at eskimo.com
Wed May 22 17:36:08 EST 2002


Jason has submitted the NTLM authentication code he spoke of previously. I
have not examined it very closely but I have prepared two archives;
jcifs-ntlm-auth-0.6.4.{tgz,zip} available in the normal download
area. Perhaps Tomcat users can try it out and collaborate with him before
I figure out how exactly to include the code.

Thanks Jason,
Mike

--8<--

On Wed, 22 May 2002 11:04:20 +1000
"Pugsley, Jason" <Jason.Pugsley at team.telstra.com> wrote:

Mike,

I wrote to the mailing list several weeks ago detailing a project I was
working on to get seamless user authentication to a java web server with the
Internet Explorer NTLM "protocol". I've had some time recently to work on
the code, and I'd like to submit it for your examination.

The changes to existing JCIFS .java files from release 0.6.3:


jcifs/UniAddress.java

  Changed the constructor to be public.


jcifs/smb/SmbSession.java

  Added new instance variables to hold pre-encrypted passwords.
  Added a new constructor to take pre-encrypted passwords.


jcifs/smb/SmbTransport.java

  Added a new getSmbSession() that takes pre-encrypted passwords.
  Commented out session caching. Caching doesn't work for my purposes but
removing it might break other things. Please check this one for me!!


jcifs/smb/SmbComSessionSetupAndX.java

  Added code to writeParameterWordsWireFormat() to check if we're using
pre-encrypted passwords and use those instead of encrypting the clear-text
ones.


I also added a new file/class SmbNTLM.java for the web server NTLM based
code.


If you have the time, maybe you could test this in your environment. If you
pass the changes I've made to JCIFS, then I'd hope to get others to test in
their environments too.

    [This does look very interesting Jason. I will look at this closely
    but for now I think I should just upload it "as is" because I know
    there are others that are interested in this sort of thing - mba]

Test environment setup procedures:

I've been working with the latest available release of Tomcat. It would be
best if you could use it in your test environment. If not let me know what
version you have and I'll see if I can customise my code. Here's the
download:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.0-alpha/bin/jakarta-tomcat-4.1.0-LE-jdk14.tar.gz

After you've installed Tomcat, follow these instructions:


Edit $CATALINA_HOME/conf/tomcat-users.xml
Add your NT login ID with a blank password and appropriate roles.
Keep in mind tomcat usernames are case sensitive, but NTLM is not,
so be sure to add all usernames in uppercase to work properly.

<user username="JPUGSLEY" password="" roles="tomcat,role1"/>



Copy the supplied jcifs-0.6.3.jar to
$CATALINA_HOME/server/lib



Overwrite the existing catalina.jar in $CATALINA_HOME/server/lib
with the supplied one.


Testing is done with the standard JSP example security test page.
As shipped, it is set up to use form based authentication. You need
to change it to NTLM based authentication.

Edit $CATALINA_HOME/webapps/examples/WEB-INF/web.xml
Replace these lines from the file

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

with these lines

    <!-- Default login configuration uses NTLM-based authentication -->
    <login-config>
      <auth-method>NTLM</auth-method>
      <realm-name>Example NTLM-Based Authentication Area</realm-name>
    </login-config>




Edit $CATALINA_HOME/bin/catalina.sh
Add configuration entries as necessary. At least specify your jcifs
properties file.

CATALINA_HOME=/opt/tomcat
CATALINA_OPTS=-Djcifs.properties=${CATALINA_HOME}/conf/jcifs.prp





Here is a suggested list of entries for your jcifs.prp file, edit for your
environment:

; wins and domain are necessary
wins=XXX.XXX.XXX.XXX
domain=MYDOMAIN
; client hostname is optional, but recommended
hostname=MYWEBBOX
; Set this to suit your environment or use default. (LMHOSTS,WINS,BCAST,DNS)
resolveOrder=WINS,DNS,BCAST
; For debugging
log=ALL




Now start the tomcat server.
$CATALINA_HOME/bin/startup.sh



If you have logging turned on in jcifs.prp, try tailing
$CATALINA_HOME/logs/catalina.out  and
$CATALINA_HOME/logs/localhost_examples_log.XXXX-XX-XX.txt




Then point your browser to
http://yourwebserver:8080/examples/jsp/security/protected

If your computer is part of a domain, then you should get access straight
away.

If your computer is part of a workgroup, then you might get a password
dialog. Depending on your version of IE and Windows, you'll get either 2
or 3 text boxes for your credentials.
If 2, then User Name will be DOMAIN\USERNAME
If 3, then you will have a separate box for each of User Name and Domain.


    [This sounds nice. I think I have a use for this at work myself. - mba]


I'm still in the process of learning the internals of Tomcat and JCIFS so I
apologise if my code is a bit sloppy. I hope we can work on the JCIFS
components. Once the SmbNTLM class is frozen, I can start pushing the
jakarta-tomcat people to include my NTLM changes. There's no guarantee this
will ever happen though - the developers there seem to have little interest
in this idea. Maybe I'll look at some other java web servers - like Jetty
for example.

    [I don't think the existing code can go in "as is" but I haven't
    looked at it too closely yet. I would rather it not be specific to
    Tomcat. Someone should be able to use Resin or just CGI. In theory
    it should be possible to abstract that possibly handling HTTP
    request/responses directly and without interfering with the core
    code too much. - mba]

Let me know what you think and how you get on.


Kind Regards,

Jason Pugsley.
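The handshake Jason's setup relies on, as an added example (this is not his SmbNTLM class, nor JCIFS or Tomcat code): Internet Explorer sends a Type 1 negotiate in an Authorization: NTLM header, the server answers 401 with a Type 2 carrying an 8-byte challenge in WWW-Authenticate, and the client returns a Type 3 naming domain, user and workstation together with the LM and NT responses to that challenge. Those responses are the "pre-encrypted passwords" his patch forwards to the domain controller in the SMB session setup; the example stops at extracting them and at the tomcat-users.xml lookup, which it uppercases because NTLM usernames are case-insensitive and Tomcat's are not. The sample messages, the nonce, the fake 24-byte responses and the TOMCAT_USERS table are all constructed here for the demo.

```python
"""NTLM-over-HTTP handshake as a servlet container sees it (added example)."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200


def _sec_buf(data, offset):
    """Security buffer: length, allocated length, absolute offset (LE)."""
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_sec_buf(msg, at):
    length, _alloc, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def _codec(flags):
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"


def _header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def client_type1(unicode=True):
    """What IE sends first: Authorization: NTLM <Type 1 negotiate>."""
    flags = NEGOTIATE_NTLM | (NEGOTIATE_UNICODE if unicode else NEGOTIATE_OEM)
    return _header(SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", flags))


def build_type2(challenge, target, flags):
    """Server Type 2: the 8-byte nonce the client must encrypt
    (32-byte header form, the one pre-NTLMv2 clients expect)."""
    assert len(challenge) == 8
    tname = target.encode(_codec(flags))
    return (SIGNATURE + struct.pack("<I", 2) + _sec_buf(tname, 32)
            + struct.pack("<I", flags) + challenge + tname)


def client_type3(domain, user, host, lm_resp, nt_resp, unicode=True):
    """Client Type 3: identity plus the challenge responses (constructed
    here; in real traffic IE builds it from the user's NT password)."""
    flags = NEGOTIATE_NTLM | (NEGOTIATE_UNICODE if unicode else NEGOTIATE_OEM)
    enc = lambda s: s.encode(_codec(flags))
    bufs, body, start = b"", b"", 64  # 8 sig + 4 type + 6*8 bufs + 4 flags
    for data in (lm_resp, nt_resp, enc(domain), enc(user), enc(host), b""):
        bufs += _sec_buf(data, start + len(body))
        body += data
    return _header(SIGNATURE + struct.pack("<I", 3) + bufs
                   + struct.pack("<I", flags) + body)


def parse(header_value):
    """Decode an 'NTLM <base64>' header value into its fields."""
    if not header_value.startswith("NTLM "):
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(header_value[5:])
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == 2:
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"type": 2, "flags": flags, "challenge": msg[24:32],
                "target": _read_sec_buf(msg, 12).decode(_codec(flags))}
    if mtype == 3:
        (flags,) = struct.unpack_from("<I", msg, 60)
        lm, nt, dom, usr, wks = [_read_sec_buf(msg, 12 + 8 * i) for i in range(5)]
        return {"type": 3, "lm_response": lm, "nt_response": nt,
                "domain": dom.decode(_codec(flags)),
                "user": usr.decode(_codec(flags)),
                "workstation": wks.decode(_codec(flags))}
    raise ValueError("unexpected NTLM message type %d" % mtype)


# Constructed stand-in for the tomcat-users.xml entry in the post. Tomcat
# matches usernames case-sensitively while NTLM does not, hence uppercase
# entries and an uppercased lookup.
TOMCAT_USERS = {"JPUGSLEY": ["tomcat", "role1"]}


def ntlm_step(authorization, challenge, target="MYDOMAIN"):
    """Handle one request. Returns ("challenge", WWW-Authenticate value)
    while the handshake is incomplete, or ("user", NAME, roles) once the
    Type 3 names a known user. Verifying lm/nt_response against the domain
    controller (what the JCIFS patch does via SMB session setup) is assumed
    to happen before roles are granted and is not shown here."""
    if authorization is None:
        return ("challenge", "NTLM")  # bare 'NTLM' tells IE to start
    msg = parse(authorization)
    if msg["type"] == 1:
        unicode = bool(msg["flags"] & NEGOTIATE_UNICODE)
        flags = NEGOTIATE_NTLM | REQUEST_TARGET | (NEGOTIATE_UNICODE if unicode else NEGOTIATE_OEM)
        return ("challenge", _header(build_type2(challenge, target, flags)))
    if msg["type"] == 3:
        roles = TOMCAT_USERS.get(msg["user"].upper())
        if roles is None:
            return ("challenge", "NTLM")  # unknown user: restart handshake
        return ("user", msg["user"].upper(), roles)
    raise ValueError("client must not send a Type 2")


def demo():
    """Run the whole exchange with a fixed nonce and fake responses."""
    nonce = bytes(range(8))
    step1 = ntlm_step(None, nonce)
    step2 = ntlm_step(client_type1(), nonce)
    chal = parse(step2[1])
    t3 = client_type3(chal["target"], "jpugsley", "WS1", b"L" * 24, b"N" * 24)
    return step1, chal["challenge"], ntlm_step(t3, nonce)


if __name__ == "__main__":
    print(demo())
```

The nonce must be fresh per handshake and tied to the connection; a fixed or reused challenge lets a captured Type 3 be replayed, which is also why the session caching Jason commented out matters for correctness, not just convenience.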

