[jcifs] A bunch of NTLM stuff
Michael B. Allen
miallen at eskimo.com
Sat Oct 5 19:06:06 EST 2002
Thanks for this code. It was thought provoking. I have converted to the
stateless approach and it does seem more correct.
Note however that your code will choke after soTimeout because the same
NtlmPasswordAuthentication object is being used by SmbSession and you
create new ones. My old code updated the hashes in-place so SmbSession's
pointer didn't need to be updated. Regardless, I've changed the
SmbTransport.getSmbSession() method to assign the new
NtlmPasswordAuthentication object to the SmbSession so that this will not
happing in my code or yours (post 0.7.0b3).
Also, note that the "domain" in the type-1-message is the workgroup and not
the authentication domain. Frequently they are the same but not always. In
my code, I do not even bother to use this field as a fallback domain and
instead just require a domainController property. The real authentication
domain is in the type-3-message.
On Tue, 1 Oct 2002 12:48:51 -0400
"Glass, Eric" <eric.glass at capitalone.com> wrote:
> I was having issues with the NtlmHttpSession (specifically, the
> NullPointerException people were reporting yesterday). I started to rework
> some stuff, and basically ended up reimplementing much of the filter/network
> explorer so it works statelessly. I changed the names of the classes so
> they can coexist with the existing stuff, but basically these are:
> NtPrincipal -- an implementation of java.security.Principal representing an
> authenticated domain user.
> NtlmProtocol -- an abstraction of the NTLM protocol itself, basically
> a) producing a type 2 byte challenge from a type 1 byte request;
> b) processing a type 3 byte response to produce an
> NtlmPasswordAuthentication object; and
> c) logging on to a server with the NtlmPasswordAuthentication object
> to produce an NtPrincipal. By default the server used to generate the
> challenge and evaluate the SmbSession.logon is obtained either via the
> "jcifs.http.domainController" property, or by NbtAddress.getByName(domain,
> 0x1c, null), etc. See below for more notes.
> NtlmProtocolHandler -- a driver for managing HTTP interaction with the NTLM
> authentication protocol.
> NtlmAuthFilter -- a Filter which uses the NtlmProtocolHandler to
> authenticate against the domain. This is more or less a reworking of
> NtlmHttpFilter. After filtering, the request's getUserPrincipal and
> getRemoteUser will reflect the information in NtPrincipal. This uses the
> default NtlmProtocol implementation to generate the challenge and logon.
> SmbBrowser -- This is similar to a very stripped down NetworkExplorer. This
> DOES NOT use the NtlmAuthFilter (in fact, it probably won't work in
> conjunction with it). It is basically installed with a servlet-mapping of
> something like "/SMB/*", so pointing your browser at:
> will retrieve
> The type 2 challenge and logon are done against the server on which the file
> resides ("smbserver" in the above example) by subclassing NtlmProtocol.
> Directory listing is fairly spartan (not nearly as pretty as
> NetworkExplorer). You can also specify a default server if you want to
> force an authentication to "smb://", otherwise it will basically just do new
> I haven't tested any of this thoroughly, but it appears to work for me.
> Hopefully at least some of this is helpful to someone.
> The information transmitted herewith is sensitive information intended only
> for use by the individual or entity to which it is addressed. If the reader
> of this message is not the intended recipient, you are hereby notified that
> any review, retransmission, dissemination, distribution, copying or other
> use of, or taking of any action in reliance upon this information is
> strictly prohibited. If you have received this communication in error,
> please contact the sender and delete the material from your computer.
A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and more importantly to tasks that have not
yet been conceived.
More information about the jcifs