[jcifs] A bunch of NTLM stuff

Michael B. Allen miallen at eskimo.com
Sat Oct 5 19:06:06 EST 2002

Thanks  for  this  code.  It was thought provoking. I have converted to the
stateless approach and it does seem more correct.

Note  however  that  your  code will choke after soTimeout because the same
NtlmPasswordAuthentication  object  is  being  used  by  SmbSession and you
create  new  ones.  My old code updated the hashes in-place so SmbSession's
pointer   didn't   need   to  be  updated.  Regardless,  I've  changed  the
SmbTransport.getSmbSession()      method      to     assign     the     new
NtlmPasswordAuthentication  object  to the SmbSession so that this will not
happing in my code or yours (post 0.7.0b3).

Also, note that the "domain" in the type-1-message is the workgroup and not
the  authentication domain. Frequently they are the same but not always. In
my  code,  I  do not even bother to use this field as a fallback domain and
instead  just  require a domainController property. The real authentication
domain is in the type-3-message.

On Tue, 1 Oct 2002 12:48:51 -0400
"Glass, Eric" <eric.glass at capitalone.com> wrote:

> I was having issues with the NtlmHttpSession (specifically, the
> NullPointerException people were reporting yesterday).  I started to rework
> some stuff, and basically ended up reimplementing much of the filter/network
> explorer so it works statelessly.  I changed the names of the classes so
> they can coexist with the existing stuff, but basically these are:
> NtPrincipal -- an implementation of java.security.Principal representing an
> authenticated domain user.
> NtlmProtocol -- an abstraction of the NTLM protocol itself, basically
> 	a) producing a type 2 byte[] challenge from a type 1 byte[] request;
> 	b) processing a type 3 byte[] response to produce an
> NtlmPasswordAuthentication object; and 
> 	c) logging on to a server with the NtlmPasswordAuthentication object
> to produce an NtPrincipal.  By default the server used to generate the
> challenge and evaluate the SmbSession.logon is obtained either via the
> "jcifs.http.domainController" property, or by NbtAddress.getByName(domain,
> 0x1c, null), etc.  See below for more notes.
> NtlmProtocolHandler -- a driver for managing HTTP interaction with the NTLM
> authentication protocol.
> NtlmAuthFilter -- a Filter which uses the NtlmProtocolHandler to
> authenticate against the domain.  This is more or less a reworking of
> NtlmHttpFilter.  After filtering, the request's getUserPrincipal and
> getRemoteUser will reflect the information in NtPrincipal.  This uses the
> default NtlmProtocol implementation to generate the challenge and logon.
> SmbBrowser -- This is similar to a very stripped down NetworkExplorer.  This
> DOES NOT use the NtlmAuthFilter (in fact, it probably won't work in
> conjunction with it).  It is basically installed with a servlet-mapping of
> something like "/SMB/*", so pointing your browser at:
> http://localhost/SMB/smbserver/share/dir/file
> will retrieve
> \\smbserver\share\dir\file
> The type 2 challenge and logon are done against the server on which the file
> resides ("smbserver" in the above example) by subclassing NtlmProtocol.
> Directory listing is fairly spartan (not nearly as pretty as
> NetworkExplorer).  You can also specify a default server if you want to
> force an authentication to "smb://", otherwise it will basically just do new
> SmbFile("smb://").
> I haven't tested any of this thoroughly, but it appears to work for me.
> Hopefully at least some of this is helpful to someone.
> Eric
> **************************************************************************
> The information transmitted herewith is sensitive information intended only
> for use by the individual or entity to which it is addressed. If the reader
> of this message is not the intended recipient, you are hereby notified that
> any review, retransmission, dissemination, distribution, copying or other
> use of, or taking of any action in reliance upon this information is
> strictly prohibited. If you have received this communication in error,
> please contact the sender and delete the material from your computer.

A  program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes  the  potential  for it to be applied to tasks that are
conceptually  similar and more importantly to tasks that have not
yet been conceived. 

More information about the jcifs mailing list