[jcifs] Alternative to jcifs.http.NtlmHttpFilter

Michael Piscatello mpiscatello at directvinternet.com
Tue Oct 22 10:34:58 EST 2002


Mike,

I created a servlet that uses Eric's NtlmServlet with no problem. I did not
get a chance to test it from a PC that was not already authenticated. From a
PC that was already logged into the domain, the servlet checked everything
against the DC just like it should. I wish I was more familiar with the
jcifs API so I could have put something in my servlet that would print out
the credentials that were verified. More testing tomorrow.

Mike

On 10/21/02 3:41 AM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com>
wrote:

> Michael,
> 
> Please let us know how this works for you in a pre-2.3 Servlet environment.
> 
> Eric,
> 
> Depending on Michael's experience and with your permission I would like to
> insert the standard LGPL disclaimer and include this in the distro. Okay?
> 
>> -----Original Message-----
>> From:    Glass, Eric [SMTP:eric.glass at capitalone.com]
>> Sent:    Thursday, October 17, 2002 5:00 AM
>> To:    jcifs at lists.samba.org
>> Cc:    'melbaird at hotmail.com'; 'Allen, Michael B (RSCH)'; 'Michael Piscatello'
>> Subject:    RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
>> 
>> Attached is a servlet which uses the 0.7.0b4 NTLM stuff to do authentication
>> -- this should work in pre-2.3 Servlet environments.  It only overrides the
>> "service" method, so if you are just implementing doGet, doPost, etc. it
>> should be a drop in replacement for HttpServlet;  i.e., you can just change:
>> 
>> public class MyServlet extends HttpServlet
>> 
>>     to:
>> 
>> public class MyServlet extends NtlmServlet
>> 
>> and be up and going.  You would set all the jcifs.* parameters (domain
>> controller, etc.) via the servlet's init parameters (similar to the filter
>> configuration in 2.3+ environments).
>> 
>> See also the notes just posted to the list regarding 0.7.0b4.  If you don't
>> subscribe to the list the message in question is here:
>> http://lists.samba.org/pipermail/jcifs/2002-October/002693.html
>> 
>>> -----Original Message-----
>>> From: Allen, Michael B (RSCH) [mailto:Michael_B_Allen at ml.com]
>>> Sent: Thursday, October 17, 2002 1:27 AM
>>> To: 'Michael Piscatello'; jcifs at lists.samba.org
>>> Subject: RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
>>> 
>>> 
>>> I just noticed you said "pop-up". Do you mean the authentication dialog? NTLM
>>> SSP negotiates user password hashes on the fly. There's no need for a dialog.
>>> 
>>> Not sure why you would want the dialog to come up but just in case, you can get it
>>> to come up if you send "401 Unauthorized / WWW-Authenticate: NTLM" again *after you
>>> have already negotiated password hashes once*. But you'll have to read about how
>>> NTLM HTTP Authentication actually works before you get that far. Read the end of this:
>>> http://jcifs.samba.org/src/docs/ntlmhttpauth.html for starters.
>>> 
>>>> -----Original Message-----
>>>> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
>>>> Sent:    Wednesday, October 16, 2002 8:21 AM
>>>> To:    Allen, Michael B (RSCH); jcifs at lists.samba.org
>>>> Subject:    Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
>>>> 
>>>> Mike,
>>>> 
>>>> Thanks! RSN? I did try to adapt it, but it does not bring up the NTLM
>>>> challenge box. It returns null and then, after refreshing, brings back the
>>>> credentials. But I need the pop-up. Here is my code.
>>>> 
>>>> Thanks,
>>>> 
>>>> 
>>>> Mike
>>>> 
>>>> 
>>>> import java.io.IOException;
>>>> import java.io.PrintWriter;
>>>> 
>>>> import javax.servlet.ServletContext;
>>>> import javax.servlet.ServletException;
>>>> import javax.servlet.http.HttpServlet;
>>>> import javax.servlet.http.HttpServletRequest;
>>>> import javax.servlet.http.HttpServletResponse;
>>>> import javax.servlet.http.HttpSession;
>>>> import jcifs.UniAddress;
>>>> import jcifs.netbios.NbtAddress;
>>>> import jcifs.smb.SmbSession;
>>>> import jcifs.util.Base64;
>>>> import jcifs.http.NtlmHttpSession;
>>>> 
>>>> public class jcifstest extends HttpServlet {
>>>> 
>>>>     public void doPost(
>>>>         javax.servlet.http.HttpServletRequest request,
>>>>         javax.servlet.http.HttpServletResponse response)
>>>>         throws javax.servlet.ServletException, java.io.IOException {
>>>> 
>>>>         PrintWriter out = response.getWriter();
>>>>         ServletContext context = getServletContext();
>>>>         String domainController = "192.168.1.102";
>>>>         String domain = "HOMEDOM";
>>>>         boolean debug = true;
>>>>         HttpServletRequest req;
>>>>         HttpServletResponse resp;
>>>>         HttpSession ssn;
>>>>         NtlmHttpSession ntlm;
>>>>         String msg;
>>>>         byte[] src;
>>>> 
>>>>         try {
>>>>             req = (HttpServletRequest) request;
>>>>             resp = (HttpServletResponse) response;
>>>> 
>>>>             ssn = req.getSession(); /* Retrieve the NTLM session */
>>>>             ntlm = (NtlmHttpSession) ssn.getAttribute("NtlmHttpSession");
>>>>             msg = req.getHeader("Authorization");
>>>> 
>>>>             if (msg == null || msg.startsWith("NTLM ") == false) {
>>>>                 resp.reset();
>>>>                 resp.setContentLength(0);
>>>>                 resp.setHeader("WWW-Authenticate", "NTLM");
>>>>                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>>>>                 resp.flushBuffer();
>>>>                 return;
>>>>             }
>>>> 
>>>>             src = Base64.decode(msg.substring(5));
>>>> 
>>>>             if (src[8] == 1) {
>>>>                 String svr;
>>>>                 byte[] dst = new byte[40];
>>>> 
>>>>                 ntlm = new NtlmHttpSession();
>>>>                 /* Message 1
>>>>                  */
>>>>                 ntlm.decodeType1Message(src);
>>>>                 ssn.setAttribute("ntlmworkgroup", ntlm.domain);
>>>> 
>>>>                 /* If a "Domain Controller" IP was not specified try and lookup
>>>>                  * a real domain controller using jcifs.smb.client.domain
>>>>                  */
>>>>                 if ((svr = domainController) == null) {
>>>>                     svr = domain != null ? domain : ntlm.domain;
>>>>                     svr = NbtAddress.getByName(svr, 0x1c, null).getHostAddress();
>>>>                 }
>>>> 
>>>>                 ntlm.domainController = UniAddress.getByName(svr);
>>>>                 ntlm.challenge = SmbSession.getChallenge(ntlm.domainController);
>>>> 
>>>>                 /* Message 2
>>>>                  */
>>>>                 msg = Base64.encodeBytes(dst, 0, ntlm.encodeType2Message(dst));
>>>> 
>>>>                 /* Save NTLM session in HTTP session
>>>>                  */
>>>>                 ssn.setAttribute("NtlmHttpSession", ntlm);
>>>> 
>>>>                 resp.reset();
>>>>                 resp.setContentLength(0);
>>>>                 resp.setHeader("WWW-Authenticate", "NTLM " + msg);
>>>>                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>>>>                 resp.flushBuffer();
>>>>                 return;
>>>>             } else if (src[8] == 3) {
>>>>                 /* Message 3 */
>>>>                 ntlm.decodeType3Message(Base64.decode(msg.substring(5)));
>>>>             } else {
>>>>                 throw new ServletException("NTLM HTTP Authentication message invalid");
>>>>             }
>>>> 
>>>>             SmbSession.logon(ntlm.domainController, ntlm.auth);
>>>> 
>>>>             ssn.setAttribute("ntlmdomain", ntlm.domain);
>>>>             ssn.setAttribute("ntlmuser", ntlm.user);
>>>>             ssn.setAttribute("ntlmhost", ntlm.host);
>>>> 
>>>>             if (debug) {
>>>>                 context.log(
>>>>                     "NTLM HTTP Authentication successful: "
>>>>                         + ntlm.domain
>>>>                         + "\\"
>>>>                         + ntlm.user
>>>>                         + "@"
>>>>                         + ntlm.host);
>>>>             }
>>>>             out.print("ntdomain: " + ssn.getAttribute("ntlmdomain"));
>>>>         } catch (Exception e) {
>>>>             out.print("An Error has occurred: " + e.getMessage());
>>>>         }
>>>> 
>>>>     }
>>>> 
>>>>     public void doGet(
>>>>         javax.servlet.http.HttpServletRequest request,
>>>>         javax.servlet.http.HttpServletResponse response)
>>>>         throws javax.servlet.ServletException, java.io.IOException {
>>>>         doPost(request, response);
>>>>     }
>>>> 
>>>> }
>>>> 
>>>> On 10/15/02 9:55 PM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com>
>>>> wrote:
>>>> 
>>>>> The code is pretty simple. I don't think it would be hard to adapt it. Actually
>>>>> the current code is somewhat flawed and more complicated than it needs to
>>>>> be. The 0.7.0b4 package will be released RSN. Look at that.
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
>>>>>> Sent:    Tuesday, October 15, 2002 9:53 PM
>>>>>> To:    jcifs at lists.samba.org
>>>>>> Subject:    [jcifs] Alternative to jcifs.http.NtlmHttpFilter
>>>>>> 
>>>>>> Help! I need the functionality of the NtlmHttpFilter but I am stuck with a
>>>>>> 2.2 Servlet spec app server (WebSphere). Has anyone replicated the
>>>>>> functionality of the NtlmHttpFilter in a servlet?
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> Mike
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>  
>>  << File: NtlmServlet.java >>
> 
> 
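The servlet quoted in this thread decides between NTLM Message 1 and Message 3 by reading `src[8]` of the Base64-decoded `Authorization` header, without checking the length or the `NTLMSSP` signature first. The following is an added example, not code from the thread or from jCIFS, of a stricter classifier a servlet could run before that dispatch; the class name `NtlmHeaderCheck`, the method `classify` and the sample headers are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Added example: classify an NTLM "Authorization" header before dispatching on it. */
public class NtlmHeaderCheck {

    // Every NTLMSSP message starts with this 8-byte signature, followed by a
    // little-endian 32-bit message type (1 = negotiate, 2 = challenge, 3 = authenticate).
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final String SCHEME = "NTLM ";

    /** Returns 1 or 3 for a well-formed client message, 0 if there is no NTLM header, -1 if malformed. */
    static int classify(String authorization) {
        if (authorization == null
                || !authorization.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return 0; // caller answers 401 with "WWW-Authenticate: NTLM"
        }
        byte[] src;
        try {
            src = Base64.getDecoder().decode(authorization.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return -1; // not valid Base64
        }
        // Reject anything too short to hold signature + type, or with a wrong signature.
        if (src.length < 12 || !Arrays.equals(Arrays.copyOf(src, 8), SIGNATURE)) {
            return -1;
        }
        int type = (src[8] & 0xff) | ((src[9] & 0xff) << 8)
                 | ((src[10] & 0xff) << 16) | ((src[11] & 0xff) << 24);
        // A client may only send type 1 or type 3; type 2 is the server's challenge.
        return (type == 1 || type == 3) ? type : -1;
    }

    /** Builds a constructed sample header: signature, type, and zeroed remaining bytes. */
    private static String header(int type) {
        byte[] m = Arrays.copyOf(SIGNATURE, 16);
        m[8] = (byte) type;
        return SCHEME + Base64.getEncoder().encodeToString(m);
    }

    public static void main(String[] args) {
        // Constructed inputs: absent header, other scheme, bad Base64,
        // signature only (too short), server-only type 2, then valid types 1 and 3.
        String[] samples = { null, "Basic dXNlcjpwdw==", "NTLM !!!", "NTLM TlRMTVNTUAA=",
                             header(2), header(1), header(3) };
        for (String s : samples) {
            System.out.println(classify(s) + "  <- " + s);
        }
    }
}
```

A result of 3 only says the header is shaped like Message 3; the servlet must still find the `NtlmHttpSession` it stored for that HTTP session during the Message 1 exchange before validating the response against the domain controller.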



