[jcifs] Alternative to jcifs.http.NtlmHttpFilter

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Tue Oct 22 12:25:55 EST 2002


> -----Original Message-----
> From:	Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> Sent:	Monday, October 21, 2002 8:35 PM
> To:	jcifs at lists.samba.org
> Subject:	Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> 
> Mike,
> 
> I created a servlet that uses Eric's Ntlmservlet with no problem. I did not
> get a chance to test it from a PC that was not already authenticated. From a
> PC that was already logged into the domain, the servlet checked everything
> against the DC just like it should. I wish I was more familiar with the
> jcifs API so I could have put something in my servlet that would print out
> the credentials that were verified. More testing tomorrow.
> 
	Unfortunately it does not look like the HttpServletRequestWrapper was introduced
	until 2.3. I suppose I will have to put that info in the session. I'm preparing a 0.7.0b5
	package and added Eric's servlet. Maybe you can give it a whirl tomorrow. I'm sure
	you would rather use the stock implementation anyway.

> Mike
> 
> On 10/21/02 3:41 AM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com>
> wrote:
> 
> > Michael,
> > 
> > Please let us know how this works for you in a pre-2.3 Servlet environment.
> > 
> > Eric,
> > 
> > Depending on Michael's experience and with your permission I would like to
> > insert the standard LGPL disclaimer and include this in the distro. Okay?
> > 
> >> -----Original Message-----
> >> From:    Glass, Eric [SMTP:eric.glass at capitalone.com]
> >> Sent:    Thursday, October 17, 2002 5:00 AM
> >> To:    jcifs at lists.samba.org
> >> Cc:    'melbaird at hotmail.com'; 'Allen, Michael B (RSCH)'; 'Michael Piscatello'
> >> Subject:    RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> >> 
> >> Attached is a servlet which uses the 0.7.0b4 NTLM stuff to do authentication
> >> -- this should work in pre-2.3 Servlet environments.  It only overrides the
> >> "service" method, so if you are just implementing doGet, doPost, etc. it
> >> should be a drop in replacement for HttpServlet;  i.e., you can just change:
> >> 
> >> public class MyServlet extends HttpServlet
> >> 
> >>     to:
> >> 
> >> public class MyServlet extends NtlmServlet
> >> 
> >> and be up and going.  You would set all the jcifs.* parameters (domain
> >> controller, etc.) via the servlet's initparameters (similar to the filter
> >> configuration in 2.3+ environments).
> >> 
> >> See also the notes just posted to the list regarding 0.7.0b4.  If you don't
> >> subscribe to the list the message in question is here:
> >> http://lists.samba.org/pipermail/jcifs/2002-October/002693.html
> >> 
> >>> -----Original Message-----
> >>> From: Allen, Michael B (RSCH) [mailto:Michael_B_Allen at ml.com]
> >>> Sent: Thursday, October 17, 2002 1:27 AM
> >>> To: 'Michael Piscatello'; jcifs at lists.samba.org
> >>> Subject: RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> >>> 
> >>> 
> >>> I just noticed you said "pop-up". Do you mean the authentication dialog? NTLM
> >>> SSP negotiates user password hashes on the fly. There's no need for a dialog.
> >>> 
> >>> Not sure why you would want the dialog to come up but just in case, you can get it
> >>> to come up if you send "401 Unauthorized / WWW-Authenticate: NTLM" again *after you
> >>> have already negotiated password hashes once*. But you'll have to read about how
> >>> NTLM HTTP Authentication actually works before you get that far. Read the end of this:
> >>> http://jcifs.samba.org/src/docs/ntlmhttpauth.html for starters.
> >>> 
> >>>> -----Original Message-----
> >>>> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> >>>> Sent:    Wednesday, October 16, 2002 8:21 AM
> >>>> To:    Allen, Michael B (RSCH); jcifs at lists.samba.org
> >>>> Subject:    Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> >>>> 
> >>>> Mike,
> >>>> 
> >>>> Thanks! RSN? I did try to adapt it, but it does not bring up the NTLM
> >>>> challenge box. It returns null and then, after refreshing, brings back the
> >>>> credentials. But I need the pop-up. Here is my code.
> >>>> 
> >>>> Thanks,
> >>>> 
> >>>> 
> >>>> Mike
> >>>> 
> >>>> 
> >>>> import java.io.IOException;
> >>>> import java.io.PrintWriter;
> >>>> 
> >>>> import javax.servlet.ServletContext;
> >>>> import javax.servlet.ServletException;
> >>>> import javax.servlet.http.HttpServlet;
> >>>> import javax.servlet.http.HttpServletRequest;
> >>>> import javax.servlet.http.HttpServletResponse;
> >>>> import javax.servlet.http.HttpSession;
> >>>> import jcifs.UniAddress;
> >>>> import jcifs.netbios.NbtAddress;
> >>>> import jcifs.smb.SmbSession;
> >>>> import jcifs.util.Base64;
> >>>> import jcifs.http.NtlmHttpSession;
> >>>> 
> >>>> public class jcifstest extends HttpServlet {
> >>>> 
> >>>>     public void doPost(
> >>>>         javax.servlet.http.HttpServletRequest request,
> >>>>         javax.servlet.http.HttpServletResponse response)
> >>>>         throws javax.servlet.ServletException, java.io.IOException {
> >>>> 
> >>>>         PrintWriter out = response.getWriter();
> >>>>         ServletContext context = getServletContext();
> >>>>         String domainController = "192.168.1.102";
> >>>>         String domain = "HOMEDOM";
> >>>>         boolean debug = true;
> >>>>         HttpServletRequest req;
> >>>>         HttpServletResponse resp;
> >>>>         HttpSession ssn;
> >>>>         NtlmHttpSession ntlm;
> >>>>         String msg;
> >>>>         byte[] src;
> >>>> 
> >>>>         try {
> >>>>             req = (HttpServletRequest) request;
> >>>>             resp = (HttpServletResponse) response;
> >>>> 
> >>>>             ssn = req.getSession(); /* Retrieve the NTLM session */
> >>>>             ntlm = (NtlmHttpSession) ssn.getAttribute("NtlmHttpSession");
> >>>>             msg = req.getHeader("Authorization");
> >>>> 
> >>>>             if (msg == null || msg.startsWith("NTLM ") == false) {
> >>>>                 resp.reset();
> >>>>                 resp.setContentLength(0);
> >>>>                 resp.setHeader("WWW-Authenticate", "NTLM");
> >>>>                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> >>>>                 resp.flushBuffer();
> >>>>                 return;
> >>>>             }
> >>>> 
> >>>>             src = Base64.decode(msg.substring(5));
> >>>> 
> >>>>             if (src[8] == 1) {
> >>>>                 String svr;
> >>>>                 byte[] dst = new byte[40];
> >>>> 
> >>>>                 ntlm = new NtlmHttpSession();
> >>>>                 /* Message 1
> >>>>                  */
> >>>>                 ntlm.decodeType1Message(src);
> >>>>                 ssn.setAttribute("ntlmworkgroup", ntlm.domain);
> >>>> 
> >>>>                 /* If a "Domain Controller" IP was not specified try and lookup
> >>>>                  * a real domain controller using jcifs.smb.client.domain
> >>>>                  */
> >>>>                 if ((svr = domainController) == null) {
> >>>>                     svr = domain != null ? domain : ntlm.domain;
> >>>>                     svr = NbtAddress.getByName(svr, 0x1c, null).getHostAddress();
> >>>>                 }
> >>>> 
> >>>>                 ntlm.domainController = UniAddress.getByName(svr);
> >>>>                 ntlm.challenge = SmbSession.getChallenge(ntlm.domainController);
> >>>> 
> >>>>                 /* Message 2
> >>>>                  */
> >>>>                 msg = Base64.encodeBytes(dst, 0, ntlm.encodeType2Message(dst));
> >>>> 
> >>>>                 /* Save NTLM session in HTTP session
> >>>>                  */
> >>>>                 ssn.setAttribute("NtlmHttpSession", ntlm);
> >>>> 
> >>>>                 resp.reset();
> >>>>                 resp.setContentLength(0);
> >>>>                 resp.setHeader("WWW-Authenticate", "NTLM " + msg);
> >>>>                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> >>>>                 resp.flushBuffer();
> >>>>                 return;
> >>>>             } else
> >>>>                 if (src[8] == 3) { /* Message 3 */
> >>>>                     ntlm.decodeType3Message(Base64.decode(msg.substring(5)));
> >>>>                 } else {
> >>>>                     throw new ServletException("NTLM HTTP Authentication message invalid");
> >>>>                 }
> >>>> 
> >>>>             SmbSession.logon(ntlm.domainController, ntlm.auth);
> >>>> 
> >>>>             ssn.setAttribute("ntlmdomain", ntlm.domain);
> >>>>             ssn.setAttribute("ntlmuser", ntlm.user);
> >>>>             ssn.setAttribute("ntlmhost", ntlm.host);
> >>>> 
> >>>>             if (debug) {
> >>>>                 context.log(
> >>>>                     "NTLM HTTP Autentication successfull: "
> >>>>                         + ntlm.domain
> >>>>                         + "\\"
> >>>>                         + ntlm.user
> >>>>                         + "@"
> >>>>                         + ntlm.host);
> >>>>             }
> >>>>             out.print("ntdomain: " + ssn.getAttribute("ntlmdomain"));
> >>>>         } catch (Exception e) {
> >>>>             out.print("An Error has occured: " + e.getMessage());
> >>>>         }
> >>>> 
> >>>>     }
> >>>> 
> >>>>     public void doGet(
> >>>>         javax.servlet.http.HttpServletRequest request,
> >>>>         javax.servlet.http.HttpServletResponse response)
> >>>>         throws javax.servlet.ServletException, java.io.IOException {
> >>>>         doPost(request, response);
> >>>>     }
> >>>> 
> >>>> }
> >>>> 
> >>>> On 10/15/02 9:55 PM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> wrote:
> >>>> 
> >>>>> The code is pretty simple. I don't think it would be hard to adapt it. Actually
> >>>>> the current code is somewhat flawed and more complicated than it needs to
> >>>>> be. The 0.7.0b4 package will be released RSN. Look at that.
> >>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> >>>>>> Sent:    Tuesday, October 15, 2002 9:53 PM
> >>>>>> To:    jcifs at lists.samba.org
> >>>>>> Subject:    [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> >>>>>> 
> >>>>>> Help! I need the functionality of the NtlmHttpFilter but I am stuck with a
> >>>>>> 2.2 Servlet spec app server (Websphere). Has anyone replicated the
> >>>>>> functionality of the NtlmHttpFilter in a servlet?
> >>>>>> 
> >>>>>> Thanks
> >>>>>> 
> >>>>>> Mike
> >>>>>> 
> >>>>> 
> >>>>> 
> >>>> 
> >>> 
> >>  
> >>  << File: NtlmServlet.java >>
> > 
> > 
> 
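
The servlet quoted above branches on `src[8]` straight after Base64-decoding the `Authorization` header. As an added example (not part of the thread or of jCIFS; `NtlmHeaderCheck` and `messageType` are hypothetical names, and it uses `java.util.Base64` from Java 8+ rather than `jcifs.util.Base64`), this checks the length, the `NTLMSSP` signature and the type field before a servlet acts on the message:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example (hypothetical class): classify an NTLM Authorization header. */
public class NtlmHeaderCheck {

    // Every NTLMSSP message starts with this 8-byte signature,
    // followed by a 4-byte little-endian message type at offset 8.
    private static final byte[] SIGNATURE =
            "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** 1, 2 or 3 for a well-formed message; 0 if not NTLM; -1 if malformed. */
    public static int messageType(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) {
            return 0; // caller answers 401 with "WWW-Authenticate: NTLM"
        }
        byte[] src;
        try {
            src = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return -1; // token is not valid Base64
        }
        if (src.length < 12) {
            return -1; // too short for signature + type; src[8] would be out of bounds
        }
        for (int i = 0; i < SIGNATURE.length; i++) {
            if (src[i] != SIGNATURE[i]) {
                return -1; // not an NTLMSSP message
            }
        }
        int type = (src[8] & 0xff) | (src[9] & 0xff) << 8
                 | (src[10] & 0xff) << 16 | (src[11] & 0xff) << 24;
        return (type >= 1 && type <= 3) ? type : -1;
    }

    public static void main(String[] args) {
        // Constructed sample: minimal Type 1 message (signature, type 1, zero flags).
        byte[] type1 = new byte[16];
        System.arraycopy(SIGNATURE, 0, type1, 0, SIGNATURE.length);
        type1[8] = 1;
        String header = "NTLM " + Base64.getEncoder().encodeToString(type1);

        System.out.println(messageType(null));                 // header absent
        System.out.println(messageType(header));               // constructed Type 1
        System.out.println(messageType("NTLM AAAA"));          // truncated token
        System.out.println(messageType("Basic dXNlcjpwYXNz")); // different scheme
    }
}
```

A servlet that gets `3` back still has to confirm that the session holds the state saved while handling the Type 1 message before decoding the Type 3 message against it.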



