[jcifs] Alternative to jcifs.http.NtlmHttpFilter

eglass1 at attbi.com eglass1 at attbi.com
Tue Oct 22 17:29:38 EST 2002


I thought about this as well -- one thing that might be 
useful would be to include the HttpServletRequestWrapper 
in the filter (to provide getPrincipal(), getRemoteUser(), 
etc.), but then set the "NtlmHttpFilter" session 
flag to the principal name (i.e., 'DOMAIN\user') instead 
of just the string "1".  That way, it provides a quick 
and dirty means of obtaining that information under 2.2-.

Also, it might be clearer to use a more "generic" 
attribute name ("NtlmUser" or something) since I used 
the same attribute for the servlet; that way, if you use 
both the servlet and the filter in a post-2.3 
environment, the authentication can interoperate.  On a 
more pedantic note, the servlet spec recommends that 
attribute names use the "jcifs.http..." convention for 
naming (to avoid collisions).

Eric
> 
> 
> > -----Original Message-----
> > From:	Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> > Sent:	Monday, October 21, 2002 8:35 PM
> > To:	jcifs at lists.samba.org
> > Subject:	Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> > 
> > Mike,
> > 
> > I created a servlet that uses Eric's Ntlmservlet with no problem. I did not
> > get a chance to test it from a PC that was not already authenticated. From a
> > PC that was already logged into the domain, the servlet checked everything
> > against the DC just like it should. I wish I was more familiar with the
> > jcifs API so I could have put something in my servlet that would print out
> > the credentials that were verified. More testing tomorrow.
> > 
> 	Unfortunately it does not look like the HttpServletRequestWrapper was introduced
> 	until 2.3. I suppose I will have to put that info in the session. I'm preparing a 0.7.0b5
> 	package and added Eric's servlet. Maybe you can give it a whirl tomorrow. I'm sure
> 	you would rather use the stock implementation anyway.
> 
> > Mike
> > 
> > On 10/21/02 3:41 AM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com>
> > wrote:
> > 
> > > Michael,
> > > 
> > > Please let us know how this works for you in a pre-2.3 Servlet environment.
> > > 
> > > Eric,
> > > 
> > > Depending on Michael's experience and with your permission I would like to
> > > insert the standard LGPL disclaimer and include this in the distro. Okay?
> > > 
> > >> -----Original Message-----
> > >> From:    Glass, Eric [SMTP:eric.glass at capitalone.com]
> > >> Sent:    Thursday, October 17, 2002 5:00 AM
> > >> To:    jcifs at lists.samba.org
> > >> Cc:    'melbaird at hotmail.com'; 'Allen, Michael B (RSCH)'; 'Michael Piscatello'
> > >> Subject:    RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> > >> 
> > >> Attached is a servlet which uses the 0.7.0b4 NTLM stuff to do authentication
> > >> -- this should work in pre-2.3 Servlet environments.  It only overrides the
> > >> "service" method, so if you are just implementing doGet, doPost, etc. it
> > >> should be a drop in replacement for HttpServlet;  i.e., you can just change:
> > >> 
> > >> public class MyServlet extends HttpServlet
> > >> 
> > >>     to:
> > >> 
> > >> public class MyServlet extends NtlmServlet
> > >> 
> > >> and be up and going.  You would set all the jcifs.* parameters (domain
> > >> controller, etc.) via the servlet's initparameters (similar to the filter
> > >> configuration in 2.3+ environments).
> > >> 
> > >> See also the notes just posted to the list regarding 0.7.0b4.  If you don't
> > >> subscribe to the list the message in question is here:
> > >> http://lists.samba.org/pipermail/jcifs/2002-October/002693.html
> > >> 
> > >>> -----Original Message-----
> > >>> From: Allen, Michael B (RSCH) [mailto:Michael_B_Allen at ml.com]
> > >>> Sent: Thursday, October 17, 2002 1:27 AM
> > >>> To: 'Michael Piscatello'; jcifs at lists.samba.org
> > >>> Subject: RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> > >>> 
> > >>> 
> > >>> I just noticed you said "pop-up". Do you mean the authentication dialog? NTLM
> > >>> SSP negotiates user password hashes on the fly. There's no need for a dialog.
> > >>> 
> > >>> Not sure why you would want the dialog to come up but just in case, you can get it
> > >>> to come up if you send "401 Unauthorized / WWW-Authenticate: NTLM" again *after you
> > >>> have already negotiated password hashes once*. But you'll have to read about how
> > >>> NTLM HTTP Authentication actually works before you get that far. Read the end of this:
> > >>> http://jcifs.samba.org/src/docs/ntlmhttpauth.html for starters.
> > >>> 
> > >>>> -----Original Message-----
> > >>>> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> > >>>> Sent:    Wednesday, October 16, 2002 8:21 AM
> > >>>> To:    Allen, Michael B (RSCH); jcifs at lists.samba.org
> > >>>> Subject:    Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> > >>>> 
> > >>>> Mike,
> > >>>> 
> > >>>> Thanks! RSN? I did try to adapt it, but it does not bring up the NTLM
> > >>>> challenge box. It returns null and then, after refreshing, brings back the
> > >>>> credentials, but I need the pop-up. Here is my code.
> > >>>> 
> > >>>> Thanks,
> > >>>> 
> > >>>> 
> > >>>> Mike
> > >>>> 
> > >>>> 
> > >>>> import java.io.IOException;
> > >>>> import java.io.PrintWriter;
> > >>>> 
> > >>>> import javax.servlet.ServletContext;
> > >>>> import javax.servlet.ServletException;
> > >>>> import javax.servlet.http.HttpServlet;
> > >>>> import javax.servlet.http.HttpServletRequest;
> > >>>> import javax.servlet.http.HttpServletResponse;
> > >>>> import javax.servlet.http.HttpSession;
> > >>>> import jcifs.UniAddress;
> > >>>> import jcifs.netbios.NbtAddress;
> > >>>> import jcifs.smb.SmbSession;
> > >>>> import jcifs.util.Base64;
> > >>>> import jcifs.http.NtlmHttpSession;
> > >>>> 
> > >>>> public class jcifstest extends HttpServlet {
> > >>>> 
> > >>>>     public void doPost(
> > >>>>         javax.servlet.http.HttpServletRequest request,
> > >>>>         javax.servlet.http.HttpServletResponse response)
> > >>>>         throws javax.servlet.ServletException, java.io.IOException {
> > >>>> 
> > >>>>         PrintWriter out = response.getWriter();
> > >>>>         ServletContext context = getServletContext();
> > >>>>         String domainController = "192.168.1.102";
> > >>>>         String domain = "HOMEDOM";
> > >>>>         boolean debug = true;
> > >>>>         HttpServletRequest req;
> > >>>>         HttpServletResponse resp;
> > >>>>         HttpSession ssn;
> > >>>>         NtlmHttpSession ntlm;
> > >>>>         String msg;
> > >>>>         byte[] src;
> > >>>> 
> > >>>>         try {
> > >>>>             req = (HttpServletRequest) request;
> > >>>>             resp = (HttpServletResponse) response;
> > >>>> 
> > >>>>             ssn = req.getSession(); /* Retrieve the NTLM session */
> > >>>>             ntlm = (NtlmHttpSession) ssn.getAttribute("NtlmHttpSession");
> > >>>>             msg = req.getHeader("Authorization");
> > >>>> 
> > >>>>             if (msg == null || msg.startsWith("NTLM ") == false) {
> > >>>>                 resp.reset();
> > >>>>                 resp.setContentLength(0);
> > >>>>                 resp.setHeader("WWW-Authenticate", "NTLM");
> > >>>>                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> > >>>>                 resp.flushBuffer();
> > >>>>                 return;
> > >>>>             }
> > >>>> 
> > >>>>             src = Base64.decode(msg.substring(5));
> > >>>> 
> > >>>>             if (src[8] == 1) {
> > >>>>                 String svr;
> > >>>>                 byte[] dst = new byte[40];
> > >>>> 
> > >>>>                 ntlm = new NtlmHttpSession();
> > >>>>                 /* Message 1
> > >>>>                  */
> > >>>>                 ntlm.decodeType1Message(src);
> > >>>>                 ssn.setAttribute("ntlmworkgroup", ntlm.domain);
> > >>>> 
> > >>>>                 /* If a "Domain Controller" IP was not specified try and lookup
> > >>>>                  * a real domain controller using jcifs.smb.client.domain
> > >>>>                  */
> > >>>>                 if ((svr = domainController) == null) {
> > >>>>                     svr = domain != null ? domain : ntlm.domain;
> > >>>>                     svr = NbtAddress.getByName(svr, 0x1c, null).getHostAddress();
> > >>>>                 }
> > >>>> 
> > >>>>                 ntlm.domainController = UniAddress.getByName(svr);
> > >>>>                 ntlm.challenge = SmbSession.getChallenge(ntlm.domainController);
> > >>>> 
> > >>>>                 /* Message 2
> > >>>>                  */
> > >>>>                 msg = Base64.encodeBytes(dst, 0, ntlm.encodeType2Message(dst));
> > >>>> 
> > >>>>                 /* Save NTLM session in HTTP session
> > >>>>                  */
> > >>>>                 ssn.setAttribute("NtlmHttpSession", ntlm);
> > >>>> 
> > >>>>                 resp.reset();
> > >>>>                 resp.setContentLength(0);
> > >>>>                 resp.setHeader("WWW-Authenticate", "NTLM " + msg);
> > >>>>                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> > >>>>                 resp.flushBuffer();
> > >>>>                 return;
> > >>>>             } else if (src[8] == 3) {
> > >>>>                 /* Message 3
> > >>>>                  */
> > >>>>                 ntlm.decodeType3Message(Base64.decode(msg.substring(5)));
> > >>>>             } else {
> > >>>>                 throw new ServletException("NTLM HTTP Authentication message invalid");
> > >>>>             }
> > >>>> 
> > >>>>             SmbSession.logon(ntlm.domainController, ntlm.auth);
> > >>>> 
> > >>>>             ssn.setAttribute("ntlmdomain", ntlm.domain);
> > >>>>             ssn.setAttribute("ntlmuser", ntlm.user);
> > >>>>             ssn.setAttribute("ntlmhost", ntlm.host);
> > >>>> 
> > >>>>             if (debug) {
> > >>>>                 context.log(
> > >>>>                     "NTLM HTTP Autentication successfull: "
> > >>>>                         + ntlm.domain
> > >>>>                         + "\\"
> > >>>>                         + ntlm.user
> > >>>>                         + "@"
> > >>>>                         + ntlm.host);
> > >>>>             }
> > >>>>             out.print("ntdomain: " + ssn.getAttribute("ntlmdomain"));
> > >>>>         } catch (Exception e) {
> > >>>>             out.print("An Error has occured: " + e.getMessage());
> > >>>>         }
> > >>>> 
> > >>>>     }
> > >>>> 
> > >>>>     public void doGet(
> > >>>>         javax.servlet.http.HttpServletRequest request,
> > >>>>         javax.servlet.http.HttpServletResponse response)
> > >>>>         throws javax.servlet.ServletException, java.io.IOException {
> > >>>>         doPost(request, response);
> > >>>>     }
> > >>>> 
> > >>>> }
> > >>>> 
> > >>>> On 10/15/02 9:55 PM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> wrote:
> > >>>> 
> > >>>>> The code is pretty simple. I don't think it would be hard to adapt it. Actually
> > >>>>> the current code is somewhat flawed and more complicated than it needs to
> > >>>>> be. The 0.7.0b4 package will be released RSN. Look at that.
> > >>>>> 
> > >>>>>> -----Original Message-----
> > >>>>>> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> > >>>>>> Sent:    Tuesday, October 15, 2002 9:53 PM
> > >>>>>> To:    jcifs at lists.samba.org
> > >>>>>> Subject:    [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> > >>>>>> 
> > >>>>>> Help! I need the functionality of the NtlmHttpFilter but I am stuck with a
> > >>>>>> 2.2 Servlet spec app server (Websphere). Has anyone replicated the
> > >>>>>> functionality of the NtlmHttpFilter in a servlet?
> > >>>>>> 
> > >>>>>> Thanks
> > >>>>>> 
> > >>>>>> Mike
> > >>>>>> 
> > >>>>> 
> > >>>>> 
> > >>>> 
> > >>> 
> > >>  
> > >>   
> > >>  << File: NtlmServlet.java >>
> > > 
> > > 
> > 
> 
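
The request wrapper and session attribute suggested at the top of this message, as an added example that is not part of the original post or of the jCIFS distribution. It assumes a Servlet 2.3+ container; the class name `NtlmRequestWrapper`, the attribute name `jcifs.http.NtlmUser` and the helper `markAuthenticated` are hypothetical.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Added example, not jCIFS code: expose the NTLM user through the request API. */
public class NtlmRequestWrapper extends HttpServletRequestWrapper {

    /** Hypothetical attribute name following the "jcifs.http..." convention. */
    public static final String USER_ATTR = "jcifs.http.NtlmUser";

    private final Principal principal;

    public NtlmRequestWrapper(HttpServletRequest req) {
        super(req);
        // Never create a session here; only an existing one can carry the user.
        HttpSession ssn = req.getSession(false);
        Object value = (ssn == null) ? null : ssn.getAttribute(USER_ATTR);
        // Accept only a String of the form DOMAIN\user. The old "1" flag, or a
        // value of any other type, is treated as unauthenticated.
        final String name =
                (value instanceof String && ((String) value).indexOf('\\') > 0)
                        ? (String) value : null;
        this.principal = (name == null) ? null : new Principal() {
            public String getName() { return name; }
            public String toString() { return name; }
        };
    }

    /** Call once SmbSession.logon() has succeeded; a 2.2 servlet can read the same attribute. */
    public static void markAuthenticated(HttpSession ssn, String domain, String user) {
        ssn.setAttribute(USER_ATTR, domain + "\\" + user);
    }

    public String getRemoteUser() {
        return (principal == null) ? null : principal.getName();
    }

    public Principal getUserPrincipal() {
        return principal;
    }

    public String getAuthType() {
        return (principal == null) ? null : "NTLM";
    }
}
```

A 2.3+ filter would pass `new NtlmRequestWrapper(req)` down the chain after authentication, while a pre-2.3 servlet reads the `jcifs.http.NtlmUser` session attribute directly, so both see the same identity.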


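The servlet quoted above dispatches on `src[8]` straight after Base64 decoding. The following added example (not code from the thread or from jCIFS) checks the message length, the `NTLMSSP\0` signature and the full 32-bit type field first. It uses `java.util.Base64` instead of `jcifs.util.Base64` so that it runs without jCIFS; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example, not jCIFS code: vet an NTLM Authorization header before acting on it. */
public class NtlmHeaderCheck {

    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Returns 1 or 3 for a well-formed Type 1 / Type 3 message, -1 for anything else. */
    public static int messageType(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) {
            return -1; // caller restarts with 401 and "WWW-Authenticate: NTLM"
        }
        byte[] src;
        try {
            src = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return -1; // not valid Base64
        }
        if (src.length < 12) {
            return -1; // too short to hold the signature and the type field
        }
        for (int i = 0; i < SIGNATURE.length; i++) {
            if (src[i] != SIGNATURE[i]) {
                return -1; // signature bytes do not match
            }
        }
        // The message type is a 32-bit little-endian integer at offset 8.
        int type = (src[8] & 0xff) | ((src[9] & 0xff) << 8)
                 | ((src[10] & 0xff) << 16) | ((src[11] & 0xff) << 24);
        return (type == 1 || type == 3) ? type : -1;
    }

    public static void main(String[] args) {
        // Constructed sample messages (header fields only, not captured traffic).
        byte[] type1 = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0, 0, 0, 0, 0};
        byte[] type3 = type1.clone();
        type3[8] = 3;
        byte[] oddType = type1.clone();
        oddType[9] = 1; // byte 8 is still 1, but the full type field is 0x0101
        Base64.Encoder enc = Base64.getEncoder();
        System.out.println("type1   -> " + messageType("NTLM " + enc.encodeToString(type1)));
        System.out.println("type3   -> " + messageType("NTLM " + enc.encodeToString(type3)));
        System.out.println("oddType -> " + messageType("NTLM " + enc.encodeToString(oddType)));
        System.out.println("short   -> " + messageType("NTLM TlRMTQ=="));
        System.out.println("basic   -> " + messageType("Basic dXNlcjpwdw=="));
    }
}
```

A Type 3 result should still be rejected when the HTTP session holds no `NtlmHttpSession` from a preceding Type 1 exchange, since there is then no server challenge to verify the response against.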
