[jcifs] Alternative to jcifs.http.NtlmHttpFilter

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Wed Oct 23 11:11:00 EST 2002


Ahh, I see, your clients are not members of an nt domain so you will get the dialog
without modification. Interesting. That's good.

> -----Original Message-----
> From:	Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> Sent:	Tuesday, October 22, 2002 9:00 PM
> To:	Allen, Michael B (RSCH); Eric Glass
> Cc:	jcifs at lists.samba.org
> Subject:	Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> 
> Mike,
> 
> Yes, the pop-up appears on Macs at least. No modification. I don't have a
> windows PC that does not not use microsoft networking. I will check the
> authentication as you suggest.
> 
> Mike
> 
> On 10/22/02 8:17 PM, "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com>
> wrote:
> 
> > The pop-up appeared? So you modified it to send the additional 401
> > Unauthorized
> > / WWW-Authenticate: NTLM? Make sure it's really authenticating OK by
> > retrieving
> > the NtlmPasswordAuthentication object like:
> > 
> > NtlmPasswordAuthentication ntlm =
> >   (NtlmPasswordAuthentication)req.getSession().getAttribute( "NtlmHttpAuth" );
> > 
> > That will also give you access to the username and domain.
> > 
> >> -----Original Message-----
> >> From:    Michael Piscatello [SMTP:mpiscatello at directvinternet.com]
> >> Sent:    Tuesday, October 22, 2002 8:01 PM
> >> To:    Eric Glass
> >> Cc:    jcifs at lists.samba.org
> >> Subject:    Re: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> >> 
> >> Eric, Mike,
> >> 
> >> I tested the servlet against unauthenticated clients and the pop-up
> >> appeared, took the credentials, and authenticated the user! This testing was
> >> done in a WAS 4.0.2 environment with both PC and Mac clients using IE.
> >> 
> >> Mike
> >> 
> >> On 10/22/02 7:57 PM, "Eric Glass" <eglass1 at attbi.com> wrote:
> >> 
> >>> On Tue, 2002-10-22 at 19:17, Allen, Michael B (RSCH) wrote:
> >>>> 
> >>>> 
> >>>>> -----Original Message-----
> >>>>> From:    eglass1 at attbi.com [SMTP:eglass1 at attbi.com]
> >>>>> Sent:    Tuesday, October 22, 2002 3:30 AM
> >>>>> To:    Allen, Michael B (RSCH)
> >>>>> Cc:    'Michael Piscatello'; jcifs at lists.samba.org
> >>>>> Subject:    RE: [jcifs] Alternative to jcifs.http.NtlmHttpFilter
> >>>>> 
> >>>>> I thought about this as well -- one thing that might be
> >>>>> useful would be to include the HttpServletRequestWrapper
> >>>>> in the filter (to provide getPrincipal(), getRemoteUser
> >>>>> (), etc.),
> >>>>> 
> >>>> Not sure what you mean by this. Do you mean include the
> >>>> HttpServletRequestWrapper class with the jCIFS package?
> >>>> 
> >>> 
> >>> I just meant a wrapper subclass to provide the principal -- I see this
> >>> made it into 0.7.0b5 as "NtlmHttpServletRequest".
> >>> 
> >>>>>  but then set the "NtlmHttpFilter" session
> >>>>> flag to the principal name (i.e., 'DOMAIN\user') instead
> >>>>> of just the string "1".  That way, it provides a quick
> >>>>> and dirty means of obtaining that information under 2.2-.
> >>>>> 
> >>>> Actually I did change the attribute name to NtlmHttpAuth
> >>>> and I put the NtlmPasswordAuthentication object in the
> >>>> session instead of "1". I realize this was the sort of thing
> >>>> that got me in trouble the last time but take a look. I think
> >>>> you'll agree it should work just fine.
> >>> 
> >>> Yes, I think that most of the issues stemmed from having the negotiation
> >>> rely on the session; with the new stuff, the worst case (if the client
> >>> can't accept the session) is just that the authentication gets
> >>> renegotiated each time.  This shouldn't be an issue, since no state is
> >>> maintained during the authentication.
> >>> 
> >>>> retrive that. It now implements java.security.Principal so I
> >>>> need to put that in the session so I can pass it to the
> >>>> NtlmHttpServletRequest (a.k.a your NtlmRequest). Doing
> >>>> this avoids performing NTLM SSP with each and every
> >>>> request which is noticably slower and provides the
> >>>> getRemoteUser functionality at the same time.
> >>>> 
> >>> 
> >>> I liked your take on having NtlmPasswordAuthentication implement
> >>> Principal, by the way -- I thought that was clever.  I haven't had a
> >>> chance to do any real testing yet, but from what I've seen so far it
> >>> looks great.
> >>> 
> >>> Eric
> >>> 
> >>> 
> >> 
> > 
> > 
> 




More information about the jcifs mailing list