[jcifs] Tomcat NTLM

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Fri Sep 20 11:01:56 EST 2002


> -----Original Message-----
> From:	Pugsley, Jason [SMTP:Jason.Pugsley at team.telstra.com]
> Sent:	Thursday, September 19, 2002 8:03 PM
> To:	'Michael B. Allen'; Scott, James (JA)
> Cc:	jcifs at samba.org
> Subject:	RE: [jcifs] Tomcat NTLM
> 
> Having authentication handled by the servlet container is in my opinion
> superior. Tomcat (and other servlet engines) can manage authentication,
> single sign-on and role management without your servlet ever needing to know
> about it. Servlet filters can also hide some of the complexity, but I don't
> think it is the most elegant solution.
> 
> I had to create a modified version of catalina.jar so that Tomcat would
> recognise NTLM as an authentication method, along with BASIC, Digest etc.
> The code changes are trivial (with hindsight of course) and only involve 3
> files.
> 
> I have some reservations with the current version of jcifs. My own
> experience as well as some of Michael's posts lead me to believe that there
> may be problems with cached logons/connections between jcifs and the domain
> controller.
> 
	Just to clarify; the Filter and NetworkExplorer functions should work flawlessly by
	themselves. There are no caching issues. However when used together it simply
	does not work for reasons discussed several times on this list. To resolve this issue
	will require significant changes to the code so the interface may indeed change.
	The 0.7 series is still beta for largely this reason (and the SmbURL problem).

	Regarding the larger issue, I will not be maintaining patches to servlet containers.
	My objective will be to provide an open ended interface that permits such changes to
	be made effectively and easily and to provide a canned solution that Just Works (the
	NtlmHttpFilter).

> Having said all that, it's still a beautiful thing to have working. The
> Apache people recently released a new stable version 4.1.10 of Tomcat and
> with the usual changes everything works. I don't claim to fully understand
> the inner workings of tomcat any more than I understand the insides of jcifs
> so the work I've done may well contain bugs. The last time I contacted the
> tomcat developers list, there wasn't a lot of interest shown. This may just
> be because none of them work in Windows based intranets.
> 
> The work needed to "patch" tomcat can probably be applied to any servlet
> engine. I did Jetty and Resin just for fun :)  Having the owners of the
> servlet engines integrate the code would be far better, but I think we
> should wait until Michael is comfortable that the code works well and can
> "freeze" the interface before proposing that. Keep in mind that NTLM
> authentication is not part of the Servlet Specification. Of course that
> doesn't stop us petitioning the engine developers to include it :)
> 
> Jason.
> 
> -----Original Message-----
> From: Michael B. Allen [mailto:miallen at eskimo.com]
> Sent: Friday, 20 September 2002 4:56 AM
> To: Scott, James (JA)
> Cc: jcifs at samba.org
> Subject: Re: [jcifs] Tomcat NTLM
> 
> 
> You're waaaaaay out of date.
> 
> That post was about Jason's original instructions. Did you know that we
> have since created a Filter to do NTLM Auth? Please look at the relevant
> news bullets on our homepage and read the latest NTLM document:
> 
>   http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> 
> 
> 
> On Thu, 19 Sep 2002 11:56:12 -0500
> "Scott, James (JA)" <JAScott3 at dow.com> wrote:
> 
> > In response to:
> > http://lists.samba.org/pipermail/jcifs/2002-May/002185.html
> > ------
> > I have successfully gotten the NTLM authentication to work from within my
> > code .. Very Sweet! .. Thanks a lot for having taken the time to write that
> > and share it.
> > 
> > I have a question regarding the above posting.  I am now trying to make NTLM
> > the default auth for my web app (I am using Tomcat) and I have not been
> > successful in getting it to work as such.  In that posting it was stated
> > that 
> > 	-----------
> > 	Copy the supplied  jcifs-0.6.3.jar to
> > 	$CATALINA_HOME/server/lib
> > 
> > 	Overwrite the existing  catalina.jar  in $CATALINA_HOME/server/lib
> > 	with the supplied one.
> > 	-----------
> > I am wondering, in order to make this work with Tomcat do I have to have
> > your version of the Catalina.jar ?.. was it altered in some way?
> > 
> > I altered my web.xml file to contain the login-config information as you
> > specified.  I also altered the tomcat-users.xml file to be set up as per your
> > instructions, however, my request.getRemoteUser() is still null.
> > 
> > Any help would be greatly appreciated.
> > 
> > Thanks,
> > Jim
> > 
> 
> 
> -- 
> A  program should be written to model the concepts of the task it
> performs rather than the physical world or a process because this
> maximizes  the  potential  for it to be applied to tasks that are
> conceptually  similar and more importantly to tasks that have not
> yet been conceived. 



