[jcifs] NTLM authenticating in Java

eglass1 at attbi.com
Tue Apr 8 20:24:58 EST 2003


> Hello,
> 
> It seems that the next version of Java, currently in beta release, is adding 
> some support for NTLM - albeit on Windows platforms only. From what I've been 
> able to find, this may be intended for clients (applets) on Windows boxes trying 
> to get out through Microsoft proxy servers and they need to use NTLM 
> authentication. It would appear to fill a need along the lines of the Apache 
> Commons HttpClient code.
> 

Yes, it seems to be similar to the HttpClient stuff.  I'd be interested to see
how they implemented this; since this is Windows-only they are probably taking
a similar approach to the Mozilla patch (using the native Win32 APIs).  However,
the documentation indicates the Windows restriction is due to licensing, which
could imply that they did it in pure Java.

> It might be worth watching in case it develops into something interesting. There 
> may eventually be APIs that jCIFS could adhere to.
> 

Since it appears to be just the client side, it probably doesn't have a huge
impact on jCIFS.  Although for the sake of people implementing HTTP NTLM
clients (such as HttpClient), it might be helpful to make the getPreNTLMResponse
and getNTLMResponse methods of NtlmPasswordAuthentication public.  If someone
wanted to make a client using jCIFS, this would enable them to create the
LanManager and NTLM responses for the Type-2 message.

Incidentally, writing a COMPLETE and correct NTLM client (capable of connecting
successfully to all servers) is highly non-trivial.  HttpClient currently
operates in "Win9x mode", in that it sends only the LanManager response.  Win2K
boxes send the NTLM response as well; this doesn't even get into negotiating
NTLMv2, let alone Kerberos via the "Negotiate" auth method.  A very interesting
article discussing all the various mutations can be found here:

    http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7072

In the overwhelming majority of scenarios, however, the simple LanManager-only
response will work just fine.

> 
> I read this list often but rarely write in - I'd just like to say to the
> developers thanks for all of your effort, it's very much appreciated.
> 
> 

Thanks to you as well -- if I remember correctly, you got the whole
NTLM-using-jCIFS thing going in the first place.

Eric
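
Added example, not part of the original message and not code from jCIFS or HttpClient: a Python check that reads the Type-3 message from an HTTP "Authorization: NTLM" header value and reports whether the client sent only the LanManager response, both the LanManager and NTLM responses, or an NTLMv2 response. The function names and sample messages are constructed for illustration, and the classification assumes the standard field layout and goes by response length only (24 bytes for LM and NTLM, longer for NTLMv2).

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def _secbuf(msg, pos):
    """Read a security buffer (length, allocated, offset) and return its bytes."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify_type3(header_value):
    """Classify the responses in an 'NTLM <base64>' Authorization header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 52 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type-3 message")
    # LM response buffer is at offset 12, NT response buffer at offset 20.
    lm, nt = _secbuf(msg, 12), _secbuf(msg, 20)
    if len(nt) > 24:
        return "NTLMv2"
    if len(nt) == 24:
        return "LM+NTLM" if len(lm) == 24 else "NTLM only"
    if len(lm) == 24:
        return "LM only"          # the "Win9x mode" described above
    return "unknown"

def build_sample(lm_len, nt_len):
    """Constructed Type-3 message with filler response bytes (not real hashes)."""
    # Field order: LM response, NT response, domain, user, workstation.
    fields = [b"\xaa" * lm_len, b"\xbb" * nt_len, b"", b"", b""]
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 52
    for data in fields:
        header += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")

if __name__ == "__main__":
    for lm_len, nt_len in [(24, 0), (24, 24), (24, 60)]:
        print(lm_len, nt_len, classify_type3(build_sample(lm_len, nt_len)))
```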

