[jcifs] NTLM HTTP Authentication in combination with Tomcat user-roles...

daniel-jcifs at yipyip.com daniel-jcifs at yipyip.com
Thu Aug 14 08:15:57 EST 2003


I have an intranet web application I've written that has several different
security levels depending on directory.  At the bottom of this e-mail is a
rundown of the structure.
 
I wanted to investigate the possibility of using NTLM HTTP authentication as
a convenience since the app is currently being accessed exclusively by IE
clients.  I started googling and came up with two answers, "j2se1.4.2 has
NTLM built in" and "use jcifs".
I was completely unable to find any relevant information about the new NTLM
features in 1.4.2.  The only concrete information I could find is that the
java plugin now supports it in some manner.
I downloaded the jcifs package and followed the example on the website, and
I was able to replace my current security model with NTLM, but this isn't
exactly what I'm looking for.
 
My question is this:
    Is it possible to use jcifs's NTLM HTTP Auth filter in combination with
Tomcat user roles?  Such that I can still have my multiple levels of
security based on the roles the user is set up on and restrict access to
those directories that they do not have?
If someone feels this is possible, could you give me some pointers or even
just point me at a URL or the right terms to google on?
 
I greatly appreciate it.
 
Daniel
 
---------- Configuration junk below -------------
 
A brief rundown of the structure is as follows:
 
/myapp/
    dirA/
        jsp pages
    dirB/
        jsp pages
    dirC/
        jsp pages
    WEB-INF/
        classes/
            package/
                java servlets
 
I have the following security setup currently running:
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>myapp</web-resource-name>
   <url-pattern>/dirA/*</url-pattern>
   <url-pattern>/dirB/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>roleAB</role-name>
  </auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>myapp - C</web-resource-name>
   <url-pattern>/dirC/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>roleC</role-name>
  </auth-constraint>
 </security-constraint>
 <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name></realm-name>
 </login-config>

and in my tomcat-users.xml file, I have:
  <role rolename="roleAB"/>
  <role rolename="roleC"/>
  <role rolename="roleABextended"/>
  <user username="user1" password="" roles="roleAB,roleABextended,roleC"/>
  <user username="user2" password="" roles="roleAB,roleABextended"/>
  <user username="user3" password="" roles="roleC"/>
  <user username="guest" password="" roles="roleAB"/>

 
The roleABextended is used to provide some extended information to certain
users in the A and B directories.  The jsp page calls
request.isUserInRole("roleABextended") for this.
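
One way to keep the role checks once authentication moves into a servlet filter, as an added example that is not part of the original post or of jcifs: Tomcat evaluates <security-constraint> against its own realm before any filter runs, so the filter below enforces the same directory rules itself and answers isUserInRole(). RoleMappingFilter and its hard-coded tables are hypothetical, and it assumes an NTLM filter mapped ahead of it in web.xml has already set getRemoteUser().

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: RoleMappingFilter is a hypothetical class, not jcifs or Tomcat code.
// Assumption: an earlier NTLM filter makes getRemoteUser() return "DOMAIN\\user" or "user".
public class RoleMappingFilter implements Filter {
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();
    private final Map<String, String> requiredRole = new LinkedHashMap<>();
    public void init(FilterConfig cfg) {
        // Mirrors tomcat-users.xml from the post; load from a real store in practice.
        rolesByUser.put("user1", roles("roleAB", "roleABextended", "roleC"));
        rolesByUser.put("user2", roles("roleAB", "roleABextended"));
        rolesByUser.put("user3", roles("roleC"));
        rolesByUser.put("guest", roles("roleAB"));
        // Mirrors the two <security-constraint> blocks from the post.
        requiredRole.put("/dirA/", "roleAB");
        requiredRole.put("/dirB/", "roleAB");
        requiredRole.put("/dirC/", "roleC");
    }
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String remote = req.getRemoteUser();
        if (remote == null) {   // fail closed if no authenticated user is present
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Dropping the domain prefix is only safe when a single domain is trusted.
        String user = remote.substring(remote.lastIndexOf('\\') + 1).toLowerCase(Locale.ROOT);
        final Set<String> granted = rolesByUser.getOrDefault(user, Collections.<String>emptySet());
        // getServletPath()/getPathInfo() are container-decoded, unlike getRequestURI().
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        for (Map.Entry<String, String> rule : requiredRole.entrySet()) {
            if (path.startsWith(rule.getKey()) && !granted.contains(rule.getValue())) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        // Lets the JSP pages keep calling request.isUserInRole("roleABextended").
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public boolean isUserInRole(String role) { return granted.contains(role); }
        }, res);
    }
    public void destroy() { }
    private static Set<String> roles(String... names) { return new HashSet<>(Arrays.asList(names)); }
}
```

With this approach the <security-constraint> and <login-config> elements would come out of web.xml, since the container would otherwise still demand BASIC credentials for those paths.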
 
 
 
 