[jcifs] NTLM HTTP Authentication in combination with Tomcat user-roles...

Pugsley, Jason Jason.Pugsley at team.telstra.com
Thu Aug 14 11:18:39 EST 2003


Yes it's possible, and yes you have to modify/extend Tomcat. I've done it myself. While the solution isn't overly elegant it works perfectly for me.

The only issues come down to where you want to store your role-name/username mappings. You can put it in a database as I have, or an LDAP database/query as I know one other fellow has.

If you are using a version of Tomcat in the vicinity of 4.1.24 then I can probably help (it's the version I've most recently worked with). If it's much older it may be more difficult.

I actually run my setup in a JBoss/Tomcat combination even though Tomcat alone would be fine; it's just that certain J2EE features regarding database access are easier for me in JBoss. Besides, users/roles/security/databases in Tomcat is from J2EE anyway. I don't actually use any EJBs or other such features of JBoss/J2EE.

Regards,

Jason.

-----Original Message-----
From: Eric [mailto:eglass1 at comcast.net]
Sent: Thursday, 14 August 2003 9:51 AM
To: daniel-other at yipyip.com
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLM HTTP Authentication in combination with Tomcat user-roles...



> I wanted to investigate the possibility of using NTLM HTTP 
> authentication as a convenience since the app is currently being 
> accessed exclusively by IE clients.  I started googling and came up with 
> two answers, "j2se1.4.2 has NTLM built in" and "use jcifs".
> I was completely unable to find any relevant information about the new 
> NTLM features in 1.4.2.  The only concrete information I could find is 
> that the java plugin now supports it in some manner.

1.4.2 supports NTLM HTTP authentication from the *client* side (i.e., 
via HttpURLConnection) on Windows.

> I downloaded the jcifs package and followed the example on the website, 
> and I was able to replace my current security model with NTLM, but this 
> isn't exactly what I'm looking for.
>  
> My question is this:
>     Is it possible to use jcifs's NTLM HTTP Auth filter in combination 
> with Tomcat user roles?  Such that I can still have my multiple levels 
> of security based on the roles the user is set up on and restrict access 
> to those directories that they do not have?

Not without doing some Tomcat (or other container) specific development.
The authentication filter operates independent of the security
configuration in web.xml (you might actually get weird behavior if you
attempt to use both).

It shouldn't be too terribly difficult to write a Tomcat extension to do 
this;  most of the NTLM-specific code could probably be copied and 
pasted directly from the filter.

Eric
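
Added example (not code from this thread or from jCIFS): the role decision that a container extension or a second filter would have to make once the NTLM filter has supplied the authenticated user name. The class name, the user/role table and the path rules are constructed for illustration; the thread keeps the real mapping in a database or LDAP.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical helper: maps an NTLM-authenticated user to roles and checks path access.
public class NtlmRoleGate {
    // Constructed sample mapping, keyed by lower-cased DOMAIN\\user.
    static final Map<String, Set<String>> USER_ROLES = Map.of(
        "corp\\alice", Set.of("admin", "user"),
        "corp\\bob", Set.of("user"));

    // Constructed path rules standing in for web.xml security constraints.
    static final Map<String, String> PATH_ROLE = Map.of(
        "/admin/", "admin",
        "/app/", "user");

    // Windows account names are case-insensitive, so normalise before lookup.
    static String normalise(String remoteUser) {
        return remoteUser == null ? null : remoteUser.trim().toLowerCase(Locale.ROOT);
    }

    static boolean isUserInRole(String remoteUser, String role) {
        String key = normalise(remoteUser);
        // Map.of() rejects null keys, so treat "no user" as "no roles".
        Set<String> roles = (key == null) ? null : USER_ROLES.get(key);
        return roles != null && roles.contains(role);
    }

    // path is assumed to be the container-normalised servlet path.
    // Longest matching prefix wins; a path with no rule is denied.
    static boolean isAllowed(String remoteUser, String path) {
        String required = null;
        int best = -1;
        for (Map.Entry<String, String> e : PATH_ROLE.entrySet()) {
            if (path.startsWith(e.getKey()) && e.getKey().length() > best) {
                best = e.getKey().length();
                required = e.getValue();
            }
        }
        return required != null && isUserInRole(remoteUser, required);
    }

    public static void main(String[] args) {
        System.out.println("alice /admin/users: " + isAllowed("CORP\\Alice", "/admin/users"));
        System.out.println("bob   /admin/users: " + isAllowed("CORP\\bob", "/admin/users"));
        System.out.println("bob   /app/home:    " + isAllowed("CORP\\bob", "/app/home"));
        System.out.println("null  /app/home:    " + isAllowed(null, "/app/home"));
        System.out.println("alice /other:       " + isAllowed("CORP\\alice", "/other"));
    }
}
```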