[jcifs] RFE's for NTLM HTTP Authentication
Eric
eglass1 at attbi.com
Mon Feb 17 23:13:38 EST 2003
>>Also useful would be an interface which gives the application the
>>possibility
>>to reject the credentials and to demand others even if they are valid for
>>the DC.
>>For example they maybe not valid for the application.
>>
>
> This is very application specific behavior that I don't quite understand and sould
> be done by writing your own Filter with the NtlmSsp class.
>
I'm guessing he is talking about authorization rather than
authentication (i.e. isUserInRole()). Doing actual group-based
authorization against NT groups would require DCE/RPC (I believe).
There are basically 2 ways to handle this:
a) inside your application code, just maintain a list of "valid" users;
and manually check membership; i.e.:
if (!userlist.contains(request.getRemoteUser())) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
"Bad user.");
return;
}
b) if you want to get a bit more clever, you could subclass/alter
NtlmHttpServletRequest and override isUserInRole() to check role
membership for you. Then your application code would be able to do:
if (!request.isUserInRole("admin")) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
"Bad user.");
return;
}
this would require a bit more work though; you would have to change
NtlmHttpFilter (or create a new filter) to use your request class
instead of the NtlmHttpServletRequest class.
>
>>2. RFE
>>sometimes NTLM HTTP Authentication is failing or is suppressed for some
>>reason.
>>(for example some proxys are disrupting NTLM HTTP Authentication)
>>this would leave a blank page in the IE window, because the jCIFS
>>WWW-Authenticate
>>response sends an empty body.
>>Better would be an possibility/interface/responsebuffer for the application
>>to provide
>>a html body and/or additional response headers which could deal with such an
>>incident.
>>(For example a timed redirect to a fallback url or webpage which gives the
>>user a hint)
>>
>
> The bodies aren't empty but they are sent in a different packet. It's not clear to
> me why this should be a real problem because they just contain error message
> junk. I don't recall exactly why the body is in a separate packet. I believe it was
> necessary to keep the connection open during the 3 message dialog. This NTLM
> over HTTP thing is non standard so maintaining state accross the negotiate
> presented some problems. To pursue this further we would need to see a packet
> trace of the errant dialog.
>
I think he's talking about providing a custom error body; so instead of
just doing:
resp.setHeader("WWW-Authenticate", "NTLM");
resp.setHeader("Connection", "close");
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
resp.flushBuffer();
return;
he wants to do:
resp.setHeader("WWW-Authenticate", "NTLM");
resp.setHeader("Connection", "close");
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
resp.setContentType("text/html");
resp.getWriter().println("<html><body>No access, pal.</body></html>");
resp.flushBuffer();
return;
This is possible (and is often done to provide "pretty" access denied
messages). I'm not sure how it would affect NTLM authentication,
though; as Mike indicates, NTLM is strange in that it has fairly
stringent connection requirements. Testing would have to be done.
Eric
>
>>Hope this is also useful for others.
>>
>>
>> Charly
>>
>>
>>appended class NtlmServlet
>>
>
> What is this supposed to show us?
>
>
>
More information about the jcifs
mailing list