[jcifs] RFE's for NTLM HTTP Authentication

Frode E. Moe frode at coretrek.no
Mon Feb 17 23:21:00 EST 2003


On Mon, Feb 17, 2003 at 07:13:38AM -0500, Eric wrote:
> I'm guessing he is talking about authorization rather than 
> authentication (i.e. isUserInRole()).  Doing actual group-based 
> authorization against NT groups would require DCE/RPC (I believe). 
> There are basically 2 ways to handle this:
> 
> a) inside your application code, just maintain a list of "valid" users; 
> and manually check membership; i.e.:
> 
> if (!userlist.contains(request.getRemoteUser())) {
>     response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
>             "Bad user.");
>     return;
> }
> 
> b) if you want to get a bit more clever, you could subclass/alter 
> NtlmHttpServletRequest and override isUserInRole() to check role 
> membership for you.  Then your application code would be able to do:
> 
> if (!request.isUserInRole("admin")) {
>     response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
>         "Bad user.");
>     return;
> }
> 

If you get the valid username from NTLM and want to check group memberships,
and you're working against an Active Directory server, you could
always use LDAP (via JNDI) to query by 'sAMAccountName' and get the list of
groups back. I think the LDAP attribute is called 'memberOf'.

 - Frode
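A worked version of the JNDI lookup Frode sketches, added here as an example rather than code from the thread or from jcifs: it searches Active Directory by 'sAMAccountName', collects the 'memberOf' values, and exposes an isMember() check that a servlet can call after the NTLM filter has set request.getRemoteUser(). The LDAP URL, bind DN, search base and group DN are placeholders; the "DOMAIN\" prefix handling is an assumption about what getRemoteUser() returns.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Looks up AD group membership for a user name that NTLM has already verified. */
public class AdGroupLookup {

    private final DirContext ctx;
    private final String searchBase;

    public AdGroupLookup(DirContext ctx, String searchBase) {
        this.ctx = ctx;
        this.searchBase = searchBase;
    }

    /** Opens an LDAPS connection with a dedicated read-only service account (all values are placeholders). */
    public static AdGroupLookup connect(String url, String bindDn, String bindPassword, String searchBase)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);              // e.g. "ldaps://dc.example.test:636"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);     // e.g. "CN=ldap-reader,OU=Service,DC=example,DC=test"
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new AdGroupLookup(new InitialDirContext(env), searchBase);
    }

    /** Strips a "DOMAIN\" prefix, which getRemoteUser() may include (assumption, not verified against jcifs). */
    static String bareUserName(String remoteUser) {
        int i = remoteUser.lastIndexOf('\\');
        return i >= 0 ? remoteUser.substring(i + 1) : remoteUser;
    }

    /** Returns the DNs listed in the user's memberOf attribute (direct membership only). */
    public Set<String> groupsOf(String remoteUser) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "memberOf" });
        // The user name is passed as a filter argument so JNDI escapes LDAP filter
        // metacharacters; never concatenate user-controlled text into the filter string.
        String filter = "(&(objectClass=user)(sAMAccountName={0}))";
        Object[] args = { bareUserName(remoteUser) };

        Set<String> groups = new HashSet<>();
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, args, sc);
        try {
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                Attribute memberOf = attrs.get("memberOf");
                if (memberOf == null) {
                    continue;                        // user is in no groups beyond the primary group
                }
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) {
                    groups.add(values.next().toString());
                }
            }
        } finally {
            results.close();
        }
        return Collections.unmodifiableSet(groups);
    }

    /** Case-insensitive DN comparison: AD returns DNs in its own case, callers often type another. */
    public boolean isMember(String remoteUser, String groupDn) throws NamingException {
        for (String g : groupsOf(remoteUser)) {
            if (g.equalsIgnoreCase(groupDn)) {
                return true;
            }
        }
        return false;
    }
}
```

In a servlet this pairs with Eric's option (b): a subclassed request's isUserInRole("admin") can map the role name to a group DN such as "CN=WebAdmins,OU=Groups,DC=example,DC=test" (placeholder) and return lookup.isMember(getRemoteUser(), dn), rejecting the request otherwise. Two caveats a practitioner should know: 'memberOf' lists direct memberships only and omits the user's primary group (normally Domain Users), so nested-group checks need either a recursive walk of each group's 'member' attribute or the constructed 'tokenGroups' attribute; and the bind account should be a dedicated reader with no other rights, since its credentials live in the application's configuration.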
