[jcifs] Why would auth work on one server and not on another?

Dave Mobley scprotz at hotmail.com
Fri Jul 11 01:35:04 EST 2003 

Here is a copy of my sevlet.  It is very simple (and the
jcifs.http.NtlmServlet grafted from 0.7.8 with the slight modifications to
make it jdk1.1 and jsdk2.0 compliant).  Also, I did rename my servlet and
strip out the cookie handling just to make it simpler.

//// Servlet /////
package com.ibm.lotus.http;

import javax.servlet.*;

import javax.servlet.http.*;

import java.io.*;

public class SampleNtlmServlet extends jcifs.http.NtlmServlet

{

private java.util.Hashtable cache = new java.util.Hashtable();


public void doGet( HttpServletRequest req,

HttpServletResponse resp ) throws IOException, ServletException {

PrintWriter out = resp.getWriter();

resp.setContentType( "text/html" );


String htmlpage =

"<html><head>"+

"</head><body>"+

"User = " + req.getSession(true).getValue("ntlmuser")+

"</body></html>";

out.println(htmlpage);

}

}

///// End Servlet /////


//// jcifs.http.NtlmServlet /////
/* jcifs smb client library in Java

* Copyright (C) 2002 "Michael B. Allen" <jcifs at samba dot org>

* "Eric Glass" <jcifs at samba dot org>

*

* This library is free software; you can redistribute it and/or

* modify it under the terms of the GNU Lesser General Public

* License as published by the Free Software Foundation; either

* version 2.1 of the License, or (at your option) any later version.

*

* This library is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* Lesser General Public License for more details.

*

* You should have received a copy of the GNU Lesser General Public

* License along with this library; if not, write to the Free Software

* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/

package jcifs.http;

import java.io.IOException;

import java.net.UnknownHostException;

import java.util.Enumeration;

import javax.servlet.ServletConfig;

import javax.servlet.ServletException;

//import javax.servlet.UnavailableException;

import javax.servlet.http.HttpSession;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import jcifs.Config;

import jcifs.UniAddress;

import jcifs.smb.NtlmPasswordAuthentication;

import jcifs.smb.SmbAuthException;

import jcifs.smb.SmbSession;

import jcifs.util.Base64;

/**

* This servlet may be used with pre-2.3 servlet containers

* to protect content with NTLM HTTP Authentication. Servlets that

* extend this abstract base class may be authenticatied against an SMB

* server or domain controller depending on how the

* <tt>jcifs.smb.client.domain</tt> or <tt>jcifs.http.domainController</tt>

* properties are be specified. <b>With later containers the

* <tt>NtlmHttpFilter</tt> should be used/b>. For custom NTLM HTTP
Authentication schemes the <tt>NtlmSsp</tt> may be used.

* <p>

* Read <a href="../../../ntlmhttpauth.html">jCIFS NTLM HTTP Authentication
and the Network Explorer Servlet</a> related information.

*/

public abstract class NtlmServlet extends HttpServlet {

private static final NtlmSsp AUTH = new NtlmSsp();

private UniAddress domainController;

private boolean enableBasic;

private boolean insecureBasic;

private String realm;

public void init(ServletConfig config) throws ServletException {

super.init(config);

/* Set jcifs properties we know we want; soTimeout and cachePolicy to 10min.

*/

Config.setProperty( "jcifs.smb.client.soTimeout", "300000" );

Config.setProperty( "jcifs.netbios.cachePolicy", "600" );

Enumeration e = config.getInitParameterNames();

String name;

while (e.hasMoreElements()) {

name = (String) e.nextElement();

if (name.startsWith("jcifs.")) {

Config.setProperty(name, config.getInitParameter(name));

}

}

String dc = Config.getProperty("jcifs.http.domainController");

if (dc == null && (dc = Config.getProperty( "jcifs.smb.client.domain" )) ==
null) {

throw new ServletException("No domain controller specified.");

}

try {

domainController = UniAddress.getByName(dc);

} catch (UnknownHostException ex) {

throw new ServletException("Specified DC unreachable.");

}

enableBasic = Boolean.valueOf(

Config.getProperty("jcifs.http.enableBasic")).booleanValue();

insecureBasic = Boolean.valueOf(

Config.getProperty("jcifs.http.insecureBasic")).booleanValue();

realm = Config.getProperty("jcifs.http.basicRealm");

if (realm == null) realm = "jCIFS";

}

protected void service(HttpServletRequest request,

HttpServletResponse response) throws ServletException, IOException {

boolean offerBasic = enableBasic &&

(insecureBasic );

//|| request.isSecure());

String msg = request.getHeader("Authorization");

if (msg != null && (msg.startsWith("NTLM ") ||

(offerBasic && msg.startsWith("Basic ")))) {

NtlmPasswordAuthentication ntlm;

if (msg.startsWith("NTLM ")) {

byte[] challenge = SmbSession.getChallenge(domainController);

ntlm = AUTH.doAuthentication(request, response, challenge);

if (ntlm == null) return;


} else {

String auth = new String(Base64.decode(msg.substring(6)),

"US-ASCII");

int index = auth.indexOf(':');

String user = (index != -1) ? auth.substring(0, index) : auth;

String password = (index != -1) ? auth.substring(index + 1) :

"";

index = user.indexOf('\\');

if (index == -1) index = user.indexOf('/');

String domain = (index != -1) ? user.substring(0, index) :

Config.getProperty("jcifs.smb.client.domain");

user = (index != -1) ? user.substring(index + 1) : user;

ntlm = new NtlmPasswordAuthentication(domain, user, password);

}

try {

SmbSession.logon(domainController, ntlm);

} catch (SmbAuthException sae) {

response.setHeader("WWW-Authenticate", "NTLM");

if (offerBasic) {

// modified by dave mobley //

// response.addHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");

response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");

}

response.setHeader("Connection", "close");

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

// response.flushBuffer();

return;

}

HttpSession ssn = request.getSession(true);

ssn.putValue("NtlmHttpAuth", ntlm);

ssn.putValue( "ntlmdomain", ntlm.getDomain() );

ssn.putValue( "ntlmuser", ntlm.getUsername() );

} else if (request.getSession(true).getValue("NtlmHttpAuth") == null) {

response.setHeader("WWW-Authenticate", "NTLM");

if (offerBasic) {

response.setHeader("WWW-Authenticate", "Basic realm=\"" +

realm + "\"");

}

response.setHeader("Connection", "close");

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

// response.flushBuffer();

return;

}

super.service(request, response);

}

}


//// end jcifs.http.NtlmServlet /////

----- Original Message ----- 
From: <eglass1 at comcast.net>
To: "dave mobley" <scprotz at hotmail.com>
Cc: <Michael_B_Allen at ml.com>; <jcifs at lists.samba.org>
Sent: Thursday, July 10, 2003 6:37 AM
Subject: RE: [jcifs] Why would auth work on one server and not on another?


>
>
> > > >
> > > > 1: IE -> request a page from server
> > > > 2: Server -> tells IE it needs to Auth using NTLM
> > > > 3: IE -> says ok and sends back a blob
> > > > 4: Server -> gets glob, does some fancy footwork, tries to send back
> > >blob,
> > > > but stupid IE has hung up
> > > >
>
> The server is sending
>
> Connection: close
>
> with the Type-2 challenge.  This will cause NTLM negotiation to fail.
Doing a
> response.sendError (rather than response.setStatus) can cause this; there
may
> also be a flaw in either the specification or implementation of the older
> Servlet spec that you're using.  If you could post some of the relevant
code
> (anything dealing with the servlet response) I can take a look at it.
>
> A persistent connection is typically required by clients which implement
NTLM
> using the Windows SSPI library (including IE and Mozilla).  This is an
ease of
> implementation issue.  The client has to maintain a handle to an SSPI
security
> context between function calls; the easiest way to do this is just to keep
the
> connection open and pass tokens (i.e., the NTLM messages) back and forth.
If
> the connection is broken, the client loses track of the security context
it was
> in the process of establishing.
>
>
> Eric
>

More information about the jcifs mailing list