[jcifs] NTLM authentication performance
Eric
eglass1 at attbi.com
Sat May 17 22:56:57 EST 2003
Jason Bainbridge wrote:
> I'm guessing I am doing some dumbass thing as I am only realtively new to Java
> still but I can't for the life of me get the below to work:
>
> OS: Windows 2000 Pro,
> JDK: Sun 1.4.0
> Tomcat 4.1.24 with modjk2 running inprocess with Apache
>
> I compiled the attached servlet in the jcifs.http package as it was setup,
> deployed it to my webapp, removed the filter from web.xml and added the
> following instead:
>
> <servlet>
> <servlet-name>FrontPage</servlet-name>
> <jsp-file>/intranet/index.jsp</jsp-file>
> <init-param>
> <param-name>jcifs.http.domainController</param-name>
> <param-value>192.168.0.1</param-value>
> </init-param>
> </servlet>
> <servlet-mapping>
> <servlet-name>FrontPage</servlet-name>
> <url-pattern>/intranet/index.jsp</url-pattern>
> </servlet-mapping>
>
> and then I added <%@ page extends="jcifs.http.NtlmJspBase" %> to the top of
> index.jsp
>
> Am I missing a step here does FrontPAge actually have to physically exist? If
> so what does it need to do?
>
This is just how init-params are passed to jsp files; you create a
servlet entry (with any name, FrontPage is just an example), and instead
of specifying a servlet-class, you specify a jsp-file. You still need
to provide a servlet-mapping for FrontPage to explicitly map the
jsp-file; internally all *.jsp are mapped to a container-provided
servlet, which you need to override to properly receive the init-params.
> With my current config the page loads first timeall the way up to my
> getremoteuser call (that was working fine before with the filter) but
> subsequent requests result in HTTP Status 503 - No domain controller
> specified. errors in Tomcat. Any ideas? I'm sure I'm missing something
> obvious...
>
> The reason I don't want to use the filter is that I only need to retrieve the
> logged in user details to use within the web application's own security and if
> I use the filter than it has to be on all pages otherwise POST won't work.
>
You shouldn't ever have to use anything but the filter under a 2.3
container; I don't think there are any additional features provided by
the legacy stuff. Assuming your "entry page" to your web app is
index.jsp (and that's the only page you want the filter to affect), you
would do the following in web.xml
<filter>
<filter-name>ntlm</filter-name>
</filter-class>jcifs.http.NtlmHttpFilter</filter-class>
<init-param>
<param-name>jcifs.http.domainController</param-name>
<param-value>10.10.2.20</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ntlm</filter-name>
<url-pattern>/index.jsp</url-pattern>
</filter-mapping>
The filter should provide authentication for
http://somebox/someapp/index.jsp, and all other pages/servlets in
"someapp" would be unaffected.
However, none of these approaches addresses the item you are looking for
-- basically (if I understand you correctly) you just want to do NTLM
against the front page (one time), and then perform user identification
manually from then on, using your own system, with no NTLM involved.
The problem is that POSTs will fail (since they will be expecting the
server to re-negotiate NTLM before they send the data).
Unfortunately, I wasn't able to figure out a way around this. At first,
I tried sending a "Connection: close" header from the front page
(thinking that if I terminated the connection, IE would "forget" that
NTLM was negotiated). It still kept sending the Type 1 with an empty
POST, however. I also tried closing the connection and redirecting to
another page (thinking that the redirect might make it forget about
NTLM); this didn't work either. Apparently, once NTLM has been
negotiated to a server, there doesn't seem to be any way to stop this
behavior. This is probably a security "feature" (to prevent someone
from hijacking the connection and sniffing the POST data). You could
possibly redirect to another *server*, and then back again, but that is
just plain kludgy.
I'll keep looking at this -- this is interesting behavior, and deserves
some scrutiny. In the meantime, unfortunately, you will probably have
to use NTLM on all your POST pages.
Eric
More information about the jcifs
mailing list