[jcifs] Re: Windows group

Michael B Allen mba2000 at ioplex.com
Thu Nov 6 07:33:45 EST 2003 

Please send all messages to the jCIFS mailing list.

> Micheal,
>
> So sorry to bother you but I am in a bit of a bind.  I need to implement
> the
> functionality that allows a user to "transparently" be authenticated via a
> servlet.  Your jCIFS api works very well for this and worked like a charm
> for me.  But then my boss decided to throw another curve at me by
> requiring
> that users be in certain groups before they are granted access to one of
> our
> intranet cites.  From the documentation, it appears that this cannot be
> done
> via jCIFS.  It does seem possible to do this via JAAS but I would need to
> know the password to do it.  Is there any way to decifer the String
> representation of the client password from the password hashes?  I have
> went
> through the code but I admit that I get a bit lost when I try.

It is not directly possible to add what is basically an ACL
programmatically because we do not implement the RPCs necessary to extract
user and group information. I'm not sure how JAAS does it but it sounds
like a Windows only solution.

However, there is a work around. I have never used it personally but I
have heard of success from others. To authenticate HTTP users jCIFS just
performs a "tree connect" IPC$ on the domain controller. You could change
the jcifs.smb.SmbSession.logon method to connect to a different share (say
AUTH$). Then, on the jcifs.smb.client.domainController machine add a share
AUTH$ and edit it's access control to permit only the groups of interest.
If you do not have access to a real domain controller use the
jcifs.smb.client.domainController property to specify another machine.
This will be slightly slower as it will just forward it's requests to the
real domain controller so it is preferred that the alternate machine have
a fast connection to the domain controller. The technique is not as
elegant because you have to use a modified jCIFS, manage this "AUTH$"
share, and it is not possible to take advantage of the load balancing
inherent to using the jcifs.smb.client.domain property but it will give
you the desired behavior your looking for. For a small site of less than
~200 concurrent users it will probably work quite well actually.

Mike

--
A program should be written to  model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the  potential for it  to be applied  to tasks that are
conceptually similar and, more  important, to tasks that have not
yet been conceived.

More information about the jcifs mailing list