[jcifs] re-authentication / password

Christopher R. Hertel crh at ubiqx.mn.org
Wed Aug 4 17:39:58 GMT 2004


On Wed, Aug 04, 2004 at 12:15:12PM -0500, karla.smith at vectorsgi.com wrote:
> Newbie question:
>
> Is it possible to extract the password after authenticating a user using
> NTLM HTTP authentication?
>
> We will authenticate the user using the servlet filter.  Then we need to
> re-authenticate the user when going through web services.  To do so, we need
> the username, password and domain.  The username is available in the request
> object but the password is not (probably for obvious reasons).  Is it
> possible to obtain this information?

The authentication process is based on the challenge/response model.  The 
password itself is never sent over the wire during authentication.  The 
idea is that the Domain Controller (or password server) knows the 
password, and the client knows the password, so if they both encrypt the 
same piece of random data using the password then the results should 
match.

The goal (to prevent password-grabbing man-in-the-middle attacks) is to 
hide the password from anyone else listening on the wire, including the 
server (in this case, the web server).

So, no...  I'm 'fraid that the password won't be available.

Hope that helps.

Chris -)-----
More info:  http://ubiqx.org/cifs/SMB.html#SMB.8.3

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org


More information about the jcifs mailing list