[jcifs] re-authentication / password
Christopher R. Hertel
crh at ubiqx.mn.org
Wed Aug 4 17:39:58 GMT 2004
On Wed, Aug 04, 2004 at 12:15:12PM -0500, karla.smith at vectorsgi.com wrote:
> Newbie question:
> Is it possible to extract the password after authenticating a user using
> NTLM HTTP authentication ?
> We will authenticate the user using the servlet filter. Then we need to
> re-authenticate the user when going through web services. To do so, we need
> the username, password and domain. The username is available in the request
> object but the password is not (probably for obvious reasons). Is it
> possible to obtain this information ?
The authentication process is based on the challenge/response model. The
password itself is never sent over the wire during authentication. The
idea is that the Domain Controller (or password server) knows the
password, and the client knows the password, so if they both encrypt the
same piece of random data using the password then the results should
The goal (to prevent password-grabbing man-in-the-middle attacks) is to
hide the password from anyone else listening on the wire, including the
server (in this case, the web server).
So, no... I'm 'fraid that the password won't be available.
Hope that helps.
More info: http://ubiqx.org/cifs/SMB.html#SMB.8.3
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
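The challenge/response model described in the reply, as an added illustration that is not part of the thread and not jCIFS code. It is a simplified model: the password is turned into a key with SHA-256 and the response is an HMAC-SHA256 over the challenge, standing in for NTLM's actual MD4/HMAC-MD5 computation. The domain, user and password are constructed sample values. The web server in the model sees only the username, the challenge it issued and the response; it never holds the password, and the captured response is useless against a second service that issues its own fresh challenge, which is why re-authenticating to a web service needs something the servlet filter does not have.

```python
import hashlib
import hmac
import os

# Simplified stand-in for the password-derived key (real NTLM uses MD4 over
# the UTF-16LE password; SHA-256 is used here only to illustrate the flow).
def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Constructed credential store standing in for the Domain Controller.
# It holds the derived key, never the password itself.
DC_STORE = {("VECTORSGI", "karla"): password_key("correct horse battery staple")}


class Client:
    """Knows the password and proves it by answering a challenge."""

    def __init__(self, domain: str, user: str, password: str):
        self.domain, self.user = domain, user
        self._key = password_key(password)

    def respond(self, challenge: bytes) -> bytes:
        # Only the keyed digest of the challenge goes over the wire.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def dc_verify(domain: str, user: str, challenge: bytes, response: bytes) -> bool:
    """The DC recomputes the expected response from its stored key."""
    key = DC_STORE.get((domain, user))
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


class WebServer:
    """Relays the exchange; sees username, challenge and response only."""

    def __init__(self):
        self.observed = []  # everything the server could possibly record

    def authenticate(self, client: Client) -> bool:
        challenge = os.urandom(8)  # fresh random data per authentication
        response = client.respond(challenge)
        ok = dc_verify(client.domain, client.user, challenge, response)
        self.observed.append((client.domain, client.user, challenge, response))
        return ok


def reuse_against_other_service(observed) -> bool:
    """Attempt to re-authenticate to a second service using only what the
    web server captured. The second service issues its own challenge, so
    the old response does not verify; the password is needed, and the
    server never had it."""
    domain, user, old_challenge, old_response = observed
    new_challenge = os.urandom(8)
    while new_challenge == old_challenge:  # keep the demonstration deterministic
        new_challenge = os.urandom(8)
    return dc_verify(domain, user, new_challenge, old_response)


if __name__ == "__main__":
    server = WebServer()
    karla = Client("VECTORSGI", "karla", "correct horse battery staple")
    print("login ok:", server.authenticate(karla))
    print("reuse of captured response works:", reuse_against_other_service(server.observed[0]))
```

Running the block shows the first login succeeding and the attempted reuse failing, which is the practical reason the reply gives: the servlet filter can confirm that the user knew the password, but cannot hand that password on to anything else.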