[jcifs] Re-authenticating and jCIFS

Michael B Allen mba2000 at ioplex.com
Mon Feb 2 06:09:00 GMT 2004


Persona Non Grata said:
> gain access to protected resource is via NTLM over HTTP.  The $64,000
> question is: if I stick jCIFS NTLM HTTP filter in front of the proxy
> (say it's a J2EE webapp), can I somehow reuse the result of the
> negotiation between the client and the proxy so as to have the proxy
> sign in with the client's credentials into the protected resource?

No. When jCIFS authenticates with a server (which is the domain controller
in the case of the NTLM HTTP filter) the first thing that happens is the
server returns a random "challenge". From that challenge the client
generates password hashes which when transmitted back to the server are
used for authentication. In other words, the password hashes are specific
to the target server. So you cannot authenticate against the domain
controller using the NTLM HTTP filter and then use whatever negotiated
credentials to then access an SMB file server on another host. You would
need to renegotiate the password hashes with the challenge for the file
server. If you don't care about re-negotiating every time you connect to
another server then that will work fine. The NetworkExplorer servlet and
Davenport use jCIFS for just that purpose.

Mike
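
The challenge binding described in the reply above, as an added example that is not part of the original post and is not jCIFS code. It assumes the NTLMv2 HMAC-MD5 construction, a constructed NT hash, account name, challenges and client blob, and a simplified verifier that holds the key itself.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5(NT hash, UPPER(user) + domain, UTF-16LE)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def client_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """Proof sent by the client: HMAC-MD5 over the server's challenge + blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def server_verify(key: bytes, issued_challenge: bytes, blob: bytes,
                  response: bytes) -> bool:
    """A verifier recomputes the proof with the challenge IT issued."""
    expected = client_response(key, issued_challenge, blob)
    return hmac.compare_digest(expected, response)

def demo():
    # All values below are constructed for illustration.
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    key = ntowf_v2(nt_hash, "alice", "EXAMPLE")
    blob = bytes.fromhex("0101000000000000a1a2a3a4a5a6a7a8")  # simplified blob
    dc_challenge = bytes.fromhex("1122334455667788")  # issued to the HTTP filter
    fs_challenge = bytes.fromhex("8877665544332211")  # issued by the file server

    # Response negotiated through the NTLM HTTP filter (domain controller).
    http_response = client_response(key, dc_challenge, blob)
    accepted_by_dc = server_verify(key, dc_challenge, blob, http_response)

    # Presenting that same response to the file server fails: its challenge
    # differs, so the proof it recomputes does not match.
    reused_on_fs = server_verify(key, fs_challenge, blob, http_response)

    # Only a response computed over the file server's own challenge is
    # accepted, which requires the password-derived key again.
    fresh = client_response(key, fs_challenge, blob)
    renegotiated = server_verify(key, fs_challenge, blob, fresh)
    return accepted_by_dc, reused_on_fs, renegotiated

if __name__ == "__main__":
    print(demo())
```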

