[jcifs] Implementing a weblogic identity asserter with jCifs and NTLM Http authentication

DJP JEAN-PROST Dominique djeanprost at sofaxis.com
Wed Feb 25 08:56:47 GMT 2004


Hello,


I've just discovered jcifs and I have to say it's quite impressive.

Actually, I would like to implement a WebLogic identity asserter to fully
stick to BEA's view of security in WebLogic.

IdentityAsserter is aimed at saying who is the user related to a token. In
my case I would use NTLM HTTP authentication, because that is what I want to
give my users.

To implement this Asserter, I have to implement a method public
CallbackHandler assertIdentity(Object Token). In this method, I have to:
  - check the token is valid in my context (using the challenge handshake
    of NTLM HTTP authentication)
  - return a CallbackHandler in which there would be the username of the
    user I'm trying to authenticate.

Reading the NtlmHttpFilter, I understand I have to "use" this piece of code:

    //... getting the dc reference
    byte[] challenge = SmbSession.getChallenge(dc);
    ntlm = NtlmSsp.authenticate(req, resp, challenge);

The assertIdentity method of weblogic's class IdentityAsserter knows
nothing of the Http request nor of the Http response, so I can't use
NtlmSsp.authenticate(req, resp, challenge).

Then I read the content of the method authenticate to find I could use the
piece of code :

    // strip the "NTLM " prefix of the Authorization header, then decode
    byte[] src = Base64.decode(msg.substring(5));
    // byte 8 follows the 8-byte "NTLMSSP\0" signature: the message type
    if (src[8] == 1) {
        // Type 1 (negotiate): answer with a Type 2 carrying the challenge
        Type1Message type1 = new Type1Message(src);
        Type2Message type2 = new Type2Message(type1, challenge, null);
        msg = Base64.encode(type2.toByteArray());
        resp.setHeader( "WWW-Authenticate", "NTLM " + msg );
    } else if (src[8] == 3) {
        // Type 3 (authenticate): extract the name and the two responses
        Type3Message type3 = new Type3Message(src);
        byte[] lmResponse = type3.getLMResponse();
        if (lmResponse == null) lmResponse = new byte[0];
        byte[] ntResponse = type3.getNTResponse();
        if (ntResponse == null) ntResponse = new byte[0];
        return new NtlmPasswordAuthentication(type3.getDomain(),
                type3.getUser(), lmResponse, ntResponse);
    }

My questions:
  - Am I right?
  - What if I don't use this line in the previous code:
    resp.setHeader( "WWW-Authenticate", "NTLM " + msg );
  - Do I need to use SmbSession.logon(dc, ntlm); as the aim of identity
    asserter is only to say who is the user corresponding to the NTLM token?
    (underlying question: is the previous code sufficient to check the user
    against the NT domain?)


Dom
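
The handshake from the message above, reshaped so that it needs no servlet request or response. This is an added example, not part of the original post and not jCIFS or WebLogic code. The class NtlmTokenStep, its Result type and the dcHost parameter are hypothetical; the jCIFS calls are the ones quoted in the post plus SmbSession.logon, and the NtlmPasswordAuthentication constructor is used in the four-argument form the post shows, so check it against the jCIFS release you build with.

```java
import java.io.IOException;
import jcifs.UniAddress;
import jcifs.ntlmssp.Type1Message;
import jcifs.ntlmssp.Type2Message;
import jcifs.ntlmssp.Type3Message;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;
import jcifs.util.Base64;

/** Hypothetical helper (not part of jCIFS or WebLogic): one NTLM step per call. */
public class NtlmTokenStep {
    /** Exactly one of the two fields is non-null. */
    public static final class Result {
        public final String challengeHeader; // Type 2 value to send back as WWW-Authenticate
        public final String verifiedUser;    // set only after the DC accepted the Type 3 response
        Result(String h, String u) { challengeHeader = h; verifiedUser = u; }
    }

    private final UniAddress dc;

    public NtlmTokenStep(String dcHost) throws IOException { // dcHost: assumed DC name
        dc = UniAddress.getByName(dcHost, true);
    }

    /** @param token Authorization header value: "NTLM " followed by a base64 message */
    public Result step(String token) throws IOException {
        if (token == null || !token.startsWith("NTLM "))
            throw new IOException("not an NTLM token");
        byte[] src = Base64.decode(token.substring(5));
        if (src.length < 12) throw new IOException("truncated NTLM message");
        byte[] challenge = SmbSession.getChallenge(dc); // same call as in the post
        if (src[8] == 1) {
            // The client cannot compute a Type 3 until it has received this Type 2.
            Type2Message type2 = new Type2Message(new Type1Message(src), challenge, null);
            return new Result("NTLM " + Base64.encode(type2.toByteArray()), null);
        }
        if (src[8] == 3) {
            Type3Message type3 = new Type3Message(src);
            byte[] lm = type3.getLMResponse() == null ? new byte[0] : type3.getLMResponse();
            byte[] nt = type3.getNTResponse() == null ? new byte[0] : type3.getNTResponse();
            // Domain and user are values the client wrote into the message.
            NtlmPasswordAuthentication ntlm = new NtlmPasswordAuthentication(
                    type3.getDomain(), type3.getUser(), lm, nt);
            SmbSession.logon(dc, ntlm); // throws SmbAuthException if the DC rejects the responses
            return new Result(null, ntlm.getDomain() + "\\" + ntlm.getUsername());
        }
        throw new IOException("unexpected NTLM message type " + src[8]);
    }
}
```

The caller hands challengeHeader to whatever layer owns the HTTP response and calls step again with the client's next Authorization value; only a non-null verifiedUser is a name the domain controller has checked.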



