[jcifs] NTLM HTTP Authentication with web form

Michael B Allen mba2000 at ioplex.com
Fri Jan 2 23:17:43 GMT 2004

> Hi,
> 	I want to use NTLM authenication in my project. After I added the
> NtlmHttpFilter, it will prompt me a username/password if I didn't login to
> the domain controller. Can I use my self-designed login page to do so
> instead of prompting a window login box?? Did anyone try to do it. If yes,
> please share your experience to me.
> 	Thanks a lot!!

You could but it would pass the username and password in plaintext which would be
a very very bad idea. If you really wanted to do it you could secure it with SSL
but you could not really use the filter entirely as NTLM nor Basic authentication
permits specifying a custom login screen. You would have to create a form that,
when submitted, constructed an NtlmPasswordAuthentication object and passed it to

If you only want your custom logon screen to appear in the event the Filter
failed, copy the NtlmHttpFilter.java to CustomNtlmHttpFilter.java, change the
class name, and change the catch clause after SmbSession.login like:

    try {
        SmbSession.logon( dc, ntlm );
    } catch( SmbAuthException sae ) {
        //resp.setHeader( "WWW-Authenticate", "NTLM" );
        //if (offerBasic) {
        //    resp.addHeader( "WWW-Authenticate", "Basic realm=\"" +
        //            realm + "\"");
        //resp.setHeader( "Connection", "close" );
        //resp.setStatus( HttpServletResponse.SC_UNAUTHORIZED );

        PrintWriter out = resp.getWriter();
        out.print( myLoginScreenThatCallsCustomSmbSessionLogonServlet );


Or something like that .....


A program should be written to  model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the  potential for it  to be applied  to tasks that are
conceptually similar and, more  important, to tasks that have not
yet been conceived.

More information about the jcifs mailing list