[jcifs] jcifs
Eric
eglass1 at comcast.net
Fri Jun 25 00:43:25 GMT 2004
If you send a page status of 401 and request authentication, the browser
should pop up a window (since it will assume the previously established
credentials are no longer valid). You would do this in a JSP/servlet
etc. like:
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
Assuming you're using the NTLM filter, you can just stick this at the
top of the response (in a JSP page, between "<%" "%>" tags). The
browser should give you a domain/username/password prompt.
The JSP snippet below is unnecessary; it basically does what the jCIFS
filter does for you, with the rather notable exception being it doesn't
actually authenticate the credentials provided. The user can send any
username/password pair and the code below will simply extract the
username and accept it as valid. The jCIFS filter authenticates against
a domain controller by making an SMB connection using the credentials
provided, which means the end user is actually who they say they are.
Eric
rezza wrote:
> Eric, very big thanks for your info,
>
> Btw let's forget about the "Save this password in your password list"
> option.
>
> Below, I have an old JSP script on the net.
> Actually I'm deep in web design and not really good in Java.
> If we could do: request.getHeader("Authorization");
> how to set the header "Authorization" with a null value? (clear the session?)
> And I hope the login form will pop up suddenly??
>
> rezza
>
>
> <%
>
> String auth = request.getHeader("Authorization");
>
> if (auth == null)
> {
>     // No Authorization header yet: ask the browser to start NTLM
>     response.setStatus(response.SC_UNAUTHORIZED);
>     response.setHeader("WWW-Authenticate", "NTLM");
>     response.flushBuffer();
>     return;
> }
> if (auth.startsWith("NTLM "))
> {
>     byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
>     int off = 0, length, offset;
>     if (msg[8] == 1)
>     { // unauthorized: Type 1 received, answer with a fixed Type 2 message
>         byte z = 0;
>         byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L',
>             (byte)'M', (byte)'S', (byte)'S', (byte)'P', z, (byte)2, z, z, z, z, z, z, z,
>             (byte)40, z, z, z, (byte)1, (byte)130, z, z, z, (byte)2, (byte)2, (byte)2,
>             z, z, z, z, z, z, z, z, z, z, z, z};
>         response.setHeader("WWW-Authenticate", "NTLM " +
>             new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
>         response.sendError(response.SC_UNAUTHORIZED);
>         return;
>     }
>     else if (msg[8] == 3)
>     {
>         // Type 3 received: the names are read out, the responses are never checked
>         off = 30;
>
>         // Workstation name (bytes are masked so lengths/offsets above 127 stay positive)
>         length = (msg[off+17] & 0xff)*256 + (msg[off+16] & 0xff);
>         offset = (msg[off+19] & 0xff)*256 + (msg[off+18] & 0xff);
>         String remoteHost = new String(msg, offset, length);
>         String input = remoteHost;
>         String output = "";
>         int i = 0;
>         // Keep every second character (drops the high byte of each 16-bit character)
>         while (i < (input.length()-(input.length()/2)))
>         {
>             output = output + input.charAt(i*2);
>             i++;
>         }
>         remoteHost = output;
>
>         // Domain name
>         length = (msg[off+1] & 0xff)*256 + (msg[off] & 0xff);
>         offset = (msg[off+3] & 0xff)*256 + (msg[off+2] & 0xff);
>         String domain = new String(msg, offset, length);
>
>         input = domain;
>         output = "";
>         i = 0;
>         while (i < (input.length()-(input.length()/2)))
>         {
>             output = output + input.charAt(i*2);
>             i++;
>         }
>         domain = output;
>
>         // User name
>         length = (msg[off+9] & 0xff)*256 + (msg[off+8] & 0xff);
>         offset = (msg[off+11] & 0xff)*256 + (msg[off+10] & 0xff);
>         String usernament = new String(msg, offset, length);
>         input = usernament;
>         output = "";
>         i = 0;
>         while (i < (input.length()-(input.length()/2))) {
>             output = output + input.charAt(i*2);
>             i++;
>         }
>         usernament = output;
>         out.print(domain+"/"+usernament);
>
>     }
> }
>
> %>
>
> On Wed, 23 Jun 2004 11:12:03 +0000, eglass1 at comcast.net wrote:
>
>>For information on what determines whether the user will be prompted see:
>>
>>http://jcifs.samba.org/src/docs/ntlmhttpauth.html#transparent
>>
>>You would probably be looking at this from the opposite perspective, as you
>>*want* people to be prompted for login. The easiest way would likely be
>>to configure the end user's IE options, under security, "Prompt for Username
>>and Password" (default is, I believe, "Automatic Logon only in Intranet zone").
>>This would apply to all applications employing NTLM, however.
>>
>>You could also possibly do some funky things with DNS to do this on a
>>per-application basis (to trick IE into thinking the application is outside the
>>intranet). You might be able to do this simply by accessing the site via
>>IP address rather than hostname, or use the FQDN (depending on how
>>your zones are set up).
>>
>>Another option would be to modify jCIFS to disable NTLM authentication
>>altogether, then set "jcifs.http.enableBasic" to true. This will do HTTP
>>Basic authentication only, which will prompt you for credentials. Note that
>>this should only be used over HTTPS, as Basic is highly insecure.
>>
>>
>>Eric
>>
>>
>>
>>>Hello Guys,
>>>I'm a new user of JCIFS,
>>>I have implemented jcifs 0.9.2 for Single Sign On and it works great!
>>>By the way, I have a few questions,
>>>Is there any way or any parameter setting to trigger the samba login form
>>>to always pop up every time a user accesses crucial web applications, even if the user
>>>has checked the "Save this password in your password list" option?
>>>The purpose is to increase web application security when any user
>>>forgets to lock/log off his computer,
>>>
>>>thanks,
>>>K. Rezza
>>>
>>>rezza at websystemarchitech.com
>>>
>>
>>
>>
>
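
An added example (not from the thread and not jCIFS code): a bounds-checked Java reader for the domain, user and workstation names in an NTLM Type 3 message, the same security buffers the quoted JSP reads. It assumes UTF-16LE strings as the JSP does; the class and method names are hypothetical and the sample message is constructed. What it returns is only what the client claims, since nothing here looks at the LM/NT responses; the check against a domain controller is what the jCIFS filter adds.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example (hypothetical class, not jCIFS code): reads the names a client puts in a Type 3 message.
public class Type3Claims {
    private static final byte[] SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

    // One security buffer is len(2) maxlen(2) offset(4), little-endian; text assumed UTF-16LE.
    static String field(ByteBuffer b, int pos) {
        int len = b.getShort(pos) & 0xFFFF;           // unsigned read of the 16-bit length
        long off = b.getInt(pos + 4) & 0xFFFFFFFFL;   // unsigned read of the 32-bit offset
        if ((len & 1) != 0 || off + len > b.limit())
            throw new IllegalArgumentException("bad security buffer at offset " + pos);
        return new String(b.array(), (int) off, len, StandardCharsets.UTF_16LE);
    }

    // Returns {domain, user, workstation}: claims only, the response hashes are never examined.
    static String[] parse(byte[] msg) {
        if (msg.length < 52 || !Arrays.equals(Arrays.copyOf(msg, 8), SIG))
            throw new IllegalArgumentException("not an NTLMSSP message");
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(8) != 3)
            throw new IllegalArgumentException("not a Type 3 message");
        return new String[] {field(b, 28), field(b, 36), field(b, 44)};
    }
    // Constructed sample message; the LM/NT response buffers (bytes 12..27) are left empty.
    static byte[] sample(String... names) {
        ByteBuffer b = ByteBuffer.allocate(128).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIG).putInt(3);
        int off = 64;
        for (int i = 0; i < names.length; i++) {
            byte[] v = names[i].getBytes(StandardCharsets.UTF_16LE);
            b.putShort(28 + 8 * i, (short) v.length).putShort(30 + 8 * i, (short) v.length);
            b.putInt(32 + 8 * i, off);
            System.arraycopy(v, 0, b.array(), off, v.length);
            off += v.length;
        }
        return b.array();
    }
    public static void main(String[] args) {
        String[] c = parse(sample("EXAMPLE", "alice", "WS1"));
        System.out.println(c[0] + "\\" + c[1] + " from " + c[2] + " (unverified claim)");
        byte[] bad = sample("EXAMPLE", "alice", "WS1");
        bad[40] = (byte) 0xF0;                         // user offset now points past the end
        try { parse(bad); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```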