[jcifs] jcifs

Eric eglass1 at comcast.net
Fri Jun 25 00:43:25 GMT 2004


If you send a page status of 401 and request authentication, the browser 
should pop up a window (since it will assume the previously established 
credentials are no longer valid).  You would do this in a JSP/servlet 
etc. like:

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");

Assuming you're using the NTLM filter, you can just stick this at the 
top of the response (in a JSP page, between "<%" "%>" tags).  The 
browser should give you a domain/username/password prompt.

The JSP snippet below is unnecessary; it basically does what the jCIFS 
filter does for you, with the rather notable exception that it doesn't 
actually authenticate the credentials provided.  The user can send any 
username/password pair and the code below will simply extract the 
username and accept it as valid.  The jCIFS filter authenticates against 
a domain controller by making an SMB connection using the credentials 
provided, which means the end user is actually who they say they are.


Eric


rezza wrote:
> Eric, very big thanks for your info, 
> 
> Btw let's forget about the "Save this password in your password list" 
> option.
> 
> Below, I have an old JSP script on the net, 
> actually I'm deep in web design and not really good in Java,  
> if we could do: request.getHeader("Authorization");
> how to set the header "Authorization" with null value? (clear the session?) 
> and I hope the login form will pop up suddenly??
> 
> rezza
> 
> 
> <% 	
> 	
> 	String auth = request.getHeader("Authorization");
> 	
> 	if (auth == null)
> 	{
>   		response.setStatus(response.SC_UNAUTHORIZED);
>   		response.setHeader("WWW-Authenticate", "NTLM");
>   		response.flushBuffer();
>   		return;
> 	}
> 	if (auth.startsWith("NTLM "))
> 	{
>   		byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
>   		int off = 0, length, offset;
>   		if (msg[8] == 1)
>   		{	// unauthorized
>    			byte z = 0;
>    			byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M',
>    				(byte)'S', (byte)'S', (byte)'P', z, (byte)2, z, z, z, z, z, z, z,
>    				(byte)40, z, z, z, (byte)1, (byte)130, z, z, z, (byte)2, (byte)2, (byte)2,
>    				z, z, z, z, z, z, z, z, z, z, z, z};
>    			response.setHeader("WWW-Authenticate", "NTLM " +
>    				new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
>    			response.sendError(response.SC_UNAUTHORIZED);
> 			return;
>   		}
>   		else if (msg[8] == 3)
>   		{
> 			
>     		off = 30;
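>     		// mask each byte: Java bytes are signed, so values >= 0x80 would go negative
>     		length = (msg[off+17] & 0xFF)*256 + (msg[off+16] & 0xFF);
>     		offset = (msg[off+19] & 0xFF)*256 + (msg[off+18] & 0xFF);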
>     		String remoteHost = new String(msg, offset, length);
> 			String input = remoteHost;
> 			String output = "";
> 			int i= 0;
> 			while (i < (input.length()-(input.length()/2))) 
> 			{
> 				output = output + input.charAt(i*2);
> 				i++;
> 			}
> 			remoteHost = output;
> 			 
>     		length = (msg[off+1] & 0xFF)*256 + (msg[off] & 0xFF);
>     		offset = (msg[off+3] & 0xFF)*256 + (msg[off+2] & 0xFF);
>     		String domain = new String(msg, offset, length);
> 		
> 			input = domain;
> 			output = "";
> 			i= 0;
> 			while (i < (input.length()-(input.length()/2))) 
> 			{
> 				output = output + input.charAt(i*2);
> 				i++;
> 			}
> 			domain = output;
> 
> 			
>    			length = (msg[off+9] & 0xFF)*256 + (msg[off+8] & 0xFF);
>    			offset = (msg[off+11] & 0xFF)*256 + (msg[off+10] & 0xFF);
>    			String usernament = new String(msg, offset, length);
>  			input = usernament;
>  			output = "";
>  			i= 0;
> 			while (i < (input.length()-(input.length()/2))) {
> 				output = output + input.charAt(i*2);
> 				i++;
> 			}
> 			usernament = output;
> 			out.print(domain+"/"+usernament);
> 
> 		}
> 	}
> 
> 
>  %>
> 
> On Wed, 23 Jun 2004 11:12:03 +0000, eglass1 at comcast.net wrote :
> 
>>For information on what determines whether the user will be prompted see:
>>
>>http://jcifs.samba.org/src/docs/ntlmhttpauth.html#transparent
>>
>>You would probably be looking at this from the opposite perspective, as you
>>*want* people to be prompted for login.  The easiest way would likely be
>>to configure the end user's IE options, under security, "Prompt for Username
>>and Password" (default is, I believe, "Automatic Logon only in Intranet zone").
>>This would apply to all applications employing NTLM, however.
>>
>>You could also possibly do some funky things with DNS to do this on a
>>per-application basis (to trick IE into thinking the application is outside the
>>intranet).  You might be able to do this simply by accessing the site via
>>IP address rather than hostname, or use the FQDN (depending on how
>>your zones are set up).
>>
>>Another option would be to modify jCIFS to disable NTLM authentication
>>altogether, then set "jcifs.http.enableBasic" to true.  This will do HTTP
>>Basic authentication only, which will prompt you for credentials.  Note that
>>this should only be used over HTTPS, as Basic is highly insecure.
>>
>>
>>Eric
>>
>>>Hello Guys, 
>>>I'm a new user of jCIFS,
>>>I have implemented jcifs 0.9.2 for Single Sign On and it works great! 
>>>By the way, I have a few questions,
>>>Is there any way or any parameter setting to trigger the samba login form 
>>>to always pop up every time a user accesses crucial web applications? even if the user 
>>>has checked the "Save this password in your password list" option?
>>>The purpose is to increase web applications security when any user 
>>>has forgotten to lock/log off his computer,
>>>
>>>thanks,
>>>K. Rezza
>>>
>>>rezza at websystemarchitech.com
>>>
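
Added example (not part of the original post and not jCIFS code): a bounds-checked Java parser for the Type 3 message the quoted JSP reads, showing that the domain, user and workstation fields are ordinary client-supplied bytes that decode without any credential check. The class name, the `secBuf` helper, the sample values and the assumption that the strings are UTF-16LE belong to this example only.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NtlmType3Fields {
    // Security buffers in a Type 3 message: length(2), allocated(2), offset(4).
    static final int DOMAIN = 28, USER = 36, WORKSTATION = 44;

    static String field(byte[] msg, int pos) {
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int len = b.getShort(pos) & 0xFFFF;          // read as unsigned
        long off = b.getInt(pos + 4) & 0xFFFFFFFFL;
        if (off + len > msg.length)
            throw new IllegalArgumentException("security buffer outside message");
        return new String(msg, (int) off, len, StandardCharsets.UTF_16LE); // UTF-16LE assumed
    }

    static String[] parse(String header) {
        if (header == null || !header.startsWith("NTLM "))
            throw new IllegalArgumentException("not an NTLM Authorization header");
        byte[] msg = Base64.getDecoder().decode(header.substring(5).trim());
        if (msg.length < 52 || msg[8] != 3
                || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0"))
            throw new IllegalArgumentException("not a Type 3 message");
        return new String[] { field(msg, DOMAIN), field(msg, USER), field(msg, WORKSTATION) };
    }

    // Example-only helper: writes one security buffer plus payload, returns the next offset.
    static int secBuf(ByteBuffer m, int pos, String s, int off) {
        byte[] d = s.getBytes(StandardCharsets.UTF_16LE);
        m.putShort(pos, (short) d.length).putShort(pos + 2, (short) d.length).putInt(pos + 4, off);
        m.position(off);
        m.put(d);
        return off + d.length;
    }

    public static void main(String[] args) {
        // Constructed sample: name fields only; the LM/NT response buffers stay empty.
        ByteBuffer m = ByteBuffer.allocate(128).order(ByteOrder.LITTLE_ENDIAN);
        m.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3);
        int off = secBuf(m, DOMAIN, "EXAMPLE", 64);
        off = secBuf(m, USER, "anyone", off);
        secBuf(m, WORKSTATION, "WS1", off);
        // The names decode, yet nothing has shown the caller knows a password.
        String hdr = "NTLM " + Base64.getEncoder().encodeToString(m.array());
        System.out.println(String.join("/", parse(hdr)));
    }
}
```

The parsed names are only a claim; they become an identity once the Type 3 response has been validated against a domain controller, which is the step the jCIFS filter performs and the quoted JSP skips.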



