[jcifs] jcifs

rezza rezza at websystemarchitech.com
Fri Jun 25 09:54:33 GMT 2004


Thanks Eric,
I have tried this code using the jcifs 0.9.2 NTLM Filter by copying the
jcifs 0.9.2 jar file into web-inf/lib, inserting the filter code into
web.xml and executing this:
<%

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");

out.print("done");

%>

The browser gives me a domain/username/password prompt, but it always appears 
again although my password is correct; I have to enter it in the third prompt 
and then it will be authenticated. How can I capture that the password has been 
authenticated in the first prompt? 

-rezza-

On Thu, 24 Jun 2004 20:43:25 -0400, Eric <eglass1 at comcast.net> wrote :

> If you send a page status of 401 and request authentication, the browser 
> should pop up a window (since it will assume the previously established 
> credentials are no longer valid).  You would do this in a JSP/servlet 
> etc. like:
> 
> response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> response.setHeader("WWW-Authenticate", "NTLM");
> 
> Assuming you're using the NTLM filter, you can just stick this at the 
> top of the response (in a JSP page, between "<%" "%>" tags).  The 
> browser should give you a domain/username/password prompt.
> 
> The JSP snippet below is unnecessary; it basically does what the jCIFS 
> filter does for you, with the rather notable exception being it doesn't 
> actually authenticate the credentials provided.  The user can send any 
> username/password pair and the code below will simply extract the 
> username and accept it as valid.  The jCIFS filter authenticates against 
> a domain controller by making an SMB connection using the credentials 
> provided, which means the end user is actually who they say they are.
> 
> 
> Eric
> 
> 
> rezza wrote:
> > Eric, very big thanks for your info, 
> > 
> > Btw let's forget about the "Save this password in your password list" 
> > option.
> > 
> > Below, I have an old JSP script from the net, 
> > actually I'm deep in web design and not really good at Java,  
> > if we could do: request.getHeader("Authorization");
> > how to set the header "Authorization" with null value? (clear the session?) 
> > and I hope the login form will pop up suddenly??
> > 
> > rezza
> > 
> > 
> > <% 	
> > 	
> > 	String auth = request.getHeader("Authorization");
> > 	
> > 	if (auth == null)
> > 	{
> >   		response.setStatus(response.SC_UNAUTHORIZED);
> >   		response.setHeader("WWW-Authenticate", "NTLM");
> >   		response.flushBuffer();
> >   		return;
> > 	}
> > 	if (auth.startsWith("NTLM "))
> > 	{
> >   		byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
> >   		int off = 0, length, offset;
> >   		if (msg[8] == 1)
> >   		{	// unauthorized
> >    			byte z = 0;
> >    			byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,
> >    				(byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z, (byte)1, (byte)130, z, z,
> >    				z, (byte)2, (byte)2, (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
> >    			response.setHeader("WWW-Authenticate", "NTLM " + new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
> >    			response.sendError(response.SC_UNAUTHORIZED);
> > 			return;
> >   		}
> >   		else if (msg[8] == 3)
> >   		{
> > 			
> >     		off = 30;
> >     		length = (msg[off+17] & 0xff)*256 + (msg[off+16] & 0xff);	// mask: Java bytes are signed
> >     		offset = (msg[off+19] & 0xff)*256 + (msg[off+18] & 0xff);
> >     		String remoteHost = new String(msg, offset, length);
> > 			String input = remoteHost;
> > 			String output = "";
> > 			int i= 0;
> > 			while (i < (input.length()-(input.length()/2))) 
> > 			{
> > 				output = output + input.charAt(i*2);
> > 				i++;
> > 			}
> > 			remoteHost = output;
> > 			 
> >     		length = (msg[off+1] & 0xff)*256 + (msg[off] & 0xff);	// mask: Java bytes are signed
> >     		offset = (msg[off+3] & 0xff)*256 + (msg[off+2] & 0xff);
> >     		String domain = new String(msg, offset, length);
> > 		
> > 			input = domain;
> > 			output = "";
> > 			i= 0;
> > 			while (i < (input.length()-(input.length()/2))) 
> > 			{
> > 				output = output + input.charAt(i*2);
> > 				i++;
> > 			}
> > 			domain = output;
> > 
> > 			
> >    			length = (msg[off+9] & 0xff)*256 + (msg[off+8] & 0xff);	// mask: Java bytes are signed
> >    			offset = (msg[off+11] & 0xff)*256 + (msg[off+10] & 0xff);
> >    			String usernament = new String(msg, offset, length);
> >  			input = usernament;
> >  			output = "";
> >  			i= 0;
> > 			while (i < (input.length()-(input.length()/2))) {
> > 				output = output + input.charAt(i*2);
> > 				i++;
> > 			}
> > 			usernament = output;
> > 			out.print(domain+"/"+usernament);
> > 
> > 		}
> > 	}
> > 
> > 
> >  %>
> > 
> > On Wed, 23 Jun 2004 11:12:03 +0000, eglass1 at comcast.net wrote :
> > 
> > 
> >>For information on what determines whether the user will be prompted see:
> >>
> >>http://jcifs.samba.org/src/docs/ntlmhttpauth.html#transparent
> >>
> >>You would probably be looking at this from the opposite perspective, as you
> >>*want* people to be prompted for login.  The easiest way would likely be
> >>to configure the end user's IE options, under security, "Prompt for Username
> >>and Password" (default is, I believe, "Automatic Logon only in Intranet zone").
> >>This would apply to all applications employing NTLM, however.
> >>
> >>You could also possibly do some funky things with DNS to do this on a
> >>per-application basis (to trick IE into thinking the application is outside the
> >>intranet).  You might be able to do this simply by accessing the site via
> >>IP address rather than hostname, or use the FQDN (depending on how
> >>your zones are set up).
> >>
> >>Another option would be to modify jCIFS to disable NTLM authentication
> >>altogether, then set "jcifs.http.enableBasic" to true.  This will do HTTP
> >>Basic authentication only, which will prompt you for credentials.  Note that
> >>this should only be used over HTTPS, as Basic is highly insecure.
> >>
> >>
> >>Eric
> >>
> >>
> >>
> >>>Hello Guys, 
> >>>I'm a new user of JCIFS,
> >>>I have implemented jcifs 0.9.2 for Single Sign On and it works great! 
> >>>By the way, I have a few questions,
> >>>Is there any way or any parameter setting to trigger the samba login form 
> >>>to always pop up every time a user accesses crucial web applications? even 
> >>>if the user has checked the "Save this password in your password list" option?
> >>>The purpose is to increase web application security when any user 
> >>>has forgotten to lock/log off his computer,
> >>>
> >>>thanks,
> >>>K. Rezza
> >>>
> >>>rezza at websystemarchitech.com
> >>>
> >>
> >>
> >>
> > 
> 
> 
> 
> 
> 
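
Added example (not part of the original thread and not jCIFS code): a bounds-checked reader for the Type 3 fields that the quoted JSP extracts, run on a constructed message whose LM/NT responses are empty, to show that the parsed name is only what the client claims and that verification still has to happen elsewhere, as the jCIFS filter does against a domain controller. The class and method names are hypothetical; it uses java.util.Base64 rather than sun.misc and assumes the flags field is present at offset 60.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class NtlmType3Fields {
    static final byte[] SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    // Read one security buffer: 2-byte length, 2-byte allocated size, 4-byte offset (little-endian).
    static String field(byte[] m, int pos, boolean unicode) {
        int len = (m[pos] & 0xff) | (m[pos + 1] & 0xff) << 8;   // mask: Java bytes are signed
        int off = ByteBuffer.wrap(m, pos + 4, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
        if (off < 0 || len > m.length - off)
            throw new IllegalArgumentException("security buffer points outside the message");
        return new String(m, off, len, unicode ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII);
    }

    // Returns {domain, user, workstation} exactly as the client asserted them.
    // Nothing here checks the LM/NT responses, so the result is a claim, not an authenticated identity.
    static String[] claimedIdentity(String header) {
        if (header == null || !header.startsWith("NTLM "))
            throw new IllegalArgumentException("not an NTLM Authorization header");
        byte[] m = Base64.getDecoder().decode(header.substring(5).trim());
        // Assumption: the 4-byte flags field at offset 60 is present (message is at least 64 bytes).
        if (m.length < 64 || !Arrays.equals(Arrays.copyOf(m, 8), SIG) || m[8] != 3)
            throw new IllegalArgumentException("not an NTLM Type 3 message");
        boolean unicode = (m[60] & 0x01) != 0;                    // NTLMSSP_NEGOTIATE_UNICODE
        return new String[] { field(m, 28, unicode), field(m, 36, unicode), field(m, 44, unicode) };
    }

    public static void main(String[] args) {
        // Constructed sample: claims CORP\alice on WS01; LM, NT and session-key buffers are empty.
        byte[][] parts = { {}, {}, u("CORP"), u("alice"), u("WS01"), {} };
        ByteBuffer b = ByteBuffer.allocate(64 + 26).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIG).putInt(3);
        int off = 64;
        for (byte[] p : parts) {
            b.putShort((short) p.length).putShort((short) p.length).putInt(off);
            off += p.length;
        }
        b.putInt(0x201);                                          // UNICODE | NTLM flags
        for (byte[] p : parts) b.put(p);
        String[] id = claimedIdentity("NTLM " + Base64.getEncoder().encodeToString(b.array()));
        System.out.println(id[0] + "\\" + id[1] + " from " + id[2] + " (claimed, not verified)");
    }

    static byte[] u(String s) { return s.getBytes(StandardCharsets.UTF_16LE); }
}
```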

