[jcifs] jcifs

eglass1 at comcast.net eglass1 at comcast.net
Fri Jun 25 17:03:49 GMT 2004


Yes, you're right; this is kind of a funky process flow.  Try putting this in
"logout.jsp" (also change the Refresh line to reflect the proper front page):


<%
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (int i = cookies.length - 1; i >= 0; i--) {
            if ("logout".equals(cookies[i].getName())) {
                // user is back
                if ("1".equals(cookies[i].getValue())) {
                    // first visit back, needs to happen
                    // again to prompt.
                    try {
                        session.invalidate();
                    } catch (IllegalStateException ignore) { }
                    cookies[i].setValue("2");
                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    response.setHeader("WWW-Authenticate", "NTLM");
                } else {
                    // remove the cookie
                    cookies[i].setMaxAge(0);
                    // send them to the front page.
                    response.setHeader("Refresh", "0; URL=index.jsp");
                }
                response.addCookie(cookies[i]);
                return;
            }
        }
    }
    try {
        // remove the user's session
        session.invalidate();
    } catch (IllegalStateException ignore) { }
    // flag logout
    response.addCookie(new Cookie("logout", "1"));
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
%>


This clears the session, and notifies the browser that authentication is
required.  It also sets a cookie "logout" to 1.  The first time, the browser
will silently attempt to reauthenticate with the current credentials.  This
sees the logout=1 cookie, reclears the (brand new) session, and sets
logout=2.  This time, the browser will prompt for new credentials (since
the current ones are now known to be bad).  The page sees logout=2,
removes the logout cookie, and redirects the client to the front page
of the application.

Note that this still doesn't prevent the user from simply hitting "cancel" at
the login prompt and manually going back to the application front page
(where they will be silently authenticated right back in).  You would have
to jump through some fairly strange hoops to do that.   Effectively, you're
accepting only every other login attempt (failing the first, and accepting the
second, etc.).  This is a fairly odd use case for a single sign-on environment
(as the whole idea is typically a single sign-on, without manual reentry of
credentials).


Eric


> Thanks Eric,
> I have tried this code using the jcifs 0.9.2 NTLM Filter by
> copying the jcifs 0.9.2 jar file into web-inf/lib, inserting the filter code
> into web.xml and executing this:
> <%
> 
> response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> response.setHeader("WWW-Authenticate", "NTLM");
> 
> out.print("done");
> 
> %>
> 
> The browser gives me a domain/username/password prompt but it always appears
> again although my password is correct; I have to enter it at the third prompt
> and then it is authenticated. How do I detect that the password has been
> authenticated at the first prompt?
> 
> -rezza-
> 
> On Thu, 24 Jun 2004 20:43:25 -0400, Eric <eglass1 at comcast.net> wrote :
> 
> > If you send a page status of 401 and request authentication, the browser 
> > should pop up a window (since it will assume the previously established 
> > credentials are no longer valid).  You would do this in a JSP/servlet 
> > etc. like:
> > 
> > response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> > response.setHeader("WWW-Authenticate", "NTLM");
> > 
> > Assuming you're using the NTLM filter, you can just stick this at the 
> > top of the response (in a JSP page, between "<%" "%>" tags).  The 
> > browser should give you a domain/username/password prompt.
> > 
> > The JSP snippet below is unnecessary; it basically does what the jCIFS 
> > filter does for you, with the rather notable exception being it doesn't 
> > actually authenticate the credentials provided.  The user can send any 
> > username/password pair and the code below will simply extract the 
> > username and accept it as valid.  The jCIFS filter authenticates against 
> > a domain controller by making an SMB connection using the credentials 
> > provided, which means the end user is actually who they say they are.
> > 
> > 
> > Eric
> > 
> > 
> > rezza wrote:
> > > Eric, very big thanks for your info, 
> > > 
> > > Btw let's forget about the "Save this password in your password list" 
> > > option.
> > > 
> > > Below, I have an old jsp script from the net;
> > > actually I'm deep in webdesign and not really good in java.
> > > If we could do: request.getHeader("Authorization");
> > > how do we set the header "Authorization" to a null value (clear the
> > > session?), and I hope the login form will pop up immediately?
> > > 
> > > rezza
> > > 
> > > 
> > > <%
> > >     String auth = request.getHeader("Authorization");
> > > 
> > >     if (auth == null)
> > >     {
> > >         // no credentials yet: ask the browser to start NTLM
> > >         response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> > >         response.setHeader("WWW-Authenticate", "NTLM");
> > >         response.flushBuffer();
> > >         return;
> > >     }
> > >     if (auth.startsWith("NTLM "))
> > >     {
> > >         byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
> > >         int off = 0, length, offset;
> > >         if (msg[8] == 1)
> > >         {   // Type 1 (negotiate): answer with a fixed Type 2 challenge
> > >             byte z = 0;
> > >             byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,
> > >                            (byte)2, z, z, z, z, z, z, z,
> > >                            (byte)40, z, z, z, (byte)1, (byte)130, z, z, z, (byte)2, (byte)2, (byte)2,
> > >                            z, z, z, z, z, z, z, z, z, z, z, z};
> > >             response.setHeader("WWW-Authenticate", "NTLM " + new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
> > >             response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
> > >             return;
> > >         }
> > >         else if (msg[8] == 3)
> > >         {
> > >             // Type 3 (authenticate): only the name fields are read out;
> > >             // the response hashes are never verified
> > >             off = 30;
> > >             length = msg[off+17]*256 + msg[off+16];
> > >             offset = msg[off+19]*256 + msg[off+18];
> > >             String remoteHost = new String(msg, offset, length);
> > >             String input = remoteHost;
> > >             String output = "";
> > >             int i = 0;
> > >             // keep every other character: crude UTF-16LE to ASCII
> > >             while (i < (input.length()-(input.length()/2)))
> > >             {
> > >                 output = output + input.charAt(i*2);
> > >                 i++;
> > >             }
> > >             remoteHost = output;
> > > 
> > >             length = msg[off+1]*256 + msg[off];
> > >             offset = msg[off+3]*256 + msg[off+2];
> > >             String domain = new String(msg, offset, length);
> > > 
> > >             input = domain;
> > >             output = "";
> > >             i = 0;
> > >             while (i < (input.length()-(input.length()/2)))
> > >             {
> > >                 output = output + input.charAt(i*2);
> > >                 i++;
> > >             }
> > >             domain = output;
> > > 
> > >             length = msg[off+9]*256 + msg[off+8];
> > >             offset = msg[off+11]*256 + msg[off+10];
> > >             String username = new String(msg, offset, length);
> > >             input = username;
> > >             output = "";
> > >             i = 0;
> > >             while (i < (input.length()-(input.length()/2)))
> > >             {
> > >                 output = output + input.charAt(i*2);
> > >                 i++;
> > >             }
> > >             username = output;
> > >             out.print(domain+"/"+username);
> > >         }
> > >     }
> > > %>
> > > 
> > > On Wed, 23 Jun 2004 11:12:03 +0000, eglass1 at comcast.net wrote :
> > > 
> > >>For information on what determines whether the user will be prompted see:
> > >>
> > >>http://jcifs.samba.org/src/docs/ntlmhttpauth.html#transparent
> > >>
> > >>You would probably be looking at this from the opposite perspective, as you
> > >>*want* people to be prompted for login.  The easiest way would likely be
> > >>to configure the end user's IE options, under security, "Prompt for Username
> > >>and Password" (default is, I believe, "Automatic Logon only in Intranet zone").
> > >>This would apply to all applications employing NTLM, however.
> > >>
> > >>You could also possibly do some funky things with DNS to do this on a
> > >>per-application basis (to trick IE into thinking the application is outside the
> > >>intranet).  You might be able to do this simply by accessing the site via
> > >>IP address rather than hostname, or use the FQDN (depending on how
> > >>your zones are set up).
> > >>
> > >>Another option would be to modify jCIFS to disable NTLM authentication
> > >>altogether, then set "jcifs.http.enableBasic" to true.  This will do HTTP
> > >>Basic authentication only, which will prompt you for credentials.  Note that
> > >>this should only be used over HTTPS, as Basic is highly insecure.
> > >>
> > >>
> > >>Eric
> > >>
> > >>
> > >>
> > >>>Hello Guys,
> > >>>I'm a new user of JCIFS.
> > >>>I have implemented jcifs 0.9.2 for Single Sign On and it works great!
> > >>>By the way, I have a few questions.
> > >>>Is there any way or any parameter setting to make the samba login form
> > >>>always pop up every time a user accesses crucial web applications, even if
> > >>>the user has checked the "Save this password in your password list" option?
> > >>>The purpose is to increase web application security when any user has
> > >>>forgotten to lock/log off his computer.
> > >>>
> > >>>thanks,
> > >>>K. Rezza
> > >>>
> > >>>rezza at websystemarchitech.com
> > >>>
> > >>
> > >>
> > >>
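The two-pass logout flow from Eric's reply at the top of the thread, rewritten as a servlet so that the cookie decision is a plain function that can be unit-tested and the cookie carries an explicit path (a cookie set without one from /app/logout.jsp defaults to /app/, and a later Max-Age=0 from a different path will not delete it). This is an added example, not code from the jCIFS project or from anyone in the thread; the class name, the /index.jsp front page, and the use of Cookie.setHttpOnly (Servlet 3.0 or later) are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet form of the two-pass NTLM logout (added example, not jCIFS code).
 * Assumes the jCIFS NtlmHttpFilter is mapped in front of this servlet, so every
 * request arrives already (re)authenticated by the browser's cached credentials.
 *
 * State lives in one cookie, LOGOUT_COOKIE:
 *   absent -> "1" : drop session, send 401 + WWW-Authenticate: NTLM
 *                   (the browser silently retries with its cached credentials)
 *   "1"    -> "2" : drop the brand-new session, send 401 again
 *                   (the cached credentials now look bad, so the browser prompts)
 *   "2"    -> gone: delete the cookie and send the user to FRONT_PAGE
 *                   (the session the filter just built holds whatever was typed)
 */
public class NtlmLogoutServlet extends HttpServlet {

    static final String LOGOUT_COOKIE = "logout";
    static final String FRONT_PAGE = "/index.jsp";   // assumed front page, relative to the context

    /** The three steps, separated from servlet plumbing so the decision is testable. */
    enum Step { FIRST_401, SECOND_401, FINISH }

    /** Pure decision: given the current logout cookie value (null if absent), pick the next step. */
    static Step nextStep(String cookieValue) {
        if (cookieValue == null) {
            return Step.FIRST_401;
        }
        if ("1".equals(cookieValue)) {
            return Step.SECOND_401;
        }
        // "2", or any stale/unexpected value: stop rather than loop the user through 401s
        return Step.FINISH;
    }

    private static Cookie findLogoutCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (LOGOUT_COOKIE.equals(c.getName())) {
                return c;
            }
        }
        return null;
    }

    /** Build the logout cookie with a fixed path so that set and delete refer to the same cookie. */
    private static Cookie logoutCookie(HttpServletRequest req, String value, int maxAge) {
        Cookie c = new Cookie(LOGOUT_COOKIE, value);
        String ctx = req.getContextPath();
        c.setPath(ctx.isEmpty() ? "/" : ctx);
        c.setHttpOnly(true);   // Servlet 3.0+ (assumption); page scripts never need this flag
        c.setMaxAge(maxAge);   // -1 = until the browser closes, 0 = delete now
        return c;
    }

    private static void dropSession(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            try {
                s.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // the session is already gone; nothing to do
            }
        }
    }

    /** The same challenge the JSP above sends; the short body avoids a blank 401 page. */
    private static void challenge(HttpServletResponse resp) throws IOException {
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setHeader("WWW-Authenticate", "NTLM");
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain");
        resp.getWriter().print("Logging out...");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Cookie existing = findLogoutCookie(req);
        Step step = nextStep(existing == null ? null : existing.getValue());
        switch (step) {
            case FIRST_401:
                dropSession(req);
                resp.addCookie(logoutCookie(req, "1", -1));
                challenge(resp);
                break;
            case SECOND_401:
                dropSession(req);
                resp.addCookie(logoutCookie(req, "2", -1));
                challenge(resp);
                break;
            default:
                // FINISH: keep the session the filter built from the freshly typed credentials
                resp.addCookie(logoutCookie(req, "", 0));
                resp.sendRedirect(req.getContextPath() + FRONT_PAGE);
                break;
        }
    }
}
```

Map the servlet (for example to /logout) behind the same filter mapping as the rest of the application. The caveat in Eric's reply applies unchanged: if the user cancels the prompt at the second step, the "2" cookie stays until the browser closes, and the next visit to /logout will only clear it and redirect rather than prompt again; a second visit then restarts the dance.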

