[jcifs] NTLM authorisation

eglass1 at comcast.net eglass1 at comcast.net
Fri Mar 5 09:48:52 GMT 2004

> Users authenticated through the NTLM HTTP filter will be subject to the
> constraints of groups. But you cannot manipulate groups. You might be able
> to work out something with the jcifs-rap version.

The rap version of the filter has (fairly untested, experimental, etc.)
support for this.  It overrides the standard servlet request isUserInRole()
method to determine if the user is in the requested group, so you should
be able to do:

    boolean isMember = request.isUserInRole("myWindowsGroup");

NtlmPasswordAuthentication in the rap package also has a getGroups() method
which returns a string array containing the domain groups in which the
account has membership.

You'll have to set the "jcifs.smb.client.domain", "jcifs.smb.client.username",
and "jcifs.smb.client.password" properties to specify the credentials used to
lookup the group information.  This account will be used to connect to the
PDC and pull down the list of groups for the authenticated user (since this
is potentially a separate connection to a different server, the password is
needed to authenticate the independent connection).

> I don't know anything about roles in Windows. Didn't even know Windows had
> roles.

I think he's referring to roles as used in the servlet framework (the
logical equivalent of a windows group in our scenario).


More information about the jcifs mailing list