[jcifs] JCIFS and Locked NT Accounts

Michael B Allen mba2000 at ioplex.com
Thu Oct 14 21:19:28 GMT 2004

Mark Lassiter said:
> We have implemented a JAAS login module for JBoss using JCIFS to
> authenticate the user with their NT account.  It works great and we're
> very happy.
> The only problem we've encountered is that it does not appear to fail when
> the NT account is locked out (due to too many failed attempts).
> Does JCIFS respect the NT lockouts or would we have to implement something
> ourselves?  Or could it be that our domain controller simply wasn't
> updated?

If a user successfully authenticates, the credentials are stored in the
http session as the attribute "NtlmHttpAuth". As long as that attribute is
there, the filter will not authenticate the client again. The user will
effectively have access until their session expires.

The only way to make account lockouts take effect immediately is to
comment out the setAttribute call to force the filter to reauthenticate
the client with each request, but that will affect performance.

You could add some kind of expiration to this caching and remove the
attribute after that configurable amount of time. Or perhaps you can reduce
the HTTP session expiration to achieve the same effect.
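
Added example (not part of the original message and not jCIFS code): one way to implement the expiration suggested above, as a servlet filter mapped ahead of the NTLM filter. The class name NtlmAuthExpiryFilter, the NtlmHttpAuthSeen attribute, the maxAuthAgeSeconds init-param and the 5-minute default are assumptions; only the "NtlmHttpAuth" attribute name comes from the message.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not jCIFS code. Map it BEFORE the NTLM filter in web.xml.
public class NtlmAuthExpiryFilter implements Filter {
    private static final String AUTH_ATTR = "NtlmHttpAuth";      // named in the message
    private static final String SEEN_ATTR = "NtlmHttpAuthSeen";  // hypothetical timestamp
    private long maxAgeMillis = 5 * 60 * 1000L;                   // assumed default: 5 min

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String s = cfg.getInitParameter("maxAuthAgeSeconds");    // hypothetical init-param
        if (s == null) return;
        try {
            maxAgeMillis = Long.parseLong(s.trim()) * 1000L;
        } catch (NumberFormatException e) {
            throw new ServletException("maxAuthAgeSeconds must be an integer", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        if (session != null && session.getAttribute(AUTH_ATTR) != null) {
            Long seen = (Long) session.getAttribute(SEEN_ATTR);
            if (seen == null || System.currentTimeMillis() - seen >= maxAgeMillis) {
                // Stale or untracked: drop the cached credentials so the NTLM filter
                // reauthenticates the client and an account lockout takes effect.
                session.removeAttribute(AUTH_ATTR);
                session.removeAttribute(SEEN_ATTR);
            }
        }
        chain.doFilter(req, res);
        try {
            session = http.getSession(false);
            // Stamp credentials that the NTLM filter cached during this request.
            if (session != null && session.getAttribute(AUTH_ATTR) != null
                    && session.getAttribute(SEEN_ATTR) == null) {
                session.setAttribute(SEEN_ATTR, Long.valueOf(System.currentTimeMillis()));
            }
        } catch (IllegalStateException e) {
            // Session was invalidated downstream; nothing left to expire.
        }
    }

    @Override
    public void destroy() { }
}
```

The maximum age bounds how long a locked-out account keeps access through an existing session; a shorter value narrows that window at the cost of more frequent reauthentication.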