[jcifs] NTLM Auth, custom login page

Scovetta, Michael V Michael.Scovetta at ca.com
Wed Oct 20 16:35:29 GMT 2004 

Two choices:
#1. Have the browser send a different user-agent:
For IE:
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
	\5.0\User Agent

	Create three new string values called "Compatible", "Version" and 	"Platform". Set them to equal what you would like to be displayed 	instead of "compatible", "MSIE 5.5" and "Windows NT 5.0" respectively 	in the example above.
For Firefox:
	Go to the URL: about:config
	Create a new setting called: general.useragent.override
	Type in whatever user-agent string you want.

I'm sure that other browsers have similar capabilities.

#2. Modify the request inbound to the app server.

For Apache, for instance, you should be able to intercept the request before it goes to mod_jk, rewrite the user-agent, and pass it along. You could also hack up jcifs to allow an "override-user-agent" config setting.

If requests went through a proxy server, you could rewrite the user-agent strings there too, but that might prove more difficult.

Hope that helps--

Mike Scovetta


-----Original Message-----
From: Laurent Michenaud [mailto:lmichenaud at adeuza.fr] 
Sent: Wednesday, October 20, 2004 12:24 PM
To: Scovetta, Michael V
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLM Auth, custom login page

I think that Oracle SSO uses the user-agent.

With IE, automatic authentification activated => i am logged and we can 
see a 401 status code in the Apache log
With IE, automatic authentification desactivated => i've got the login 
dialog box of the browser and we can see a 401 status code in the Apache log
With Firefox => i am redirected to the sso login page and there is no 
401 status code in the Apache log

Is there any way to "crack" the user-agent property in the browser so 
that, for example, the sso server believes it is IE instead of firefox ?

Scovetta, Michael V a écrit :

>I think the problem is that browsers do not announce the fact that they do silent vs. non-silent authentication. That's an application-level event-- there's simply nothing to pass to the client to have them do it, and from the server's point of view, when the auth comes back, it looks identical whether it comes from IE or firefox.
>
>I may be wrong, of course-- someone please correct me if I am...
>
>Thanks--
>M
>
>-----Original Message-----
>From: Laurent Michenaud [mailto:lmichenaud at adeuza.fr] 
>Sent: Wednesday, October 20, 2004 10:49 AM
>To: Scovetta, Michael V
>Cc: jcifs at lists.samba.org
>Subject: Re: [jcifs] NTLM Auth, custom login page
>
>I think it is not the clean way.
>
>In the NTLM process, at which step u know that the browser doesnot 
>support silent login ?
>
>The best from my point of view would be to have in the jcifs properties 
>something like :
>jcifs.redirect.login.url = http://mywebapp/login.jsp
>
>This page would be called when browser silent login fails.
>The login page may submit the login/password value to a jcifs servlet 
>that will do NTLM authentification.
>
>It is a kind of feature request ;)
>
>Scovetta, Michael V a écrit :
>
>  
>
>>Laurent,
>>
>>If you either add a filter before jcifs or modify the jcifs filter, you
>>can make a choice depending on the user-agent passed in the headers.
>>It's not fool-proof, but you should be able to get pretty accurate. A
>>list of user-agents is here:
>>	http://www.zytrax.com/tech/web/browser_ids.htm
>>
>>Mike
>>
>>-----Original Message-----
>>From: jcifs-bounces+michael.scovetta=ca.com at lists.samba.org
>>[mailto:jcifs-bounces+michael.scovetta=ca.com at lists.samba.org] On Behalf
>>Of Laurent Michenaud
>>Sent: Wednesday, October 20, 2004 7:52 AM
>>To: jcifs at lists.samba.org
>>Subject: [jcifs] NTLM Auth, custom login page
>>
>>Hi,
>>
>>I've tested the NTLM auth example and it works great with IE.
>>The user is automatically identified.
>>I have tested with Firefox and i've got the traditionnal login/password 
>>dialog
>>box.
>>
>>What i would like is, if the browser ( like firefox ) doesnot support 
>>"silent login" like
>>IE, to redirect to a custom login page so that the user can
>>authentified.
>>
>>Is it possible to configure that with jcifs ?
>>
>>Thanks
>>
>>
>>
>> 
>>
>>    
>>
>
>
>
>
>  
>

More information about the jcifs mailing list