[jcifs] NTLM HTTP Filter Authenticates All Users Regardless of JCIFSACL Permissions

John Fletcher jfletcher at latitudegeo.com
Tue Oct 26 23:19:26 GMT 2004 

jCIFS version: 1.1.0
OS: Windows XP Pro SP1
Servlet Container: Tomcat 5.0.28
JDK: 1.4.2_05
 
I have set up the NtlmHttpFilter on Tomcat to filter all requests on a local context.  The relevant information from the web.xml is as follows:

<filter>      
      <filter-name>NtlmHttpFilter</filter-name>
      <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

      <init-param>
          <param-name>jcifs.http.domainController</param-name>
          <param-value>192.168.60.106</param-value>
      </init-param>
      <init-param>
          <param-name>jcifs.smb.client.logonShare</param-name>
          <param-value>JCIFSACL</param-value>
      </init-param>
</filter>

<filter-mapping>
      <filter-name>NtlmHttpFilter</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

JCIFSACL is a share on 192.168.60.106 (my local machine).  The network share properties allow access to only one local user (let's call that user postgres :) ).

The problem is that all valid users (local users and domain users) are authenticated, not just postgres.  The filter will appropriately deny access using Firefox if the postgres username / password credentials are entered incorrectly, so it seems to be working on that level.  However, I can enter the username / password for any valid local user, and that user will be allowed through even though that user does not have access to browse to the JCIFSACL share (confirmed with Windows Explorer).  Even more strange is that any valid domain user is allowed through as well, in both IE (no prompt) and Firefox (prompt).

I have tried accessing the protected context from localhost as well as from a different computer on the network, with the same results.  I have also disabled the local Guest account.

I'm sorry if the answer is painfully obvious.  I've done lots of research on the site and the message archives, honest!

Any help is appreciated.  For those who might find the logs relevant, I'm including some of them (from a run where debug was set to "99") at the end here.  This is from the "postgres" user successful login which should have been denied.

Thanks for any help.

John

******** LOG FILE SNIP ********

session established ok with 0.0.0.0<00>/192.168.60.106
requesting negotiation with 0.0.0.0<00>/192.168.60.106
SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=The operation completed successfully.,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=5803,uid=0,mid=1,wordCount=0,byteCount=12,wordCount=0,dialects=NT LM 0.12]
00000: 00 00 00 2F FF 53 4D 42 72 00 00 00 00 18 03 C0  |.../ÿSMBr......À|
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AB 16  |..............«.|
00020: 00 00 01 00 00 0C 00 02 4E 54 20 4C 4D 20 30     |........NT LM 0 |

new data read from socket: 0.0.0.0<00>/192.168.60.106
byteCount=46 but readBytesWireFormat returned 30
SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=true,errorCode=The operation completed successfully.,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=5803,uid=0,mid=1,wordCount=17,byteCount=46,wordCount=17,dialectIndex=0,securityMode=0x3,security=user,encryptedPasswords=true,maxMpxCount=10,maxNumberVcs=1,maxBufferSize=4356,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0000E3FD,serverTime=Tue Oct 26 16:14:44 PDT 2004,serverTimeZone=420,encryptionKeyLength=8,byteCount=46,encryptionKey=0xB44C171B1FD14EE0,oemDomainName=LATITUDEGEO]
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
00010: 00 00 00 00 00 00 00 00 00 00 AB 16 00 00 01 00  |..........«.....|
00020: 11 00 00 03 0A 00 01 00 04 11 00 00 00 00 01 00  |................|
00030: 00 00 00 00 FD E3 00 00 CF 7E 04 94 B1 BB C4 01  |....ýã..Ï~..±»Ä.|
00040: A4 01 08 2E 00 B4 4C 17 1B 1F D1 4E E0 4C 00 41  |¤....´L...ÑNàL.A|
00050: 00 54 00 49 00 54 00 55 00 44 00 45 00 47 00 45  |.T.I.T.U.D.E.G.E|
00060: 00 4F 00 00 00 50 00 45 00 45 00 57 00 45 00 45  |.O...P.E.E.W.E.E|
00070: 00 00 00                                         |...             |

treeConnect: unc=\\192.168.60.106\JCIFSACL,service=?????
sessionSetup: accountName=postgres,primaryDomain=
SmbComSessionSetupAndX[command=SMB_COM_SESSION_SETUP_ANDX,received=false,errorCode=The operation completed successfully.,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=5803,uid=0,mid=2,wordCount=13,byteCount=103,andxCommand=0x75,andxOffset=164,snd_buf_size=4356,maxMpxCount=10,VC_NUMBER=1,sessionKey=0,passwordLength=24,unicodePasswordLength=24,capabilities=84,accountName=POSTGRES,primaryDomain=,NATIVE_OS=Windows XP,NATIVE_LANMAN=jCIFS]
SmbComTreeConnectAndX[command=SMB_COM_TREE_CONNECT_ANDX,received=false,errorCode=The operation completed successfully.,flags=0x0018,flags2=0x0000,signSeq=0,tid=0,pid=5803,uid=0,mid=0,wordCount=4,byteCount=59,andxCommand=0xFF,andxOffset=0,disconnectTid=false,passwordLength=1,password=,path=\\192.168.60.106\JCIFSACL,service=?????]
00000: 00 00 00 EA FF 53 4D 42 73 00 00 00 00 18 03 C0  |...êÿSMBs......À|
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AB 16  |..............«.|
00020: 00 00 02 00 0D 75 00 A4 00 04 11 0A 00 01 00 00  |.....u.¤........|
00030: 00 00 00 18 00 18 00 00 00 00 00 54 00 00 00 67  |...........T...g|
00040: 00 40 84 B6 3E F0 38 12 64 F7 03 2B FF 9E 23 8C  |. at .¶>ð8.d÷.+ÿ.#.|
00050: 6E 42 71 0E 90 C5 44 E7 D1 DB 99 BA 1F 64 5A 0A  |nBq..ÅDçÑÛ.º.dZ.|
00060: 9A 06 E8 3F 13 6B A5 3F EE 61 7C 8D 7D BE 94 8E  |..è?.k¥?îa|.}¾..|
00070: 7B 00 50 00 4F 00 53 00 54 00 47 00 52 00 45 00  |{.P.O.S.T.G.R.E.|
00080: 53 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00  |S.....W.i.n.d.o.|
00090: 77 00 73 00 20 00 58 00 50 00 00 00 6A 00 43 00  |w.s. .X.P...j.C.|
000A0: 49 00 46 00 53 00 00 00 04 FF 00 00 00 00 00 01  |I.F.S....ÿ......|
000B0: 00 3B 00 00 5C 00 5C 00 31 00 39 00 32 00 2E 00  |.;..\.\.1.9.2...|
000C0: 31 00 36 00 38 00 2E 00 36 00 30 00 2E 00 31 00  |1.6.8...6.0...1.|
000D0: 30 00 36 00 5C 00 4A 00 43 00 49 00 46 00 53 00  |0.6.\.J.C.I.F.S.|
000E0: 41 00 43 00 4C 00 00 00 3F 3F                    |A.C.L...??      |

new data read from socket: 0.0.0.0<00>/192.168.60.106
SmbComSessionSetupAndXResponse[command=SMB_COM_SESSION_SETUP_ANDX,received=true,errorCode=The operation completed successfully.,flags=0x0098,flags2=0xC003,signSeq=0,tid=2048,pid=5803,uid=2048,mid=2,wordCount=3,byteCount=98,andxCommand=0x75,andxOffset=139,isLoggedInAsGuest=false,nativeOs=Windows 5.1,nativeLanMan=Windows 2000 LAN Manager,primaryDomain=LATITUDEGEO]
SmbComTreeConnectAndXResponse[command=SMB_COM_TREE_CONNECT_ANDX,received=true,errorCode=The operation completed successfully.,flags=0x0098,flags2=0xC003,signSeq=0,tid=2048,pid=5803,uid=2048,mid=2,wordCount=3,byteCount=14,andxCommand=0xFF,andxOffset=162,supportSearchBits=true,shareIsInDfs=false,service=A:,nativeFileSystem=NTFS]
00000: FF 53 4D 42 73 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBs......À....|
00010: 00 00 00 00 00 00 00 00 00 08 AB 16 00 08 02 00  |..........«.....|
00020: 03 75 00 8B 00 00 00 62 00 1C 57 00 69 00 6E 00  |.u.....b..W.i.n.|
00030: 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 31 00  |d.o.w.s. .5...1.|
00040: 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00  |..W.i.n.d.o.w.s.|
00050: 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 00  | .2.0.0.0. .L.A.|
00060: 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 00  |N. .M.a.n.a.g.e.|
00070: 72 00 00 00 4C 00 41 00 54 00 49 00 54 00 55 00  |r...L.A.T.I.T.U.|
00080: 44 00 45 00 47 00 45 00 4F 00 00 03 FF 00 A2 00  |D.E.G.E.O...ÿ.¢.|
00090: 0D 00 0E 00 41 3A 00 00 4E 00 54 00 46 00 53 00  |....A:..N.T.F.S.|
000A0: 00 00                                            |..              |

More information about the jcifs mailing list