[jcifs] Alternating Users

[Michael B Allen]

On Fri, 8 Apr 2005 18:46:38 -0300
Anderson Miranda <anderson.smiranda at gmail.com> wrote:

> Hello,
> 
> I'm using jCIFS v1.1.4 with Tomcat5, running an Webapp "X" that does
> transparent authentication of users through the web browser (IE).
> Everything works great, and I'm pleased to say so!
> 
> How it works? An arbitrary user logs on his windows on his workstation
> over his company, opens the browser, access my webapp
> "http://server/webapp" and then he is "automatically" authenticated
> through the NTLM filter. When the same webapp is accessed outside the
> domain (with an user NOT authenticated over the domain), an dialog box
> appears for the user to enter his domain credentials... PERFECT!
> 
> Now the sad portion: I need to put a link/button/form/page, anything
> that could help me to alternate the current logged user. Something
> that could "logoff" the current user from my webapp, destroy the
> session, and log a new user, without having to actually "logoff the
> user from the windows"... Does anyone knows how could I do that?...
> Could someone gimme a light about this??

Unfortunately this isn't very easy to do (if it can be done at all). The
problem is that once IE negotiates credentials, it remembers them until
you restart the browser. Also, there's no way to interact with the NTLM
HTTP Authentication process using some kind of form programming.

We get this type of question occasionally and I believe the prevailing
answer is to use 'Basic' authentication w/ SSL. Of course that is not
transparent to the user though. With a good understanding of the NTLM
HTTP Authentication protocol [1] you might figure out a way to use a
combination of NTLM and Basic authentication and customize the filter
to trick IE into renegotiating credentials on demand.

Mike

[1] http://jcifs.samba.org/src/docs/ntlmhttpauth.html#proto

-- 
IRC - where men are men, women are men, and the boys are FBI agents.