[jcifs] Multiple LogonShares

[Michael B Allen]

On Tue, 12 Apr 2005 23:18:54 -0400
Pete Arvanitis <pete at petecode.com> wrote:

> 1. Are there any plans on making LOGON_SHARE non-static in a future 
> release? Is it even possible to make it non-static (and will we be able 
> to associate an SmbSession with a particular filter instance?)

The 2.0 branch is going to change how properties are handled such
that some may be non-static. But I don't think that in itself will
help you. For one, the NtlmHttpFilter only negotiates and checks the
credentials against the DC once when the session is established. So if
someone authenticated on one page they could then access the other and
possibly get in even though the associated ACL specifically denied their
access.

> 2. Is there another way to have multiple ACL's using jcifs?

Not really. That wouldn't be the correct technique anyway I
think. The preferred solution for this sort of thing is to use
HttpServletRequest.isUserInRole(). Unfortunately JCIFS mainline does
not retrieve group information necessary to overload this check. The
jcifs-ext branch does but that code might be a little old now. JCIFS
2.0 will have the RPCs necessary to do this [1].

Mike

[1] Actually those RPCs exist and have been demonstrated in the
jarapac/examples so in theory one could make isUserInRole() work properly
but you would have to be pretty hard-core and determined to do it
correctly so that the result is secure and doesn't cause the DC to choke.

-- 
IRC - where men are men, women are men, and the boys are FBI agents.