[jcifs] NTLM filter

Richard Caper rcaper at gmail.com
Wed Dec 7 16:31:02 GMT 2005

This code (or similar) has been floating around on message boards for
years, and is really crap:

1) It doesn't actually authenticate anything.  It just takes whatever
the client sends, parses out username information, and uses that.  The
user can set their options in Internet Explorer to always prompt for
authentication (or use Firefox or another browser that prompts) and
whatever username they specify will come across as the user.  It
doesn't check that they actually are that person (which is the whole
point), so is useless for authentication to a system.  To actually
authenticate the user, you need to pass the challenge and response
between the client and a domain controller (which is what jCIFS does).

2) It hardcodes all the NTLM options, which are supposed to be
negotiated between the client and server.  This will cause
inconsistent behavior across various clients, servers, etc. (which is
almost certainly what you are seeing).  Basically the reason it's not
working is there are (at least) dozens of combinations of flag
settings that can be negotiated between the client and server, and
you're just hardcoding one single permutation.

On 12/7/05, Emmanuel Potvin <emmanuel_potvin at hotmail.com> wrote:
> Hi. My question do not concern directly jdifs, but I think you are the
> people who can understand my problem. In fact, it is a NTLM with j2ee web
> server problem.
> My application security is based on windows domain login. When user login,
> he don't have to enter any credential. The server ask for ntlm
> authentication and log with it. To do that, I created a Filter and added it
> to my application.
> My Filter class name is com.cpa.gare.application.presentation.NtlmFilter. I
> sent the source file as attachment.
> As you can see, the filter return Authentication error to the navigator
> until he gets login information, and he puts them in request attributes
> "adDomain" and "adUserName". (ad is for active directory)
> So I can use these attributes in my servlets to authenticate the user.
> With Jboss, it works perfectly. I got the right information everytime, from
> everywhere. But when I use Oracle OC4J (as I must for my current
> development), I got an error I don't understand... First, instead of just
> get information from explorer, it popup me a login screen as if I use
> Firefox. Second, if I put a user in the login screen, it uses this login
> name. And for the domain name, it take the oracle application server name.
> For example, in my case : as10gmidtier.cpaerp.net (this is not even a domain
> name, this is a server name).
> I really need to solve this problem... If anybody have a clue...
> Emmanuel Potvin

More information about the jcifs mailing list