[jcifs] NTLM filter

Emmanuel Potvin emmanuel_potvin at hotmail.com
Wed Dec 7 19:38:49 GMT 2005

I see... I note it. So I should seriously think about using jcifs...

And what do you think about the fact that mod_jk don't let 401 response pass 
through the client?

----Original Message Follows----
From: Richard Caper <rcaper at gmail.com>
To: Emmanuel Potvin <emmanuel_potvin at hotmail.com>
CC: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLM filter
Date: Wed, 7 Dec 2005 11:31:02 -0500
MIME-Version: 1.0
Received: from zproxy.gmail.com ([]) by 
bay0-mc11-f18.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 7 
Dec 2005 08:31:11 -0800
Received: by zproxy.gmail.com with SMTP id 18so395357nzp        for 
<emmanuel_potvin at hotmail.com>; Wed, 07 Dec 2005 08:31:03 -0800 (PST)
Received: by with SMTP id t3mr1497621nzb;        Wed, 07 Dec 2005 
08:31:02 -0800 (PST)
Received: by with HTTP; Wed, 7 Dec 2005 08:31:02 -0800 (PST)
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPtfpLB7P/ybN8=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;        s=beta; d=gmail.com; 
References: <BAY110-F17BCBCEE06EA856E425D579C430 at phx.gbl>
Return-Path: rcaper at gmail.com
X-OriginalArrivalTime: 07 Dec 2005 16:31:15.0776 (UTC) 

This code (or similar) has been floating around on message boards for
years, and is really crap:

1) It doesn't actually authenticate anything.  It just takes whatever
the client sends, parses out username information, and uses that.  The
user can set their options in Internet Explorer to always prompt for
authentication (or use Firefox or another browser that prompts) and
whatever username they specify will come across as the user.  It
doesn't check that they actually are that person (which is the whole
point), so is useless for authentication to a system.  To actually
authenticate the user, you need to pass the challenge and response
between the client and a domain controller (which is what jCIFS does).

2) It hardcodes all the NTLM options, which are supposed to be
negotiated between the client and server.  This will cause
inconsistent behavior across various clients, servers, etc. (which is
almost certainly what you are seeing).  Basically the reason it's not
working is there are (at least) dozens of combinations of flag
settings that can be negotiated between the client and server, and
you're just hardcoding one single permutation.

On 12/7/05, Emmanuel Potvin <emmanuel_potvin at hotmail.com> wrote:
 > Hi. My question do not concern directly jdifs, but I think you are the
 > people who can understand my problem. In fact, it is a NTLM with j2ee web
 > server problem.
 > My application security is based on windows domain login. When user 
 > he don't have to enter any credential. The server ask for ntlm
 > authentication and log with it. To do that, I created a Filter and added 
 > to my application.
 > My Filter class name is com.cpa.gare.application.presentation.NtlmFilter. 
 > sent the source file as attachment.
 > As you can see, the filter return Authentication error to the navigator
 > until he gets login information, and he puts them in request attributes
 > "adDomain" and "adUserName". (ad is for active directory)
 > So I can use these attributes in my servlets to authenticate the user.
 > With Jboss, it works perfectly. I got the right information everytime, 
 > everywhere. But when I use Oracle OC4J (as I must for my current
 > development), I got an error I don't understand... First, instead of just
 > get information from explorer, it popup me a login screen as if I use
 > Firefox. Second, if I put a user in the login screen, it uses this login
 > name. And for the domain name, it take the oracle application server 
 > For example, in my case : as10gmidtier.cpaerp.net (this is not even a 
 > name, this is a server name).
 > I really need to solve this problem... If anybody have a clue...
 > Emmanuel Potvin

More information about the jcifs mailing list