[jcifs] RE: FW: ntlm_auth integrated with Tomcat5 filter

Michael B Allen mba2000 at ioplex.com
Wed Mar 16 23:43:02 GMT 2005


Brian Moran said:
> Sorry, I misremembered when typing the original message - I mean
> jcifs.http.NtlmHttpFilter -- instead of it transacting a domain
> authentication using the jcifs code (which if I have read the email
> archives correctly supports NTLMv1 "LMv2" and not the newer SPNEGO
> (unless using jcifs-ext with Eric Glass' work?)), calling into ntlm_auth
> (provided with Samba) at the various phases to do the work.  It seems
> that ntlm_auth supports the SPNEGO mode already.
>
> We're anticipating the need to authenticate Tomcat5 session against
> "NTLMv2 or better" domains.
>
> If I've mis-read or mis-interpreted the current capabilities of
> jcifs.http.NtlmHttpFilter, please forgive me.

You are correct. JCIFS currently does not support NTLMv2 or Kerberos. For
a variety of reasons I am not interested in pursuing that angle and would
never accept patches that use any kind of JNI integration.

Incidentally, jCIFS will also very likely never support NTLMv2 because it
is obsoleted by Kerberos. I am currently working on SPNEGO w/ Kerberos for
jCIFS 2.0. However, after doing so I'm not certain about the future of an
HTTP Filter in jCIFS moving forward because a Kerberos only filter by
itself really has nothing to do with CIFS. For this reason it would be
nice if someone could create a nice standalone Kerberos filter with a
clean way for sub-filters to access the negotiated ticket (e.g.
WindowsPrinciple.getCurrent() using thread local storage). For example
Davenport (WebDAV CIFS gateway) could grab the ticket and pass it to jCIFS
for authenticating with target servers.

I recommend looking at Wedgetail. Jcifs-ext also provides a Kerberos
filter that also uses a modified jCIFS to check group membership using RAP
calls.

Please send any further questions to the mailing list.

Mike

