[jcifs] silent authentication

Richard Caper rcaper at gmail.com
Tue Sep 6 14:49:54 GMT 2005


> but when a user, who is not in the domain, goes to localhost:8080/ww300Login
> the servlet is not working. it hangs up,... I think that's because the filter
> is on the same layer like the servlet, but I don't know if I am right and I
> have no idea how to fix that problem.
>

How are the failing users logged in?  If they are not in the ww300
domain, then there would need to be a trust between ww300 and whatever
domain they are in.

If they are local users or similar, this would probably not work at
all; the filter connects to a domain controller for the specified
domain (ww300) and authenticates the credentials provided by the user
against that domain.  If they are not members of the domain (or one
trusted by that domain) then this authentication cannot be done.

The previous code you had posted simply strips out the username from
the credentials provided by the browser; it doesn't actually check if
the credentials can be authenticated against anything.  So while it
would work for local accounts etc. (insofar as obtaining the username)
it wouldn't actually check that the user is who they say they are.
This can be easily faked by setting "prompt for authentication" in the
IE settings and then just typing any username/password combination.

By the way, the reason you were getting "t e s t e r" in your other
code is that the username was presented in Unicode rather than ASCII;
you would change it to say:

String login = new String(msg, offset, length, "UnicodeLittleUnmarked");

That should parse it correctly.  But again, you would need to use the
jCIFS filter to actually authenticate the user.
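
Added example (not part of the original post, and not jCIFS code): a bounds-checked parse of the user name field of an NTLM Type 3 message, showing both the "t e s t e r" symptom and that the value is only what the client claims. The class and method names are hypothetical, the sample message is constructed, and the layout assumed is the usual one with the user name security buffer at offset 36 and the flags at offset 60.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class Type3UserName { // hypothetical name, for illustration only
    static final int NEGOTIATE_UNICODE = 0x00000001; // NTLMSSP_NEGOTIATE_UNICODE flag

    /** Returns the user name the client CLAIMS. Nothing here checks the NT/LM response. */
    static String claimedUser(byte[] msg) {
        if (msg.length < 64 || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0"))
            throw new IllegalArgumentException("not an NTLMSSP message");
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(8) != 3) throw new IllegalArgumentException("not a Type 3 message");
        int length = b.getShort(36) & 0xFFFF; // user name security buffer: length in bytes
        int offset = b.getInt(40);            // ... and its offset from the start of msg
        if (offset < 64 || offset > msg.length - length) // never trust client-supplied offsets
            throw new IllegalArgumentException("user name buffer out of bounds");
        Charset cs = (b.getInt(60) & NEGOTIATE_UNICODE) != 0
                ? StandardCharsets.UTF_16LE    // the encoding Java also calls "UnicodeLittleUnmarked"
                : StandardCharsets.ISO_8859_1; // assumption: stand-in for the client's OEM code page
        return new String(msg, offset, length, cs);
    }

    /** Constructed sample: a Type 3 message whose only non-empty field is the user name. */
    static byte[] sample(String user) {
        byte[] name = user.getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(64 + name.length).order(ByteOrder.LITTLE_ENDIAN);
        b.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3);
        b.putShort(36, (short) name.length).putShort(38, (short) name.length).putInt(40, 64);
        b.putInt(60, NEGOTIATE_UNICODE);
        b.position(64);
        b.put(name);
        return b.array();
    }

    public static void main(String[] args) {
        byte[] msg = sample("tester");
        // Decoding the UTF-16LE bytes as single-byte text keeps every NUL byte,
        // which is what shows up as a gap between the letters.
        String wrong = new String(msg, 64, 12, StandardCharsets.ISO_8859_1);
        System.out.println(wrong.replace('\0', ' '));
        System.out.println(claimedUser(msg));
        // The parser returns whatever name the message carries; only validating
        // the response against a domain controller proves the identity.
        System.out.println(claimedUser(sample("anyone")));
    }
}
```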

