[jcifs] getting the password after successful NTLM HTTP Filter validation

Richard Caper rcaper at gmail.com
Tue Jun 27 14:46:19 GMT 2006

The hashes are not really available to JCifs, just the responses
(formulated from the hash and the challenge sent by the server).  In
the Windows world the hash is a password-equivalent.  So the server
sends a challenge which the client combines with the password hash to
get the response; the server does the same calculation to verify they
know the password.

Unfortunately the response will be different for each challenge, so
there's not really a way to store the hash and use that in your app.

On 6/27/06, Ward, Ian <iward at softwareag.es> wrote:
> I am adding Windows domain SSO to my Java app but am using an existing
> product underneath and it performs its own validation.
> It says in the documentation on the JCIFS site that…
> The password hashes generated when they logged on to their workstation will
> be negotiated during the initial request for a session, passed through
> jCIFS, and validated against a PDC or BDC. This also makes the users domain,
> username, and password available for managing session information, profiles,
> preferences, etc.
> I have found how to get the user's name and domain using
> 'req.getRemoteUser();' but cannot see how to get the password… is this
> possible?
> If not (as I suspect) is it possible to at least get a password hash which
> could then be validated by the underlying product in a custom validation
> routine? Or do I have to generate one myself?
> Cheers
> Ian Ward
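
The challenge-response calculation described in the reply above, as an added example that is not part of the original post and is not jCIFS code. The thread does not say which NTLM variant is in use; this sketch assumes the NTLMv2 form (HMAC-MD5 keyed from the NT hash), and the account name, domain, hash, challenges and client blob are all constructed values.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE.
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def client_response(nt_hash: bytes, user: str, domain: str,
                    challenge: bytes, blob: bytes) -> bytes:
    # The proof covers the server's 8-byte challenge, so it changes on every login.
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, challenge + blob, hashlib.md5).digest()

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  challenge: bytes, blob: bytes, proof: bytes) -> bool:
    # The verifier repeats the client's calculation from the hash it already holds.
    expected = client_response(stored_nt_hash, user, domain, challenge, blob)
    return hmac.compare_digest(expected, proof)

# Constructed sample values (not taken from any real account or capture).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "EXAMPLE"
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 16  # stand-in for the client blob
CHALLENGE_1 = bytes.fromhex("0123456789abcdef")
CHALLENGE_2 = bytes.fromhex("fedcba9876543210")

def demo() -> dict:
    r1 = client_response(NT_HASH, USER, DOMAIN, CHALLENGE_1, BLOB)
    r2 = client_response(NT_HASH, USER, DOMAIN, CHALLENGE_2, BLOB)
    return {
        # Same hash, different challenge: the value on the wire is different.
        "responses_differ": r1 != r2,
        "fresh_login_ok": server_verify(NT_HASH, USER, DOMAIN, CHALLENGE_1, BLOB, r1),
        # A response kept by a filter does not verify against the next challenge.
        "stored_response_reusable": server_verify(NT_HASH, USER, DOMAIN, CHALLENGE_2, BLOB, r1),
        # A verifier without the matching hash cannot check the response at all.
        "wrong_hash_ok": server_verify(bytes(16), USER, DOMAIN, CHALLENGE_1, BLOB, r1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The only party able to check a response is one that already holds the matching hash and issued the challenge, which is why the value seen by an HTTP filter cannot be handed to a second product for its own validation.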
