[jcifs] getting the password after successful NTLM HTTP Filter validation

Ward, Ian iward at softwareag.es
Tue Jun 27 15:12:36 GMT 2006


Thanks for the response, it was what I thought.

I am therefore going to have the web app generate a temporary, pseudo
random, timestamped password, store it and pass it to the application.
The application will then check if it was stored (and within a timeout
period) and delete it (to avoid repeat attacks).

Does this make sense to you? Is there an easier way that I'm missing?
Where do you think would be the best place to store the temporary
password?

Cheers

Ian

-----Original Message-----
From: Richard Caper [mailto:rcaper at gmail.com]
Sent: Tuesday, 27 June 2006 16:46
To: Ward, Ian
CC: jcifs at lists.samba.org
Subject: Re: [jcifs] getting the password after successful NTLM HTTP Filter validation

The hashes are not really available to JCifs, just the responses
(formulated from the hash and the challenge sent by the server).  In
the Windows world the hash is a password-equivalent.  So the server
sends a challenge which the client combines with the password hash to
get the response; the server does the same calculation to verify they
know the password.

Unfortunately the response will be different for each challenge, so
there's not really a way to store the hash and use that in your app.

On 6/27/06, Ward, Ian <iward at softwareag.es> wrote:
>
> I am adding Windows domain SSO to my Java app but am using an existing
> product underneath and it performs its own validation.
>
> It says in the documentation on the JCIFS site that...
>
> The password hashes generated when they logged on to their workstation
> will be negotiated during the initial request for a session, passed
> through jCIFS, and validated against a PDC or BDC. This also makes the
> user's domain, username, and password available for managing session
> information, profiles, preferences, etc.
>
> I have found how to get the user's name and domain using
> 'req.getRemoteUser();' but cannot see how to get the password... is
> this possible?
>
> If not (as I suspect) is it possible to at least get a password hash
> which could then be validated by the underlying product in a custom
> validation routine? Or do I have to generate one myself?
>
> Cheers
>
> Ian Ward
