[jcifs] NTLM authentication

Fahad Sayeed. Siddiqui fsyeed at xavient.com
Tue Sep 26 04:37:03 GMT 2006

Hi Mike,


Please do the post the same code and provide me the link to the same.

I am having a little problem with doing the same caching of login
password in session when authentication occurs.

The Filter is behaving erratically sometimes.



Fahad Siddiqui




From: kevintap at gmail.com [mailto:kevintap at gmail.com] On Behalf Of Kevin
Sent: Tuesday, September 26, 2006 2:05 AM
To: Mike Kienenberger
Cc: jcifs at lists.samba.org; Fahad Sayeed. Siddiqui
Subject: Re: [jcifs] NTLM authentication


Mike, I would be fine with including my posted code in the jcifs
package.  Feel free to use it, modify it, re-package it as appropriate.

On 9/21/06, Mike Kienenberger <mkienenb at gmail.com> wrote: 

I've written a subclass of NtlmHttpFilter that caches the
NtlmPasswordAuthentication Principle in a session attribute (provided 
there was a non-null username in it).   It then uses the code from
Kevin's NTLMPostFilter to handle the additional IE requests and
returns the cached NtlmPasswordAuthentication as the UserPrincipal in
a RequestWrapper. 

It's a drop-in replacement for NtlmHttpFilter with one additional
optional init-param parameter for specifying which session attribute
to use.

If Kevin's ok with the use of his code, is there any interest in 
making this filter available?   If nothing else, I could post it to
the mailing list.

On 9/21/06, Kevin Tapperson <kevin at tapperson.net> wrote:
> Fahad, 
> The NTLMPostFilter described in the link is designed to allow for the
> handling of HTTP POST operations once NTLM has been negotiated by the
> browser with a particular server.
> There is a registry setting
> HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet
> Settings/DisableNTLMPreAuth, which controls how IE behaves once NTLM
> been negotiated with a server.  Microsoft has implemented a
> enhancement in IE which prevents IE from sending any POST data to a
> once NTLM has been negotiated with that server.  This was done because
IE is
> assuming that the server will require the browser to re-negotiate NTLM
> the POST request.  IE is preemptively assuming that the response from
> server will be a HTTP 401 response and that the server will do no
> on the request.  It therefore does not waste the bandwidth to supply
all of 
> the POST data in the initial request which is sent with the NTLM type
> message.  (This could be considerable savings depending on the actual
> of the POST data.)  Once the server rejects the initial POST request
> the browser and responds with the NTLM type 2 message, the browser
> issue a second request containing the NTLM type 3 message along with
> desired POST data.  If the registry key is set to 1, this behavior
will be 
> disabled and the browser will submit the POST data with both the NTLM
type 1
> and NTLM type 3 messages.  The default value is 0, which causes IE to
> submit the POST data with the NTLM type 3 message. 
> The code in the filter examines all HTTP POST requests and determines
> they contain an NTLM type 1 message.  If the request contains an NTLM
type 1
> message, the filter responds with a dummy type 2 message to entertain
> desire to re-negotiate NTLM prior to submitting any POST data.  The
> should then respond with an NTLM type 3 message along with the post
> which the filter should then allow to chain to the rest of the web 
> application.
> This filter was designed to work with an active J2EE application
behind it
> in which the user identity is established on the first attempt to
access the
> web application and saved in the HttpSession; subsequent accesses to
the web 
> application would not require re-negotiation.  If you are using the
> out-of-the-box NtlmHttpFilter, then you don't need to implement this
> On 9/20/06, Fahad Sayeed. Siddiqui < fsyeed at xavient.com> wrote:
> >
> >
> >
> >
> > This is in regards to the posting which is as below:
> >
> >
> http://lists.samba.org/archive/jcifs/2004-December/004459.html
> >
> >
> >
> >
> >
> > I made the same filter and it works. But suddenly, it stops working
> >
> > The code is supposed to come in the filter multiple times but after
> trials, it just comes once and hence, value of pass gets set as true.
> >
> >
> >
> > What could be a probable solution? 
> >
> >
> >
> > Regards,
> >
> > Fahad Siddiqui
> >
> >
> --
> Kevin Tapperson
> kevin at tapperson.net
> (615) 403-0817

Kevin Tapperson
kevin at tapperson.net
(615) 403-0817 

-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list