[jcifs] NTLM authentication

Fahad Sayeed. Siddiqui fsyeed at xavient.com
Tue Sep 26 04:37:03 GMT 2006 

Hi Mike,

 

Please do the post the same code and provide me the link to the same.

I am having a little problem with doing the same caching of login
password in session when authentication occurs.

The Filter is behaving erratically sometimes.

 

Regards,

Fahad Siddiqui

 

 

________________________________

From: kevintap at gmail.com [mailto:kevintap at gmail.com] On Behalf Of Kevin
Tapperson
Sent: Tuesday, September 26, 2006 2:05 AM
To: Mike Kienenberger
Cc: jcifs at lists.samba.org; Fahad Sayeed. Siddiqui
Subject: Re: [jcifs] NTLM authentication

 

Mike, I would be fine with including my posted code in the jcifs
package.  Feel free to use it, modify it, re-package it as appropriate.

On 9/21/06, Mike Kienenberger <mkienenb at gmail.com> wrote: 

I've written a subclass of NtlmHttpFilter that caches the
NtlmPasswordAuthentication Principle in a session attribute (provided 
there was a non-null username in it).   It then uses the code from
Kevin's NTLMPostFilter to handle the additional IE requests and
returns the cached NtlmPasswordAuthentication as the UserPrincipal in
a RequestWrapper. 

It's a drop-in replacement for NtlmHttpFilter with one additional
optional init-param parameter for specifying which session attribute
to use.

If Kevin's ok with the use of his code, is there any interest in 
making this filter available?   If nothing else, I could post it to
the mailing list.


On 9/21/06, Kevin Tapperson <kevin at tapperson.net> wrote:
> Fahad, 
>
> The NTLMPostFilter described in the link is designed to allow for the
proper
> handling of HTTP POST operations once NTLM has been negotiated by the
> browser with a particular server.
> 
> There is a registry setting
> HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet
> Settings/DisableNTLMPreAuth, which controls how IE behaves once NTLM
has
> been negotiated with a server.  Microsoft has implemented a
performance 
> enhancement in IE which prevents IE from sending any POST data to a
server
> once NTLM has been negotiated with that server.  This was done because
IE is
> assuming that the server will require the browser to re-negotiate NTLM
for 
> the POST request.  IE is preemptively assuming that the response from
the
> server will be a HTTP 401 response and that the server will do no
processing
> on the request.  It therefore does not waste the bandwidth to supply
all of 
> the POST data in the initial request which is sent with the NTLM type
1
> message.  (This could be considerable savings depending on the actual
size
> of the POST data.)  Once the server rejects the initial POST request
from 
> the browser and responds with the NTLM type 2 message, the browser
will
> issue a second request containing the NTLM type 3 message along with
the
> desired POST data.  If the registry key is set to 1, this behavior
will be 
> disabled and the browser will submit the POST data with both the NTLM
type 1
> and NTLM type 3 messages.  The default value is 0, which causes IE to
only
> submit the POST data with the NTLM type 3 message. 
>
> The code in the filter examines all HTTP POST requests and determines
if
> they contain an NTLM type 1 message.  If the request contains an NTLM
type 1
> message, the filter responds with a dummy type 2 message to entertain
IE's 
> desire to re-negotiate NTLM prior to submitting any POST data.  The
browser
> should then respond with an NTLM type 3 message along with the post
data
> which the filter should then allow to chain to the rest of the web 
> application.
>
> This filter was designed to work with an active J2EE application
behind it
> in which the user identity is established on the first attempt to
access the
> web application and saved in the HttpSession; subsequent accesses to
the web 
> application would not require re-negotiation.  If you are using the
jcifs
> out-of-the-box NtlmHttpFilter, then you don't need to implement this
filter.
>
>
> On 9/20/06, Fahad Sayeed. Siddiqui < fsyeed at xavient.com> wrote:
> >
> >
> >
> >
> > This is in regards to the posting which is as below:
> >
> >
> http://lists.samba.org/archive/jcifs/2004-December/004459.html
> >
> >
> >
> >
> >
> > I made the same filter and it works. But suddenly, it stops working
and. 
> >
> > The code is supposed to come in the filter multiple times but after
some
> trials, it just comes once and hence, value of pass gets set as true.
> >
> >
> >
> > What could be a probable solution? 
> >
> >
> >
> > Regards,
> >
> > Fahad Siddiqui
> >
> >
>
>
>
> --
> Kevin Tapperson
> kevin at tapperson.net
> (615) 403-0817




-- 
Kevin Tapperson
kevin at tapperson.net
(615) 403-0817 

-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list