[jcifs] Do I need to inform domain+user+password

Christensen, Scott M SCHRIST1 at amfam.com
Tue Jan 2 13:53:02 GMT 2007


My guess is that he's asking how to authenticate the user to a web
service from another web app that is secured by the NTLM filter (in an
intranet environment).  The short answer is that you can't and really
wouldn't want to since it would introduce security issues for your
users.

I would say there are two possible options for you, both of which would
require changes to your web service's XML structure.

1. Introduce a "subscription" into your web service whereby each
application is required to pass along a unique id that authenticates
that application to use the particular web service.

2. Implement the jCIFS NTLM filter in the web service and use the
Jakarta Commons HttpClient component in your web app to pass along an
authentication id and password hardcoded (or read from some external
file) into your web app.

In both scenarios, if your web service needs to know who the user is
in order to gather specific data, pass the user id that can be found in
request.getRemoteUser() to the web service in your XML.

-- Scott

-----Original Message-----
From: jcifs-bounces+schrist1=amfam.com at lists.samba.org
[mailto:jcifs-bounces+schrist1=amfam.com at lists.samba.org] On Behalf Of
Eric Glass
Sent: Tuesday, January 02, 2007 6:32 AM
To: Luiz_Estivalet at dell.com
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Do I need to inform domain+user+password

The jCIFS servlet filter is applied to the servlet/application by
adding it to the web.xml deployment descriptor, as described here:

http://jcifs.samba.org/src/docs/ntlmhttpauth.html

The filter will authenticate all requests for resources to which it is
mapped against the domain controller; that is, if a request from a
client successfully traverses the filter, it is assured that they have
provided valid domain credentials by the time the request hits your
servlet.

You can obtain the username in your servlet by doing
request.getRemoteUser(); if you need the domain you can get that by
doing:

    import jcifs.smb.NtlmPasswordAuthentication;

    // attribute set by the jCIFS NTLM filter once the handshake has completed
    NtlmPasswordAuthentication ntlm =
            (NtlmPasswordAuthentication) request.getAttribute("NtlmHttpAuth");
    String domain = ntlm.getDomain();

NTLM is a challenge/response protocol, so it is not possible to obtain
the actual account password (if that is what you are asking).
Basically the filter will authenticate the client, handling the NTLM
handshake; your servlet will receive an already-authenticated request,
from which you can obtain the authenticated username and domain.


Eric

On 1/2/07, Luiz_Estivalet at dell.com <Luiz_Estivalet at dell.com> wrote:
> I see... But how can I get the credentials? I have a main servlet that
> is used to service all my requests. I'm trying to understand how
> this servlet can get the user's credentials to be used to authenticate the
> webservice. Is there a sample code that I can use?
>
>
> -----Original Message-----
> From: Eric Glass [mailto:eric.glass at gmail.com]
> Sent: Friday, December 29, 2006 7:03 PM
> To: Estivalet, Luiz
> Cc: mba2000 at ioplex.com; jcifs at lists.samba.org
> Subject: Re: [jcifs] Do I need to inform domain+user+password
>
> It is not possible to retrieve the plaintext password provided by the
> web service consumer.  It is possible to authenticate that the client
> possesses valid credentials however (i.e. you will know that the client
> has a valid password, but your service will not itself obtain the
> password).
>
> On 12/29/06, Luiz_Estivalet at dell.com <Luiz_Estivalet at dell.com> wrote:
> > I want to implement SSO in my web application that is using web
> > services. I'd like to have the username and password (NT login) to
> > authenticate my webservice. I can get the username and domain but is
> > it also possible to get the password?
> >
> >
> > Luiz Fernando Estivalet
> > Global Corporate IT
> > Dell | Information Technology - Brazil
> > Phone: +55 (51) 3320-7530
> > From Austin: 7-781-7530
> > luiz_estivalet at dell.com
> >
> > -----Original Message-----
> > From: Michael B Allen [mailto:mba2000 at ioplex.com]
> > Sent: Friday, December 29, 2006 2:56 PM
> > To: Estivalet, Luiz
> > Cc: jcifs at lists.samba.org
> > Subject: Re: [jcifs] Do I need to inform domain+user+password
> >
> > On Fri, 29 Dec 2006 14:52:50 -0200
> > <Luiz_Estivalet at Dell.com> wrote:
> >
> > > Is there a way to get the password?
> >
> > I don't understand the question. Get the password in what situation?
> >
> > > -----Original Message-----
> > > From: Michael B Allen [mailto:mba2000 at ioplex.com]
> > > Sent: Friday, December 29, 2006 2:52 PM
> > > To: Estivalet, Luiz
> > > Cc: jcifs at lists.samba.org
> > > Subject: Re: [jcifs] Do I need to inform domain+user+password
> > >
> > > On Fri, 29 Dec 2006 11:22:35 -0200
> > > <Luiz_Estivalet at Dell.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I'm new to the list and to NTLM stuff. I need to perform an SSO, I
> > > > have downloaded and tried JCIFS examples but I always have to inform
> > > > domain+user+password in web.xml... And I really don't want that.
> > > >
> > > > What I need is to discover the domain+user+password without
> > > > informing it in the web.xml. How can I achieve this?
> > >
> > > If the domain controller requires SMB signatures you must have the
> > > domain+user+password in your web.xml.
> > >
> > > Mike
> > >
> > > --
> > > Michael B Allen
> > > PHP Active Directory SSO
> > > http://www.ioplex.com/
> > >
> >
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> >
>
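The flow Eric and Scott describe, written out as an added example that is not part of this thread or of jCIFS itself: a servlet running behind jcifs.http.NtlmHttpFilter reads the identity the filter established (request.getRemoteUser() and the "NtlmHttpAuth" attribute, which are real jCIFS/Servlet API) and forwards it to the web service as an XML element in place of any credential, as Scott suggests. The class name, the <caller> element and the helper names are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jcifs.smb.NtlmPasswordAuthentication;

// Example only: a servlet mapped behind jcifs.http.NtlmHttpFilter in web.xml.
// The filter completes the NTLM handshake before doGet runs, so the servlet
// reads only the established identity; no password is ever available to it.
public class CallerIdentityServlet extends HttpServlet {
    // Identity the filter established as "DOMAIN\user", or null when the request
    // did not pass through the filter (e.g. the filter is not mapped to this URL).
    static String authenticatedPrincipal(HttpServletRequest request) {
        if (request.getRemoteUser() == null) {
            return null;
        }
        NtlmPasswordAuthentication ntlm =
                (NtlmPasswordAuthentication) request.getAttribute("NtlmHttpAuth");
        if (ntlm == null) {
            return request.getRemoteUser();
        }
        // Built by the filter from the challenge/response hashes, so getPassword() is
        // null on this object (documented jCIFS behaviour); only domain and user name remain.
        return ntlm.getDomain() + "\\" + ntlm.getUsername();
    }

    // Hypothetical <caller> element the web app forwards to its web service instead
    // of credentials (Scott's suggestion), with XML-significant characters escaped.
    static String callerElement(String principal) {
        StringBuilder sb = new StringBuilder("<caller>");
        for (char c : principal.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                default:  sb.append(c);
            }
        }
        return sb.append("</caller>").toString();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String principal = authenticatedPrincipal(request);
        if (principal == null) { // only reachable when the filter is not mapped here
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/xml");
        response.getWriter().write(callerElement(principal));
    }
}
```

The web service on the receiving end still has to trust the calling web app for this element, which is why Scott pairs it with a per-application id or the NTLM filter on the service side.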

