[jcifs] Providing an alternative sign on mechanism.

Michael B Allen mba2000 at ioplex.com
Fri Mar 16 19:52:12 GMT 2007


On Fri, 16 Mar 2007 10:55:39 -0300
"BASHEER, SHIBU" <shibu.basheer at emera.com> wrote:

> 
> Hi,
> 
> We are using NtlmHttpFilter for seamless single sign on to our applications.  Problem is, some PCs are shared among multiple users.
> 
> Is there a way to provide an alternative sign on mechanism so users who are not logged on as themselves on a PC can click on a link to sign out and sign in as a different user without having to log out and log in again to Windows?

The filter is really a bare bones SSO-only solution. I suspect almost
everyone with a serious site needs to modify it.

I don't really use the filter but my feeling is that the best solution
is to add some logic that presents the user with a logon form that accepts
a username and password. If the form is submitted those creds are passed
to SmbSession.logon. If successful, the filter then should put something
in the session to indicate that it was authenticated so that subsequent
requests are not authenticated.

Also, you could add a JavaScript redirect to the page sent to the client
with the 401 unauthorized WWW-Authenticate: Negotiate response. That way,
if the client cannot do NTLM, the onload handler of the body tag will
run some JavaScript that submits a form with a parameter that indicates
that the logon form should be presented.

Anyway, that's how I would do it.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
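
The form-logon fallback described in the reply above, sketched as a standalone servlet filter. This is an added example, not part of the original post and not jCIFS's own code. The class name, the init-param names, the form field names, the session attribute name and the /logon.jsp page are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;

// Hypothetical filter: validates form credentials with SmbSession.logon.
public class FormLogonFilter implements Filter {
    private static final String AUTH_ATTR = "formLogonUser"; // assumed session marker name
    private String dcName, domain;                            // assumed init-params

    public void init(FilterConfig cfg) {
        dcName = cfg.getInitParameter("domainController");
        domain = cfg.getInitParameter("domain");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(AUTH_ATTR) != null) {
            chain.doFilter(req, resp);   // marker present: do not authenticate again
            return;
        }
        String user = req.getParameter("username"), pass = req.getParameter("password");
        // Take credentials only from a POST over TLS; anything else gets the form.
        if (!"POST".equals(req.getMethod()) || !req.isSecure()
                || user == null || pass == null || user.length() == 0 || pass.length() == 0) {
            req.getRequestDispatcher("/logon.jsp").forward(req, resp); // assumed form page
            return;
        }
        try {
            UniAddress dc = UniAddress.getByName(dcName);
            SmbSession.logon(dc, new NtlmPasswordAuthentication(domain, user, pass));
        } catch (SmbException e) {       // SmbAuthException (bad credentials) is a subclass
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (session != null) session.invalidate(); // fresh session id after logon
        req.getSession(true).setAttribute(AUTH_ATTR, domain + "\\" + user);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    public void destroy() { }
}
```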

