[jcifs] Windows login username required at server end
Yannick Lavanant
yannick at smellyfrog.com
Fri Jun 6 10:33:05 GMT 2008
Hi Abhi,

You can avoid the popup box by adding your webserver as a trusted server
in either IE or Firefox.

IE:
Tools/internet options
Security tab
Local Intranet-> Click the Sites button -> the advanced button, type the
address of your server and press Add.

Firefox:
Type about:config in the address bar (No http:// before this)
And look for network.automatic-ntlm-auth.trusted-uris
Double click on the preference and type the address of your server

I am using jcifs on our intranet, and the users never have to type their
password to login. You can add a security policy to add the webserver in
the correct security zone for IE. For Firefox, you'll need the users to
do it manually.

Regards
Yannick

Abhijit Karpe wrote:
> Hello AJ,
>
> Thanks a lot for your timely responses.
>
> Since I am a newbie please bear with my questions.
>
> As I understand, there will be 3 Messages transferred during this
> process to authenticate the user and I can break the chain wherever I
> want so that the authentication does not proceed further. For this I
> assume the application will popup a dialog box asking for username and
> password.
>
> But since I only need the username from the client machine, I don't want
> such a popup box to appear. The username should be silently passed on
> from the client machine to server without the user being provided with a
> dialogue box.
>
> I tried a sample application using JCIFS and it shows a popup. However I
> observed that even when the popup appears, the following line is shown
> on the jboss console -
>
> 10:09:09,796 ERROR [STDERR] NtlmHttpFilter: MYDOMAIN\abhijitk: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
>
> This essentially means that before even showing the popup, JCIFS was
> able to extract the username from client.
>
> Could you please point me to how I can just get hold of this username?
>
> Deeply appreciate your help!
>
> Thanks,
> Abhi
>
> -----Original Message-----
> From: aweber at comcast.net [mailto:aweber at comcast.net]
> Sent: Friday, June 06, 2008 12:06 AM
> To: Yannick Lavanant; Abhijit Karpe
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] Windows login username required at server end
>
> (Re-reading that email...if you need the username -- not the domain that
> I was going on about -- you'll need to send the Type 2 message back to
> the client and retrieve the Type 3 message, which contains the Username.
> At that point, you can retrieve it from that helper-class and discard
> the message; don't bother actually then sending it for authentication to
> the domain controllers.)
>
> Sorry for the confusion,
> AJ
>
> -------------- Original message ----------------------
> From: aweber at comcast.net
>
>> Right, if you use the beginning-part of the filter, you'll want to send the
>> browser the 401 with the Authenticate: NTLM (see actual code). The
>> client/browsers should send you back an NTLM "Type 1 Message".
>>
>> There is a helper-class you can use to read the properties of that message
>> returned from the client. One is the Domain. It _should_ be the domain to
>> which the user is currently authenticated.
>>
>> Again, this isn't highly secure, but given your requirements to NOT
>> re-authenticate the user (which, BTW would be transparent for IE browsers, and
>> just add some security to the mix), it should be what you need. If you allow
>> the whole filter to continue, it'll do all three messages and attempt to
>> authenticate the user against the PDC or BDC again. If you cut-out the code
>> after you receive the Type 1 message, you'll be left with access to that
>> message's properties (including the Domain), and you can go on from there
>> however your solution requires.
>>
>> -AJ
>>
>>
>> -------------- Original message ----------------------
>> From: Yannick Lavanant <yannick at smellyfrog.com>
>>
>>> Well, there is a class called jcifs.http.NTLMHttpFilter that you should
>>> be able to extend. You could then override some methods to stop the
>>> authentication. Then of course, change your web.xml to use the new filter
>>> class.
>>>
>>> I'm not sure how doable that is, but your best bet is to read the filter
>>> class and see what you can do with it.
>>>
>>> There is a lot of message exchange going on between the client and the
>>> server during the authentication. So if you manage to intercept that
>>> process at the right time, you might be able to do what you want.
>>>
>>> Regards
>>> Yannick
>>>
>>> Abhijit Karpe wrote:
>>>
>>>> Hello Yannick,
>>>>
>>>> Thanks for your quick response.
>>>>
>>>> In my case domain authentication is immaterial so I would rather avoid
>>>> it. For me a user who is successfully logged in to the windows machine
>>>> (which is in a secured network) is secure enough to give him access to
>>>> my application. It is sort of an SSO support.
>>>> Also I need to find the authorization information for the user from my
>>>> application database. For this purpose I need the username.
>>>>
>>>> It would be really helpful if anyone could point me to some detailed
>>>> documentation on how JCIFS internally works. In that case I would either
>>>> be able to extend the behavior to support my requirement or maybe even
>>>> write the code that would suffice.
>>>>
>>>> Thanks again for your response!
>>>>
>>>> ~
>>>> Abhi
>>>>
>>>> -----Original Message-----
>>>> From: Yannick Lavanant [mailto:yannick at smellyfrog.com]
>>>> Sent: Thursday, June 05, 2008 7:14 PM
>>>> To: Abhijit Karpe
>>>> Cc: jcifs at lists.samba.org
>>>> Subject: Re: [jcifs] Windows login username required at server end
>>>>
>>>> Hi Abhi,
>>>>
>>>> I'm not a specialist, but as far as I understand, JCIFS performs a
>>>> domain authentication.
>>>>
>>>> I remember using some native code that did what you are describing.
>>>> The advantage of JCIFS is that you are platform independent. As soon as
>>>> you introduce native code, you get stuck with the operating system.
>>>>
>>>> Is there any reason why you don't want to do a domain authentication?
>>>>
>>>> Yannick
>>>>
>>>> Abhijit Karpe wrote:
>>>>
>>>>
>>>>> Hello,
>>>>>
>>>>> I have a requirement wherein I need the windows login username in my
>>>>> application on JBoss.
>>>>>
>>>>> I have been investigating using the JCIFS library but so far whatever
>>>>> I do, JCIFS tries to authenticate the user with the domain controller.
>>>>>
>>>>> What I need is not authentication with the domain controller. I just
>>>>> need access to the username with which the user has logged in to the
>>>>> windows machine.
>>>>>
>>>>> My application assumes that if the user has successfully logged in, he
>>>>> is a valid user.
>>>>>
>>>>> Can JCIFS help me with my requirement?
>>>>>
>>>>> If not, does anyone know how I may be able to achieve this? Any help
>>>>> in this regard is highly appreciated.
>>>>>
>>>>> Thanking everyone in advance,
>>>>>
>>>>> Abhi
>>>>
>>>>
>
>
>