[jcifs] NtlmHttpFilter caching question

AJ Weber aweber at comcast.net
Mon Nov 17 13:36:15 GMT 2008

I appreciate the reply, and the very valuable insight.

I wasn't really trying to cache the ntlm hashes, but the NtlmPasswordAuthentication object and just check if it still existed in the cache (with the cache configured to have a TTL, so I would re-authenticate only after a configured timeout of credentials validity).  But even trying to set a cookie (which does get set, I can confirm that) with a max-age of -1 (browser lifetime) doesn't work.  If I check for the cookie in the doFilter, and if it exists, skip the negotiate completely, I get into the same loop.

Really strange.


  ----- Original Message ----- 
  From: Michael B Allen 
  To: AJ Weber 
  Cc: jcifs at lists.samba.org 
  Sent: Sunday, November 16, 2008 8:13 PM
  Subject: Re: [jcifs] NtlmHttpFilter caching question

  On Sun, Nov 16, 2008 at 5:10 PM, AJ Weber <aweber at comcast.net> wrote:
  > OK,
  > I'm trying to fit the filter atop a J2EE framework.  For whatever reason,
  > the filter ends-up having to re-authenticate really frequently.

  IIS using both NTLM and Negotiate authentication will authenticate
  every single HTTP request.

  Caching the NTLM hashes is specific to the HTTP Filter and technically
  should probably not be done.

  > If I let the authentication run its course, it works fine, but I'm going to
  > get in a lot of trouble with the network admins and AD guys for all the
  > unnecessary traffic.

  I doubt it. The NTLM HTTP Filter should not generate any more traffic
  than you would see from IIS authenticating clients using NTLM over
  NETLOGON to the DC. With IIS you'll see one NetrLogonSamLogonEx call
  per auth whereas with the JCIFS NTLM HTTP Filter you'll see one
  SMB_COM_SESSION_SETUP_ANDX per auth. No difference really.

  If anything the JCIFS method will probably be less resource intensive
  since it doesn't use the DCERPC layer, secure channel encryption, etc
  (albeit less secure accordingly).


  Michael B Allen
  PHP Active Directory SPNEGO SSO
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list