[jcifs] NtlmHttpFilter caching question
aweber at comcast.net
Mon Nov 17 13:36:15 GMT 2008
I appreciate the reply, and the very valuable insight.
I wasn't really trying to cache the ntlm hashes, but the NtlmPasswordAuthentication object and just check if it still existed in the cache (with the cache configured to have a TTL, so I would re-authenticate only after a configured timeout of credentials validity). But even trying to set a cookie (which does get set, I can confirm that) with a max-age of -1 (browser lifetime) doesn't work. If I check for the cookie in the doFilter, and if it exists, skip the negotiate completely, I get into the same loop.
----- Original Message -----
From: Michael B Allen
To: AJ Weber
Cc: jcifs at lists.samba.org
Sent: Sunday, November 16, 2008 8:13 PM
Subject: Re: [jcifs] NtlmHttpFilter caching question
On Sun, Nov 16, 2008 at 5:10 PM, AJ Weber <aweber at comcast.net> wrote:
> I'm trying to fit the filter atop a J2EE framework. For whatever reason,
> the filter ends-up having to re-authenticate really frequently.
IIS using both NTLM and Negotiate authentication will authenticate
every single HTTP request.
Caching the NTLM hashes is specific to the HTTP Filter and technically
should probably not be done.
> If I let the authentication run its course, it works fine, but I'm going to
> get in a lot of trouble with the network admins and AD guys for all the
> unnecessary traffic.
I doubt it. The NTLM HTTP Filter should not generate any more traffic
than you would see from IIS authenticating clients using NTLM over
NETLOGON to the DC. With IIS you'll see one NetrLogonSamLogonEx call
per auth whereas with the JCIFS NTLM HTTP Filter you'll see one
SMB_COM_SESSION_SETUP_ANDX per auth. No difference really.
If anything the JCIFS method will probably be less resource intensive
since it doesn't use the DCERPC layer, secure channel encryption, etc
(albeit less secure accordingly).
Michael B Allen
PHP Active Directory SPNEGO SSO
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the jcifs