[jcifs] So how does JCIFS get the username

Giampaolo Tomassoni Giampaolo at Tomassoni.biz
Thu Apr 23 14:20:36 GMT 2009


> -----Original Message-----
> From: André Warnier
> Sent: Thursday, April 23, 2009 3:57 PM
> 
> Sorry Giampaolo, I meant to send this to the list..

No problem.


> Giampaolo Tomassoni wrote:
> >> From: Bill Comer
> >> Sent: Thursday, April 23, 2009 1:58 PM
> >>
> >> I was wondering how JCIFS gets the username on a Windows PC that it
> >> then uses to authenticate,
> >
> > You're probably speaking about the NtlmHttpFilter.
> >
> > It is the client (IE, for example) which sends authentication data on
> > behalf of the user, not jcifs. The latter eventually routes them to an
> > authentication server, but it doesn't (almost) know what that data
> > contains.
> >
> Still if the OP is talking about the HTTP filter, then one thought that
> comes to mind is that Firefox can also do NTLM authentication.
> Since the Firefox code is open source, you could always go look there.
> I don't think that there is any particular secret in getting the
> logged-in Windows userid though.  There must be published Windows API
> calls to do that. Getting his password is something else entirely.

I believe Bill "hack" Comer ( ;) ) has access to the server running the
NtlmHttpFilter, and is tempted to try to obtain the password (or the like) of
someone accessing the server.

Your approach wouldn't fit this case, since Bill doesn't have direct access
to an open session from one of the workstations in the domain...

If this is the case, the best thing to do is to stop NTLM authentication on
the http server and force people to log in through a clear-text password: most
of them will not even ask why and will trustfully put their username and
password as requested. Got it.

This is why certificate-based authentication is better: it doesn't trust
human trust...

Giampaolo


> But, at which level exactly do you want to obtain the user-id of the
> logged-in user ?
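
An added illustration of the point made in the thread, not part of the original messages and not jcifs code: the NTLM Type 3 message the browser sends in the Authorization header already carries the domain, user name and workstation, while only challenge responses (never the password) are on the wire. The function names, the sample values (EXAMPLE, alice, WKS01) and the cp437 fallback for non-Unicode strings are assumptions made for this sketch.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the payload are UTF-16LE

def _buffer(msg, pos):
    """Read one security buffer descriptor (len, maxlen, offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_type3(header_value):
    """Decode an 'Authorization: NTLM <base64>' value carrying a Type 3 message."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM code page assumed
    return {
        "domain": _buffer(msg, 28).decode(enc),
        "user": _buffer(msg, 36).decode(enc),
        "workstation": _buffer(msg, 44).decode(enc),
        # Only challenge responses travel on the wire, never the password.
        "lm_response_len": len(_buffer(msg, 12)),
        "nt_response_len": len(_buffer(msg, 20)),
    }

def build_sample_type3(domain, user, workstation):
    """Constructed sample message with dummy 24-byte responses (not a real capture)."""
    parts = [b"\x00" * 24, b"\x11" * 24] + [
        s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, payload = b"", b""
    for part in parts:  # order: LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(parse_type3(build_sample_type3("EXAMPLE", "alice", "WKS01")))
```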


