[jcifs] Using NTLM authorization with Jaas Form-login

Verma, Mamta mamta.verma at tycoelectronics.com
Mon Jan 12 16:06:48 GMT 2009


Using NTLM authorization with Jaas...

Here is the problem description:

1. My application uses JAAS form login to do the sign-on.
2. The application has a custom userpasswordlogin module that does the authentication and establishes a session.
3. This is an application product developed by a third party, hence I do not have access to change the code within.
4. We are attempting to put an NTLM fence outside this application, so the users get authenticated with AD first, and once authenticated they can move on to log in to the webapp by form-login.
5. The AD userids do not match the application userids, so once AD authentication passes I have to do a translation of the AD userid to the application userid.
6. I attempted to use NTLM, and the NTLM authentication passes; however, since NTLM sets the user principal, the application sees that the userprincipal is set and proceeds without going to the form-login module.
7. I need to have NTLM authenticate the users, translate the userid and then somehow have the userprincipal reset so that form-login can take over.
8. I am writing a custom filter to be called after the NTLM filter to translate the userid from AD to application.
Is it possible to do that? If yes, how, and what would I need to override? Or is there a better solution?



  <filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
      <param-name>jcifs.smb.client.domain</param-name>
      <param-value>MYDOMAIN</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.domainController</param-name>
      <param-value>MYCONTROLLER</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.resolveOrder</param-name>
      <param-value>MYDNS</param-value>
    </init-param>
    <init-param>
      <description>Log Level</description>
      <param-name>jcifs.util.loglevel</param-name>
      <param-value>10</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/redirect.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

  <security-constraint>
    <display-name>Common</display-name>
    <web-resource-collection>
      <web-resource-name>Common</web-resource-name>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>

    <web-resource-collection>
      <web-resource-name>Common2</web-resource-name>
      <url-pattern>/prv/redirect.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/pub/login.jsp</form-login-page>
      <form-error-page>/pub/loginErr.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
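
One way the translation filter from item 8 could look, as an added example that is not part of the original message or of jCIFS. It assumes the servlet API is on the classpath, that NtlmHttpFilter exposes the AD name through getRemoteUser() in DOMAIN\user form, and that the application decides by calling getUserPrincipal(); the class name, session attribute and mapping entry are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not jCIFS or application code.
// Map it in web.xml AFTER NtlmHttpFilter, on the same url-pattern.
public class AdUserTranslationFilter implements Filter {
    // Hypothetical session attribute the login page can read to pre-fill the user id.
    public static final String APP_USER_ATTR = "translatedAppUser";
    // Constructed sample mapping; a real deployment would load it from a table or directory.
    private final Map<String, String> adToApp = new HashMap<String, String>();

    public void init(FilterConfig cfg) {
        adToApp.put("mydomain\\jsmith", "JS001");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Assumption: the NTLM filter's request wrapper returns DOMAIN\\user here.
        String adUser = req.getRemoteUser();
        String appUser = adUser == null
                ? null : adToApp.get(adUser.toLowerCase(Locale.ENGLISH));
        if (appUser == null) {
            // Fail closed: no NTLM identity, or an AD account with no application mapping.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getSession().setAttribute(APP_USER_ATTR, appUser);
        // Hide the NTLM identity from everything further down the chain,
        // so the application no longer sees a user principal.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public String getRemoteUser() { return null; }
            public Principal getUserPrincipal() { return null; }
            public String getAuthType() { return null; }
        }, res);
    }

    public void destroy() { }
}
```

The wrapper only changes what application code behind the filter sees; the container evaluates the security-constraint and FORM login-config on its own, before any filter runs. The translated id stored in the session is a hint for the login page, and the form login still has to verify the application credentials itself.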
