[jcifs] jCIFS NTLM HTTP and SMB Signing
Jim Davidson
jdavidson at acm.org
Thu Mar 26 20:45:29 GMT 2009

I'm working on an application using NTLM SSO with Windows2003 (with SMB
Signing required).

The preauthentication approach
(http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing) seems to work
just fine. AFAICT, it uses the configured preauthentication credentials to
sign each packet that goes between jCIFS and the server.

What about the packets going between the client (browser) and jCIFS? I
assume that the client is signing them, but the signature is not being
checked, right? I don't see a way for jCIFS to check the signature, although
I'll confess that I don't understand SMB signing completely.

Is there a security hole here? Is that the sort of thing that Jespa could
address?

Thanks for any information.

-Jim