[jcifs] jCIFS NTLM HTTP and SMB Signing

Michael B Allen ioplex at gmail.com
Fri Mar 27 00:14:51 GMT 2009

On Thu, Mar 26, 2009 at 4:45 PM, Jim Davidson <jdavidson at acm.org> wrote:
> I'm working on an application using NTLM SSO with Windows2003 (with SMB
> Signing required).
> The preauthentication approach
> (http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing) seems to work
> just fine.  AFAICT, it uses the configured preauthentication credentials to
> sign each packet that goes between jCIFS and the server.
> What about the packets going between the client (browser) and jCIFS?  I
> assume that the client is signing them, but the signature is not being
> checked, right? I don't see a way for jCIFS to check the signature, although
> I'll confess that I don't understand SMB signing completely.

The signing referred to in the NTLM HTTP Filter documentation refers
to SMB signing between the Filter and the "domain controller" and NOT
the communication between the HTTP client and the web server.

> Is there a security hole here?  Is that the sort of thing that Jespa could
> address?

No. There is no such thing as signing of HTTP requests/responses. It's
not a bad idea but at least I've never heard of such a thing. If you
want to protect HTTP streams, the standard solution is to use HTTPS.


Michael B Allen
Java Active Directory Integration

More information about the jcifs mailing list