[jcifs] jCIFS NTLM HTTP and SMB Signing

Jim Davidson jdavidson at acm.org
Fri Mar 27 18:03:26 GMT 2009


Mike,

Thanks for the quick reply.

After I sent my message I thought about it some more, and realized that the 
HTTP traffic from browser to filter was probably not using SMB in any way, 
and therefore not affected by signing requirements.

Your message confirms my (imperfect) understanding.  Thanks again.

-Jim

On 3/26/2009 5:14 PM, Michael B Allen wrote:
> On Thu, Mar 26, 2009 at 4:45 PM, Jim Davidson <jdavidson at acm.org> wrote:
>> I'm working on an application using NTLM SSO with Windows2003 (with SMB
>> Signing required).
>>
>> The preauthentication approach
>> (http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing) seems to work
>> just fine.  AFAICT, it uses the configured preauthentication credentials to
>> sign each packet that goes between jCIFS and the server.
>>
>> What about the packets going between the client (browser) and jCIFS?  I
>> assume that the client is signing them, but the signature is not being
>> checked, right? I don't see a way for jCIFS to check the signature, although
>> I'll confess that I don't understand SMB signing completely.
> 
> The signing referred to in the NTLM HTTP Filter documentation refers
> to SMB signing between the Filter and the "domain controller" and NOT
> the communication between the HTTP client and the web server.
> 
>> Is there a security hole here?  Is that the sort of thing that Jespa could
>> address?
> 
> No. There is no such thing as signing of HTTP requests/responses. It's
> not a bad idea but at least I've never heard of such a thing. If you
> want to protect HTTP streams, the standard solution is to use HTTPS.
> 
> Mike
> 