[jcifs] Create and Write Permissions on a Directory

Michael B Allen ioplex at gmail.com
Fri Feb 19 18:34:51 MST 2010

Hi Mike,

Actually, now that I think about it, you're right, you would need to
the user's list of group SIDs. That is only provided with SamUserInfo
structures during server-side authentication (or perhaps by querying
the tokenGroups attribute on the account using LDAP) but the expansion
of nested groups is slightly different depending on how the SIDs are
queried so the whole thing is non-trivial.

If you had the list of group SIDs, it would be somewhat obvious as to
how to traverse the ACL returned by getSecurity and perform the access

And no, JCIFS does not have code for any of the above.


On Fri, Feb 19, 2010 at 6:22 PM, Michael Matczynski <mjm at alum.mit.edu> wrote:
> Mike,
> Thanks for the quick reply!
> Do you know if there's a patch or any library that helps in traversing
> the ACL?  Also, do you know if this is achievable with only the
> classes in jcifs, or are there pieces missing?  Specifically, I'm
> wondering about the case where a group has access to a directory, and
> a user is in that group - how would I determine if a given user is in
> that group?  I'm assuming this would require querying another service
> and that isn't related to CIFS?
> Thanks!
> Mike
> On Fri, Feb 19, 2010 at 5:12 PM, Michael B Allen <ioplex at gmail.com> wrote:
>> Hi Mike,
>> The canWrite method just looks at the file attributes which these days
>> is totally useless.
>> To logically determine if someone can write a directory you would have
>> to retrieve the ACL and evaluate it like a Windows server would. This
>> is what canWrite should do.
>> The most practical method is to simply try to create and write to an
>> object in the directory and catch the exception. If it works, they
>> have create and write permission. If it fails they don't.
>> Mike
>> On Fri, Feb 19, 2010 at 11:33 AM, Michael Matczynski <mjm at alum.mit.edu> wrote:
>>> Hello!
>>> Once authenticated via NtlmPasswordAuthentication, what's the best way
>>> to determine if that user has CREATE and WRITE permissions in a CIFS
>>> SmbFile directory?
>>> I've tried taking the SmbFile of the directory and calling canWrite(),
>>> but on an OpenFiler/Samba server this was returning 'true' while on a
>>> Windows 2003 Server it was returning 'false' (even though creating a
>>> SmbFile inside that directory and calling getOutputStream() was
>>> successful).
>>> Thanks!
>>> Mike
>> --
>> Michael B Allen
>> Java Active Directory Integration
>> http://www.ioplex.com/

Michael B Allen
Java Active Directory Integration

More information about the jCIFS mailing list