NTLM filter


NTLM filter

Emmanuel Potvin
Hi. My question does not directly concern jCIFS, but I think you are the
people who can understand my problem. In fact, it is an NTLM with J2EE web
server problem.

My application security is based on Windows domain login. When a user logs in,
he doesn't have to enter any credentials. The server asks for NTLM
authentication and logs in with it. To do that, I created a Filter and added it
to my application.

My Filter class name is com.cpa.gare.application.presentation.NtlmFilter. I
sent the source file as an attachment.

As you can see, the filter returns an authentication error to the navigator
until it gets the login information, and then it puts them in the request
attributes "adDomain" and "adUserName". (ad is for Active Directory.)

So I can use these attributes in my servlets to authenticate the user.

With JBoss, it works perfectly. I get the right information every time, from
everywhere. But when I use Oracle OC4J (as I must for my current
development), I get an error I don't understand... First, instead of just
getting the information from Explorer, it pops up a login screen as if I were
using Firefox. Second, if I put a user in the login screen, it uses this login
name. And for the domain name, it takes the Oracle application server name.
For example, in my case: as10gmidtier.cpaerp.net (this is not even a domain
name, this is a server name).

I really need to solve this problem... If anybody has a clue...

Emmanuel Potvin


Attachment: NtlmFilter.java (3K)

Re: NTLM filter

Richard Caper
This code (or similar) has been floating around on message boards for
years, and is really crap:


1) It doesn't actually authenticate anything.  It just takes whatever
the client sends, parses out username information, and uses that.  The
user can set their options in Internet Explorer to always prompt for
authentication (or use Firefox or another browser that prompts) and
whatever username they specify will come across as the user.  It
doesn't check that they actually are that person (which is the whole
point), so is useless for authentication to a system.  To actually
authenticate the user, you need to pass the challenge and response
between the client and a domain controller (which is what jCIFS does).


2) It hardcodes all the NTLM options, which are supposed to be
negotiated between the client and server.  This will cause
inconsistent behavior across various clients, servers, etc. (which is
almost certainly what you are seeing).  Basically the reason it's not
working is there are (at least) dozens of combinations of flag
settings that can be negotiated between the client and server, and
you're just hardcoding one single permutation.



On 12/7/05, Emmanuel Potvin <[hidden email]> wrote:

> Hi. My question does not directly concern jCIFS, but I think you are the
> people who can understand my problem. In fact, it is an NTLM with J2EE web
> server problem.
>
> My application security is based on Windows domain login. When a user logs in,
> he doesn't have to enter any credentials. The server asks for NTLM
> authentication and logs in with it. To do that, I created a Filter and added it
> to my application.
>
> My Filter class name is com.cpa.gare.application.presentation.NtlmFilter. I
> sent the source file as an attachment.
>
> As you can see, the filter returns an authentication error to the navigator
> until it gets the login information, and then it puts them in the request
> attributes "adDomain" and "adUserName". (ad is for Active Directory.)
>
> So I can use these attributes in my servlets to authenticate the user.
>
> With JBoss, it works perfectly. I get the right information every time, from
> everywhere. But when I use Oracle OC4J (as I must for my current
> development), I get an error I don't understand... First, instead of just
> getting the information from Explorer, it pops up a login screen as if I were
> using Firefox. Second, if I put a user in the login screen, it uses this login
> name. And for the domain name, it takes the Oracle application server name.
> For example, in my case: as10gmidtier.cpaerp.net (this is not even a domain
> name, this is a server name).
>
> I really need to solve this problem... If anybody has a clue...
>
> Emmanuel Potvin
>
>
>
>
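As an added example (not code from the thread, from jCIFS, or from Emmanuel's filter), the Python below decodes the client-supplied fields of an NTLM Type 3 message, shows that the negotiated flags even decide how those fields are encoded, and puts the response check the criticised filter skips in the one place a filter can call it. Offsets follow the public NTLM AUTHENTICATE_MESSAGE layout; the `verify_response` callback is an assumed stand-in for the domain-controller round trip jCIFS performs.

```python
import struct

# Added example, not code from the thread or from jCIFS. Offsets follow the public
# NTLM AUTHENTICATE_MESSAGE (Type 3) layout; flag values are the standard ones.
NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
NEGOTIATE_NTLM = 0x00000200

def _encoding(flags):
    # The negotiated flags decide how the text fields are encoded. A filter that
    # hardcodes one flag set will mis-decode a client that negotiated the other.
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"

def _field(buf, off):
    """Read a security-buffer descriptor (len, maxlen, offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def parse_type3(msg):
    """Return the client-supplied fields of a Type 3 message. Nothing here is verified."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = _encoding(flags)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "nt_response": _field(msg, 20),
        "flags": flags,
    }

def build_type3(domain, user, nt_response, flags):
    """Build a minimal Type 3 message as constructed test data (no Version or MIC)."""
    enc = _encoding(flags)
    fields = [b"", nt_response, domain.encode(enc), user.encode(enc), b"", b""]  # LM, NT, domain, user, host, key
    header, payload = NTLMSSP + struct.pack("<I", 3), b""
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return header + struct.pack("<I", flags) + payload

def authenticated_identity(msg, verify_response):
    """The step the criticised filter skips: trust the name only after the challenge
    response has been checked (verify_response stands in for the DC round trip)."""
    p = parse_type3(msg)
    if not verify_response(p["domain"], p["user"], p["nt_response"]):
        return None
    return p["domain"], p["user"]
```

The same domain and user decode correctly whether the client negotiated Unicode or OEM text, which a filter with hardcoded flags cannot do; and a message whose response fails verification yields no identity at all.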

Re: NTLM filter

Emmanuel Potvin
I see... I note it. So I should seriously think about using jcifs...

And what do you think about the fact that mod_jk doesn't let the 401 response
pass through to the client?



Just a test

Emmanuel Potvin
I have a Solaris server with JBoss installed on it. I want to try jCIFS, and
I saw in the documentation that the domain controller can be a workstation. I
want to make a test, just to see if I can make it work.

So here is what I did, and it doesn't work... I have a popup screen instead
of an automatic authentication... And even if I try a real login and password, it
doesn't work.

I put the jCIFS.jar file in my WEB-INF/lib directory

I added this to my web.xml file:

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>10.1.60.103</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>MANU</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

10.1.60.103 is the IP address of my workstation, and MANU is the name of my
workstation... Maybe there's something I don't understand... Is what I want
to do possible?

Emmanuel