NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

My Chi Doan
Hi,

We have an NTLM HTTP client (as example NtlmHttpClient.java), which
authenticates the user against a web application using
http://<NTdomain\login>:<password>@<host>:<port>/....

Depending on which JVM the client is using, we get different behaviors:

1) When using "stand-alone" JVM (version 1.4.1_01), the ntlm
authentication works fine. It means the NT login is authenticated
correctly according to the above url.

The command looks like:
C:\myjre\bin\java -Djava.protocol.handler.pkgs=jcifs -cp ./jcifs-1.2.7.jar;. NtlmHttpClient <parameters..>


2) When using the System JVM (version 1.4.2_10), regardless of which login
and password is used in the URL above, the user who is logged in on the
PC is always the one who gets authenticated. E.g. xxx works on the PC of
yyy and tries to call the NTLM client with his own NT login and password.
The authentication is always performed for user yyy instead of xxx.
It looks like in this case Sun's NTLM is used instead of jcifs.

The command looks like:
java -Djava.protocol.handler.pkgs=jcifs -cp ./jcifs-1.2.7.jar;. NtlmHttpClient <parameters..>


Did anybody experience the same problem? I searched in this newsgroup,
but couldn't find any posting related to that.

Is it possible to switch off the Sun NTLM and use jCIFS instead?

Any hint is highly appreciated.

Thanks, My Chi


Re: NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

Michael B Allen-4
On Thu, 02 Feb 2006 16:59:55 +0100
My Chi Doan <[hidden email]> wrote:

> Hi,
>
> We have a ntlm http client (as example NtlmHttpClient.java), which
> authenticates user against a web application using
> http://<NTdomain\login>:<password>@<host>:<port>/....

I don't have an answer to your problem but we don't use '\' to separate
the domain from the username.

Mike

Re: NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

My Chi Doan
Hi Mike,

yes, it was a typo of mine. Actually we use

http://domain%5cuser:password@host/...

instead of domain\user.

Thanks, My Chi


Re: NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

Oliver Schoett
In reply to this post by My Chi Doan
My Chi Doan wrote:
> 2) When using System JVM (version 1.4.2_10), regardless which login
> and password is used in the url above, always the user, who is logged
> in on the PC, is got authenticated. E.g. xxx works on PC of yyy and
> tries to call the ntlm client with his own NT login and password. The
> authentication is always performed for user yyy instead of xxx.
> It looks like in this case the Sun's NTLM is used instead of jcifs.
Hmm, this is the third time this has been asked since Jan 25.  Maybe it
should become an entry in the Documentation and/or FAQ:

    NTLM authentication of HTTP requests works automatically in Sun JRE
    1.4.2_02 and higher on Windows (including Java 5, but I haven't
    tested that): When you make an HTTP request to a Web server that
    requires Windows authentication, an NTLM authentication attempt is
    made automatically and transparently with the user's Windows
    credentials (see Java Bug 4857110).  Only when that attempt fails
    the java.net.Authenticator class is invoked to get a user name and
    password.

    See also
    http://java.sun.com/j2se/1.4.2/docs/guide/net/properties.html#ntlm

I do not know how to turn off the initial NTLM authentication with the
Windows user credentials.

Regards,

Oliver Schoett


Re: Re: NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

Michael B Allen-4
On Fri, 03 Feb 2006 16:56:35 +0100
Oliver Schoett <[hidden email]> wrote:

> My Chi Doan wrote:
> > 2) When using System JVM (version 1.4.2_10), regardless which login
> > and password is used in the url above, always the user, who is logged
> > in on the PC, is got authenticated. E.g. xxx works on PC of yyy and
> > tries to call the ntlm client with his own NT login and password. The
> > authentication is always performed for user yyy instead of xxx.
> > It looks like in this case the Sun's NTLM is used instead of jcifs.
> Hmm, this is the third time this has been asked since Jan 25.  Maybe it
> should become an entry in the Documentation and/or FAQ:
>
>     NTLM authentication of HTTP requests works automatically in Sun JRE
>     1.4.2_02 and higher on Windows (including Java 5, but I haven't
>     tested that): When you make an HTTP request to a Web server that
>     requires Windows authentication, an NTLM authentication attempt is
>     made automatically and transparently with the user's Windows
>     credentials (see Java Bug 4857110).  Only when that attempt fails
>     the java.net.Authenticator class is invoked to get a user name and
>     password.
>
>     See also
>     http://java.sun.com/j2se/1.4.2/docs/guide/net/properties.html#ntlm
>
> I do not know how to turn off the initial NTLM authentication with the
> Windows user credentials.

The correct way to resolve this issue would be to provide a full
blown HTTP client rather than just wrap calls to the included Sun
HTTP client. But it would be nice if there was a way to disable NTLM
negotiation so that JCIFS can still work.

Mike

Re: NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

Oliver Schoett
Michael B Allen wrote:
> [...] it would be nice if there was a way to disable NTLM
> negotiation so that JCIFS can still work.
>  
I am a bit confused by this sentence.  JCIFS on the server works
perfectly fine with a Sun JRE on a Windows Client in the vast majority
of cases:

    * If your Windows credentials are accepted by the server, you are
      logged in automatically.  This is the case that is important to
      compete with the Windows technologies in a corporate environment
      and probably covers >90% of users.

    * If your Windows credentials are not accepted by the server, the
      java.net.Authenticator is invoked, i. e., you are prompted for
      username/password as usual.  This probably covers another >5% of
      users.

    * The only problem occurs if your Windows credentials are accepted
      by the server, but you want to use a *different* user identity.
      This does not seem possible unless the automatic login by Sun's
      HTTP client can be turned off.  However, I consider this a rare
      case (<5%).

Regards,

Oliver Schoett


Fwd: Re: NTLM http client uses Sun NTLM coming with JVM 1.4.2_10 instead of jcifs

Richard Caper
Forgot to copy list.

---------- Forwarded message ----------
From: Richard Caper <[hidden email]>
Date: Feb 7, 2006 5:58 AM
Subject: Re: [jcifs] Re: NTLM http client uses Sun NTLM coming with
JVM 1.4.2_10 instead of jcifs
To: Oliver Schoett <[hidden email]>


He is talking about the JCIFS client piece.  The specific use case
would be you want to provide specific credentials and connect to an
NTLM site (could be JCIFS, could be IIS).  The JCIFS HttpURLConnection
wrapper allows you to do this on non-Windows clients.  On Windows the
built-in JVM handler automatically uses the logged in user credentials
and bypasses the JCIFS handler.

As noted this is probably a pretty rare scenario (i.e. you would
usually want the out-of-box JVM behavior, and would only need JCIFS on
non-Windows clients to approximate the Windows behavior).  If you do
need to use it on a Windows client there is a hacky way to disable the
JVM handler from automatically authenticating:

System.setProperty("os.name", "something else");

i.e. the Sun handler tests if the local OS is Windows when determining
whether NTLM is supported (since it uses native calls).


On 2/6/06, Oliver Schoett <[hidden email]> wrote:

> Michael B Allen wrote:
> > [...] it would be nice if there was a way to disable NTLM
> > negotiation so that JCIFS can still work.
> >
> I am a bit confused by this sentence.  JCIFS on the server works
> perfectly fine with a Sun JRE on a Windows Client in the vast majority
> of cases:
>
>     * If your Windows credentials are accepted by the server, you are
>       logged in automatically.  This is the case that is important to
>       compete with the Windows technologies in a corporate environment
>       and probably covers >90% of users.
>
>     * If your Windows credentials are not accepted by the server, the
>       java.net.Authenticator is invoked, i. e., you are prompted for
>       username/password as usual.  This probably covers another >5% of
>       users.
>
>     * The only problem occurs if your Windows credentials are accepted
>       by the server, but you want to use a *different* user identity.
>       This does not seem possible unless the automatic login by Sun's
>       HTTP client can be turned off.  However, I consider this a rare
>       case (<5%).
>
> Regards,
>
> Oliver Schoett
>
>
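
The os.name workaround from the message above, scoped so that the override is undone once the request has completed; this is an added example, not code from the thread or from jCIFS. The class name, host and credentials are constructed placeholders, and it assumes the JVM is started with -Djava.protocol.handler.pkgs=jcifs as in the original post and that no HTTP connection was opened earlier in the same process.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical class name; launch with the command line from the original post:
//   java -Djava.protocol.handler.pkgs=jcifs -cp ./jcifs-1.2.7.jar;. ExplicitNtlmClient <url>
public class ExplicitNtlmClient {

    // Constructed placeholder in the URL form quoted earlier in the thread
    // (domain%5cuser:password@host). Replace with real values.
    static final String SAMPLE_URL =
            "http://EXAMPLEDOM%5csvcuser:changeme@intranet.example/app/";

    /**
     * Requests the URL while os.name is overridden, so that (per the thread)
     * the Sun handler does not treat the client as Windows and does not send
     * the logged-in user's credentials ahead of the ones in the URL.
     */
    static int fetchStatus(String target) throws IOException {
        String realOsName = System.getProperty("os.name");
        // os.name is process-wide: any other code that reads it while the
        // override is active also sees the fake value, so keep the window small.
        System.setProperty("os.name", "something else");
        try {
            HttpURLConnection conn =
                    (HttpURLConnection) new URL(target).openConnection();
            // getResponseCode() drives the whole exchange, including the
            // authentication round trips, so it must run inside the override.
            return conn.getResponseCode();
        } finally {
            // Assumption: restoring the value afterwards is safe. The thread
            // does not say whether the Sun handler caches its OS check.
            System.setProperty("os.name", realOsName);
        }
    }

    public static void main(String[] args) throws IOException {
        String target = args.length > 0 ? args[0] : SAMPLE_URL;
        System.out.println("HTTP status: " + fetchStatus(target));
    }
}
```

To confirm which identity was used, check the authenticated user name in the server's access log for the request rather than relying on the status code alone.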