getting the password after successful NTLM HTTP Filter validation


getting the password after successful NTLM HTTP Filter validation

Ward, Ian

I am adding Windows domain SSO to my Java app but am using an existing product underneath, and it performs its own validation.

It says in the documentation on the JCIFS site that...

The password hashes generated when they logged on to their workstation will be negotiated during the initial request for a session, passed through jCIFS, and validated against a PDC or BDC. This also makes the user's domain, username, and password available for managing session information, profiles, preferences, etc.

I have found how to get the user's name and domain using 'req.getRemoteUser();' but cannot see how to get the password... is this possible?

If not (as I suspect) is it possible to at least get a password hash which could then be validated by the underlying product in a custom validation routine? Or do I have to generate one myself?

Cheers

Ian Ward


Re: getting the password after successful NTLM HTTP Filter validation

Richard Caper
The hashes are not really available to JCifs, just the responses
(formulated from the hash and the challenge sent by the server).  In
the Windows world the hash is a password-equivalent.  So the server
sends a challenge which the client combines with the password hash to
get the response; the server does the same calculation to verify they
know the password.

Unfortunately the response will be different for each challenge, so
there's not really a way to store the hash and use that in your app.


RE: getting the password after successful NTLM HTTP Filter validation

Ward, Ian
Thanks for the response, it was what I thought.

I am therefore going to have the web app generate a temporary, pseudo
random, timestamped password, store it and pass it to the application.
The application will then check if it was stored (and within a timeout
period) and delete it (to avoid repeat attacks).

Does this make sense to you? Is there an easier way that I'm missing?
Where do you think would be the best place to store the temporary
password?

Cheers

Ian

-----Original Message-----
From: Richard Caper [mailto:[hidden email]]
Sent: Tuesday, 27 June 2006 16:46
To: Ward, Ian
CC: [hidden email]
Subject: Re: [jcifs] getting the password after successful NTLM HTTP Filter validation

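Ian's proposed hand-off (the web tier mints a random, time-limited, single-use credential after the NTLM filter has authenticated the user, the backend checks it once and deletes it), as an added example. It is not the poster's code and is written in Python rather than the Java of the original app; the class name `HandoffTokens`, the 30 second lifetime and the user names are assumptions. Two design choices go a step beyond the post: only a SHA-256 digest of the token is kept, so a leaked store yields nothing redeemable, and the identity is bound to the token at issue time, so the backend learns who the user is from the store rather than from anything the caller claims.

```python
"""Single-use, time-limited hand-off token standing in for a password the web
tier never had. Constructed example; not the poster's code."""
import hashlib
import secrets
import time


class HandoffTokens:
    def __init__(self, ttl_seconds: float = 30.0, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._store = {}             # sha256(token) -> (user, domain, expires_at)

    def issue(self, user: str, domain: str) -> str:
        """Web tier: call after the NTLM filter has populated getRemoteUser()."""
        self._purge()
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._store[self._digest(token)] = (user, domain, self._clock() + self._ttl)
        return token

    def redeem(self, token: str):
        """Backend: returns (user, domain) exactly once, else None.
        The entry is popped before any check, so a token dies on first touch
        whether or not that touch succeeds."""
        entry = self._store.pop(self._digest(token), None)
        if entry is None:
            return None
        user, domain, expires_at = entry
        if self._clock() > expires_at:
            return None
        return (user, domain)

    def _purge(self):
        """Drop expired entries so the store cannot grow without bound."""
        now = self._clock()
        for key in [k for k, (_, _, exp) in self._store.items() if now > exp]:
            del self._store[key]

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()


def demo():
    """Issue once, redeem twice: the first redemption succeeds, the replay fails."""
    tokens = HandoffTokens(ttl_seconds=30)
    t = tokens.issue("iward", "CORP")                # constructed user/domain
    return tokens.redeem(t), tokens.redeem(t)


if __name__ == "__main__":
    print(demo())
```

On the storage question Ian raises: whatever holds the store (in-process map, database table, shared cache) must be reachable by both the web tier and the backend, and the token itself must travel to the backend over a channel the browser cannot observe or replay, otherwise the one-shot check only limits the damage rather than preventing it.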