WebSphere Application Server - Win2K NTLM authentification


Author Win2K NTLM authentification
Martin Jonik

2004-01-19, 2:51 pm

I am using WebSphere 4.0.3 and I would like to use NTLM authentication.
I am not connected to a Win2K Active Directory but want to get the
username, workstation and domain name of the users. Is it possible to
configure the WebSphere Application Server (not the Apache with mod_ntlm)
to use the Windows NTLM authentication?

Thanks in advance

Martin Jonik


Ben_

2004-01-19, 2:51 pm

No (AFAIK). WebSphere supports form-based, basic and digest authentication,
but not NTLM.

By the way, username, workstation and domain are simply base64-encoded in
the response the client provides. So, it is possible to write a servlet to
NTLM challenge the browser and retrieve this information, but you can't
trust it as you have no means to validate the user password. A description
of NTLM is available at http://www.innovation.ch/java/ntlm.html.

There are several Java (and Java with jni) solutions to perform NTLM
authentication (see http://www.luigidragone.com/networking/ntlm.html), but
I'm not sure you can use them server-side, as what you want, if I understand
correctly, is validate given credentials and not build valid client
credentials.

Ben.
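
An added example illustrating the reply above (not code from the thread or from jguru.com): a bounds-checked reader for the domain, user and workstation buffers of an NTLM Type 3 message, run on a constructed sample. It returns whatever the client put in those buffers and never looks at the LM/NT response, so the values are claims and not a validated identity. The class name Type3Claims, the sample names, the `unicode` parameter (standing for the encoding the server negotiated in its challenge) and ISO-8859-1 as the OEM charset are assumptions; it needs Java 8 or later for java.util.Base64.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class Type3Claims {
    static final byte[] SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

    static int u16(byte[] m, int i) { return (m[i] & 0xff) | (m[i + 1] & 0xff) << 8; }
    static int u32(byte[] m, int i) { return u16(m, i) | u16(m, i + 2) << 16; }

    // Security buffer descriptor: u16 length, u16 allocated size, u32 offset from message start.
    static String field(byte[] m, int desc, boolean unicode) {
        int len = u16(m, desc), off = u32(m, desc + 4);
        if (len == 0) return "";
        if (off < 52 || off > m.length - len)          // also rejects offsets with the top bit set
            throw new IllegalArgumentException("security buffer outside message");
        return new String(m, off, len, unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1);
    }

    // Returns {domain, user, workstation} exactly as the client sent them: claims, not an identity.
    static String[] parse(String header, boolean unicode) {
        if (!header.startsWith("NTLM ")) throw new IllegalArgumentException("not an NTLM header");
        byte[] m = Base64.getDecoder().decode(header.substring(5).trim());
        if (m.length < 52) throw new IllegalArgumentException("truncated Type 3 header");
        for (int i = 0; i < 8; i++)
            if (m[i] != SIG[i]) throw new IllegalArgumentException("bad signature");
        if (u32(m, 8) != 3) throw new IllegalArgumentException("not a Type 3 message");
        return new String[] {field(m, 28, unicode), field(m, 36, unicode), field(m, 44, unicode)};
    }
    static void desc(ByteBuffer b, int len, int off) { b.putShort((short) len).putShort((short) len).putInt(off); }

    public static void main(String[] args) {
        // Constructed sample message (not captured traffic): 64-byte header + UTF-16LE payload.
        String[] names = {"CORP", "mj", "PC01"};
        ByteBuffer b = ByteBuffer.allocate(84).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIG).putInt(3);
        desc(b, 0, 64); desc(b, 0, 64);               // LM/NT responses: never read by parse()
        int off = 64;
        for (String n : names) { desc(b, 2 * n.length(), off); off += 2 * n.length(); }
        desc(b, 0, off); b.putInt(0x8201);            // session key (empty), flags
        for (String n : names) b.put(n.getBytes(StandardCharsets.UTF_16LE));
        String[] f = parse("NTLM " + Base64.getEncoder().encodeToString(b.array()), true);
        System.out.println("claimed domain=" + f[0] + " user=" + f[1] + " workstation=" + f[2]);
        b.putInt(48, 4096);                           // workstation offset now points past the end
        try { parse("NTLM " + Base64.getEncoder().encodeToString(b.array()), true); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```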


Martin Jonik

2004-01-19, 2:51 pm

Thanks for your response.
I already tried to use a servlet like you described.
I found some source code on jguru.com.
The servlet shows me the username, domain name and workstation name.
But unfortunately, after this action, the WebSphere Server doesn't
accept HTML form posts any longer.
After the Internet Explorer went through the NTLM
servlet and sent the information the servlet redirects to a jsp
page which contains a form, some fields and a submit button.
By submitting the form using the POST method the WebSphere Server
cannot get the parameters by using the request.getParameter() method.
The result is always null. By changing the submit method to GET everything
works fine. The problem only appears with Internet Explorer (all versions)
and using that NTLM servlet.
On this account I'd like to configure the server itself to do the NTLM
authentication.

Perhaps anyone of you knows why the WebSphere Server doesn't accept
form posts any longer when the browser has accessed my servlet.

Here is the code:


######################################################################################
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.*;
import java.io.*;


public class Ntlmauth extends HttpServlet
{
    // NTLM Type 2 (challenge) message: signature, message type 2, flags, fixed 8-byte nonce
    final private static byte[] CHALLENGE_MESSAGE =
        {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', 0,
         2, 0, 0, 0, 0, 0, 0, 0,
         40, 0, 0, 0, 1, (byte)130, 0, 0,
         0, 2, 2, 2, 0, 0, 0, 0, // nonce
         0, 0, 0, 0, 0, 0, 0, 0};

    /**
     * HTTP request processing
     */
    protected void service(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
    {
        try
        {
            PrintWriter out = response.getWriter();

            String auth = request.getHeader("Authorization");

            // No credentials yet: ask the browser to start NTLM
            if (auth == null)
            {
                response.setContentLength(0);
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setHeader("WWW-Authenticate", "NTLM");
                response.flushBuffer();
                return;
            }

            if (!auth.startsWith("NTLM ")) return;

            byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));

            // Step 1: Negotiation message received
            if (msg[8] == 1)
            {
                // Send challenge message (Step 2)
                response.setContentLength(2);
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setHeader("WWW-Authenticate", "NTLM " +
                    new sun.misc.BASE64Encoder().encodeBuffer(CHALLENGE_MESSAGE));
                out.println(" ");
                response.flushBuffer();
                return;
            }

            // Step 3: Authentication message received
            if (msg[8] == 3)
            {
                int off = 30;
                int length, offset;

                // Java bytes are signed: mask with 0xff before combining the
                // little-endian 16-bit length and offset values
                length = ((msg[off+1] & 0xff) << 8) + (msg[off] & 0xff);
                offset = ((msg[off+3] & 0xff) << 8) + (msg[off+2] & 0xff);
                String domain = new String(msg, offset, length);

                length = ((msg[off+9] & 0xff) << 8) + (msg[off+8] & 0xff);
                offset = ((msg[off+11] & 0xff) << 8) + (msg[off+10] & 0xff);
                String user = new String(msg, offset, length);

                length = ((msg[off+17] & 0xff) << 8) + (msg[off+16] & 0xff);
                offset = ((msg[off+19] & 0xff) << 8) + (msg[off+18] & 0xff);
                String ws = new String(msg, offset, length);

                // Remove blanks
                domain = removeBlanks(domain);
                user = removeBlanks(user);
                ws = removeBlanks(ws);

                System.out.println(user);
                System.out.println(domain);
                System.out.println(ws);

                String redirect_url = "accessdenied.jsp";

                if (user.equals("mj")) redirect_url = "formular.jsp"; // <-mj is my winnt login name

                // redirect
                response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
                response.sendRedirect(redirect_url);
                response.flushBuffer();
            }
        }
        catch (Throwable ex)
        {
            ex.printStackTrace();
        }
    }

    /**
     * Removes non-printable characters from a string
     */
    private String removeBlanks(String s)
    {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length(); i++)
        {
            char c = s.charAt(i);
            if (c > ' ')
                sb.append(c);
        }

        return sb.toString();
    }

}
######################################################################################


"Ben_" <reply@newsgroup.com> wrote in message
news:bl9ive$50n8$1@news.boulder.ibm.com...

> No (AFAIK). WebSphere supports form-based, basic and digest authentication,
> but not NTLM.
>
> By the way, username, workstation and domain are simply base64-encoded in
> the response the client provides. So, it is possible to write a servlet to
> NTLM challenge the browser and retrieve this information, but you can't
> trust it as you have no means to validate the user password. A description
> of NTLM is available at http://www.innovation.ch/java/ntlm.html.
>
> There are several Java (and Java with jni) solutions to perform NTLM
> authentication (see http://www.luigidragone.com/networking/ntlm.html), but
> I'm not sure you can use them server-side, as what you want, if I understand
> correctly, is validate given credentials and not build valid client
> credentials.
>
> Ben.




edeniko

2004-03-25, 10:34 am

sorry

Copyright 2003 - 2008 webservertalk.com