
Thread: NTLM Authentication with Servlets

  1. #1
    Join Date
    Aug 2004
    Location
    Brussels, Belgium
    Posts
    12

    NTLM Authentication with Servlets

    Hello,

    I'm working in a large corporation. Our Customer Service Dept is using a lot of Intranet web applications, and for each webapp the user needs to type a username and password (if they still remember the corresponding one).

    A colleague told me about NTLM recently.
    I have found it very interesting in the context of an Intranet environment where all users are using the IE browser.
    Users don't need to type a username and password anymore; they will be authenticated seamlessly via their NT login (Single Sign-On).

    Below is the final code from this discussion:
    http://www.jguru.com/faq/viewquestion.jsp?EID=393110
    and some interesting documentation about NTLM:
    http://www.innovation.ch/java/ntlm.html

    Code:
    // Imports needed in the servlet: javax.servlet.http.HttpServletResponse,
    // java.io.PrintWriter, java.nio.charset.Charset, java.nio.charset.StandardCharsets,
    // java.util.Base64 (replaces the non-public sun.misc.BASE64Decoder/BASE64Encoder).
    String auth = request.getHeader("Authorization");
    if (auth == null)
    {
      // Round trip 1: ask for NTLM; IE replies with a Type 1 (negotiate) message.
      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      response.setHeader("WWW-Authenticate", "NTLM");
      response.flushBuffer();
      return;
    }
    if (auth.startsWith("NTLM "))
    {
      byte[] msg = Base64.getDecoder().decode(auth.substring(5).trim());
      // Every NTLMSSP message starts with "NTLMSSP\0" and a 4-byte type at offset 8.
      if (msg.length < 12
          || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0"))
      {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
      }
      int off, length, offset;
      if (msg[8] == 1)
      {
        // Round trip 2: Type 2 (challenge). Bytes 20-23 are the flags 0x00008201
        // (Unicode | NTLM | Always Sign); bytes 24-31 are the 8-byte server challenge.
        // The challenge here is a fixed constant and nothing below checks the
        // client's response, so this code only learns the identity the client claims.
        byte z = 0;
        byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
          z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z,
          (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,
          (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
        response.setHeader("WWW-Authenticate", "NTLM " +
           Base64.getEncoder().encodeToString(msg1));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
      }
      else if (msg[8] == 3)
      {
        // Round trip 3: Type 3 (authenticate). Security buffers of the form
        // [len:2][maxlen:2][offset:4] start at byte 12: LM response, NT response,
        // domain (28), user (36), workstation (44). The original summed signed
        // Java bytes, so any length or offset >= 128 came out negative; mask with 0xff.
        int flags = msg.length >= 64
          ? (msg[60] & 0xff) | ((msg[61] & 0xff) << 8)
            | ((msg[62] & 0xff) << 16) | ((msg[63] & 0xff) << 24)
          : 0x8201;   // the flags field is optional; fall back to what our Type 2 asked for
        // With NEGOTIATE_UNICODE (bit 0) set the strings are UTF-16LE, not the
        // platform default charset; otherwise they are in the OEM code page.
        Charset cs = Charset.forName((flags & 1) != 0 ? "UTF-16LE" : "IBM437");
        String[] names = new String[3];
        for (int i = 0; i < 3; i++)
        {
          off = 28 + 8 * i;
          length = ((msg[off+1] & 0xff) << 8) | (msg[off] & 0xff);
          offset = ((msg[off+5] & 0xff) << 8) | (msg[off+4] & 0xff);
          if (offset + length > msg.length)   // buffer must lie inside the message
          {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
          }
          names[i] = new String(msg, offset, length, cs);
        }
        String domain = names[0], username = names[1], remoteHost = names[2];

        PrintWriter out = response.getWriter();
        out.println("Username:" + username + "<BR>");
        out.println("RemoteHost:" + remoteHost + "<BR>");
        out.println("Domain:" + domain + "<BR>");
      }
    }
    Is there any similar support in Acegi?
    Or how would you use NTLM with Acegi?

    I'm new to all of this area.
    Sorry if my question is unclear or has an obvious answer.

    Regards,

    José.
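
    The three HTTP round trips that the servlet code above drives, as an added example in Python rather than Java so it runs outside a servlet container (this is not code from the original post, from jGuru or from innovation.ch). It builds the Type 2 challenge a server should send (fresh random bytes, where the servlet hard-codes them), builds the Type 3 message a client returns, and parses the Type 3 with unsigned arithmetic, bounds checks on every security buffer, and the string charset chosen from the negotiated flags. The domain, user and workstation names and the all-zero LM/NT response fields are constructed test data. Nothing here verifies the responses: that needs the user's NT hash or a domain controller, which the posted servlet does not have either, so what both extract is only the identity the client claims.

```python
import base64
import os
import struct

# Added example, not code from the original post. Names and response bytes
# used below are constructed test data.
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
# 0x8201: the flags the servlet's hard-coded Type 2 message advertises.
SERVER_FLAGS = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN


def _secbuf(offset, data):
    """Security buffer header: len(2), maxlen(2), offset(4), little-endian."""
    return struct.pack("<HHI", len(data), len(data), offset)


def _charset(flags):
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise in the
    # OEM code page (cp437 stands in for it here).
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"


def build_type2(flags=SERVER_FLAGS, challenge=None):
    """Server challenge (40 bytes). The servlet sends a constant challenge;
    a real server must draw 8 fresh random bytes for every handshake."""
    if challenge is None:
        challenge = os.urandom(8)
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    # signature(8) type(4) empty target-name buffer at offset 40 (8)
    # flags(4) challenge(8) context(8)
    return (SIGNATURE + struct.pack("<I", 2) + _secbuf(40, b"")
            + struct.pack("<I", flags) + challenge + b"\x00" * 8)


def build_type3(domain, user, workstation, lm_resp, nt_resp, flags=SERVER_FLAGS):
    """Client authenticate message, laid out the way IE sends it."""
    enc = _charset(flags)
    # Six security buffers in header order: LM, NT, domain, user, workstation,
    # session key (empty). The payload follows the 64-byte header.
    parts = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]
    headers, payload, pos = b"", b"", 64
    for part in parts:
        headers += _secbuf(pos, part)
        payload += part
        pos += len(part)
    return SIGNATURE + struct.pack("<I", 3) + headers + struct.pack("<I", flags) + payload


def parse_authorization(header):
    """Decode 'Authorization: NTLM <base64>' into (message type, raw bytes)."""
    if header is None or not header.startswith("NTLM "):
        return None
    raw = base64.b64decode(header[5:])
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0], raw


def parse_type3(msg, server_flags=SERVER_FLAGS):
    """Return the (domain, user, workstation) claimed in a Type 3 message.
    struct yields unsigned values, so lengths/offsets >= 128 work, and each
    buffer is checked against the message length before it is read."""
    if len(msg) < 52 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 message")
    # The flags field at 60 is optional; without it, assume what we asked for.
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else server_flags
    enc = _charset(flags)

    def field(hdr_off):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, hdr_off)
        if offset < 52 or offset + length > len(msg):
            raise ValueError("security buffer at %d points outside the message" % hdr_off)
        return msg[offset:offset + length].decode(enc)

    return field(28), field(36), field(44)   # domain, user, workstation


def handshake_demo():
    """Walk the three round trips with a client that knows no password.
    The responses are all zeros, yet the parsed identity is whatever the
    client wrote: unverified, NTLM only tells you who the client says it is."""
    type2 = build_type2()                                   # server -> client, 401
    flags = struct.unpack_from("<I", type2, 20)[0]
    type3 = build_type3("CORP", "jose", "WS01", b"\x00" * 24, b"\x00" * 24, flags)
    header = "NTLM " + base64.b64encode(type3).decode("ascii")   # client -> server
    msg_type, raw = parse_authorization(header)
    if msg_type != 3:
        raise ValueError("expected a Type 3 message")
    return parse_type3(raw, flags)


if __name__ == "__main__":
    print(handshake_demo())
```

    Run it and `handshake_demo()` returns `('CORP', 'jose', 'WS01')` even though the LM and NT response fields carry no real proof of the password. Parsing the identity is the easy part; a servlet that grants access on that alone is trusting a client-supplied string, which is why the libraries mentioned later in this thread (jCIFS, or Kerberos/SPNEGO) are the practical route.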

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    Acegi Security does not support NTLM. The fact it's not officially documented means any future support would be fragile at best.

    The key building blocks to achieve authentication via NTLM already exist in Acegi Security. If you take a look at how BASIC authentication is handled, it is quite similar. As such, if you had a need for NTLM I would encourage you to have a go at implementing it. If you succeed, please consider providing the code back to the project and I will add it to the sandbox (probably then core after it's tested).

  3. #3


    José,

    NTLM is slowly becoming deprecated as Microsoft is definitely pushing forward their use of Kerberos (and of course it's not exactly the same as the MIT version...big shock). I'd suggest that if you're going to write custom authentication schemes, you take a look at Microsoft's implementation of Kerberos. You will be particularly interested in SPNEGO. I don't know what servlet engine you are using, but take a look at http://appliedcrypto.com/index.html?...at_spnego.html for an article on how to implement it with Tomcat. There is also a library you can purchase that will allow for SSO with Active Directory through Kerberos: http://www.wedgetail.com/jcsi/kerberos/index.html


    --Rexxe

  4. #4
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    71


    I've used

    http://jcifs.samba.org/src/docs/ntlmhttpauth.html

    very successfully in the past.
