I am using following filter to enable NTLM Authentication, in my web-application.
I get the windows browser authentication prompt.
It is working fine. Except for the fact that - I am unable to tell if Authentication Succeeded or Failed !!! *There are no errors in either case.* In every case username(correct or otherwise), workstation etc. is printed.
package com.test;
import java.io.IOException;
import java.io.PrintStream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jcifs.ntlmssp.Type3Message;
import com.sun.xml.internal.ws.util.StringUtils;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
public class NTLMUserFilter implements Filter {
private FilterConfig filterConfig = null;
private String userDomain = null;
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String username = null;
//first, get the user agent
String useragent = request.getHeader("user-agent");
//if you're using IE, you can continue
if ((useragent.indexOf("MSIE") > -1)){
//Always do the ntlm check (for IE POST back)
try{
String auth = request.getHeader("Authorization");
if (auth == null)
{
response.setHeader("WWW-Authenticate", "NTLM");
response.setStatus(response.SC_UNAUTHORIZED);
response.setContentLength(0) ;
response.flushBuffer();
return;
}
if (auth.startsWith("NTLM "))
{
byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
int off = 0, length, offset;
if (msg[8] == 1)
{
byte z = 0;
byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z, (byte)1, (byte)130, z, z,z, (byte)2, (byte)2, (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
response.setHeader("WWW-Authenticate", "NTLM " + new sun.misc.BASE64Encoder().encodeBuffer(msg1));
response.setStatus(response.SC_UNAUTHORIZED);
response.setContentLength(0) ;
response.flushBuffer();
return;
}
else if (msg[8] == 3)
{
//Did Authentication Succeed? All this is always printed.
Type3Message type3 = new Type3Message(msg);
System.out.println("osUser: " + type3.getUser());
System.out.println("osRemoteHost: + " + type3.getWorkstation());
System.out.println("osDomain: " + type3.getDomain());
}
}
}catch(Exception e){
System.out.println(e) ;
}
//System.out.println("Suc);
}
try {
chain.doFilter(req, res);
} catch (IOException e) {
System.out.println(e);
} catch (ServletException e) {
System.out.println(e);
}
}
public void destroy()
{
this.filterConfig = null;
}
}
The web.xml is simple:
ntlmFilter
com.test.NTLMUserFilter
ntlmFilter
/*
解决方案
You're receiving the Type 3 message, but you're not doing anything with it except printing out the details. You need to validate the client's response at this point and either send a 200 (if authorized) or a 401 (if not.)
However the Type 1 message you delivered is made up of static bytes and - while it will induce a client to send back a response - is mostly meaningless. It's not impossible to implement a complete NTLM authentication stack yourself, but the code you have will simply not work.
You could investigate an NTLM Solution for Java, or (assuming you're on Windows) you could call the necessary authentication functions like AcceptSecurityContext with JNI.
426
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
