Posted to users@tomcat.apache.org by Sue Roe <su...@cmi-plc.com> on 2005/01/27 12:08:38 UTC

IIS, Tomcat and NTLM Authentication

Hi

We have just upgraded our server software, running a Java application, as
follows:

From:
IIS 4, Tomcat 4.1 - both running on same server - NT4

To:
IIS 5, Tomcat 4.1 - both running on same server - Windows 2000

The application is to be available to all staff, either over the Intranet
or the Internet.

An issue has arisen with NTLM authentication. We extract a user's
domain\username details using NTLM Authentication; the code is listed at the
bottom of this e-mail. This mechanism worked 100% on the old configuration.
Unfortunately, with the IIS server upgrade and change in OS, the
authentication details do not seem to be picked up in two scenarios:

1. IE 6, unless Enable Integrated Windows Authentication is disabled.
   We don't really want browser settings to affect access.
2. IE 5! (We are trying to force client sites to upgrade to IE6, but
   still, why does the NTLM Authentication break down here?)

The IIS settings are as follows:

Default Web Site:
    Anonymous Access - OFF
    Basic Authentication - ON
    Integrated Windows Authentication - ON

Jakarta Virtual Directory:
    Anonymous Access - ON
    Basic Authentication - ON
    Integrated Windows Authentication - ON

If anyone has had any similar experiences or knows of any other mechanism to
retrieve domain/username, it would be great to hear.

Thanks

Sue

Code to Extract domain/user Details

***************************************************************************************

// Excerpt from a servlet handler: request, response, session and context are in scope.
String auth = request.getHeader("Authorization");
if (auth == null) {
    // No credentials yet: ask the browser to start the NTLM handshake.
    response.setStatus(response.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    return;
}
String domain = "";
String username = "";
if (auth.startsWith("NTLM ")) {
    byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
    int off = 0, length, offset;
    if (msg[8] == 1) {
        // Type 1 (negotiate) received: reply with a fixed 40-byte Type 2 (challenge).
        // Flags bytes 01 82 00 00 = 0x00008201 (Unicode, NTLM, Always Sign).
        byte z = 0;
        byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
            z, (byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z,
            (byte)1, (byte)130, z, z, z, (byte)2, (byte)2,
            (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
        response.setHeader("WWW-Authenticate", "NTLM " +
            new sun.misc.BASE64Encoder().encodeBuffer(msg1));
        response.sendError(response.SC_UNAUTHORIZED);
        return;
    } else if (msg[8] == 3) {
        // Type 3 (authenticate) received: pull host, domain and user out of its
        // security buffers. Java bytes are signed, so mask with 0xff before combining
        // them into little-endian 16-bit values.
        off = 30;
        length = (msg[off+17] & 0xff) * 256 + (msg[off+16] & 0xff);
        offset = (msg[off+19] & 0xff) * 256 + (msg[off+18] & 0xff);
        String remoteHost = new String(msg, offset, length);
        length = (msg[off+1] & 0xff) * 256 + (msg[off] & 0xff);
        offset = (msg[off+3] & 0xff) * 256 + (msg[off+2] & 0xff);
        domain = new String(msg, offset, length);
        length = (msg[off+9] & 0xff) * 256 + (msg[off+8] & 0xff);
        offset = (msg[off+11] & 0xff) * 256 + (msg[off+10] & 0xff);
        username = new String(msg, offset, length);
        String employeeNTLogin = domain + "\\" + username;
        context.log("User NT Login: " + employeeNTLogin + ":: " + new Date(System.currentTimeMillis()));
        session.setAttribute(Constants.DATABASE, context.getAttribute(Constants.DATABASE));
        Employee userEmployee = null;
        // 1. Get Employee Object for NT Login of User & Roles
        try {
            userEmployee = myEmployeeDAO_Pool.getDetailsByNTLogin(employeeNTLogin);
        } catch (DAOException daoex) {
            // Lookup failure leaves userEmployee null; nothing is logged here.
        }
        session.setAttribute(Constants.USER_EMPLOYEE, userEmployee);
        etc etc

***************************************************************************************
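Added example, not the poster's code: the same Type 3 field extraction, but reading each security buffer's 16-bit length and 32-bit offset with sign extension masked off, bounds-checking the offset before dereferencing it, and decoding as UTF-16LE when the Unicode flag was negotiated (the Type 2 above offers only Unicode, flag bytes 01 82 00 00). The class name, helper names and the sample message are constructed for this example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical class for this example. NTLMSSP Type 3 layout: 0 signature, 8 type, 12 LM
// response, 20 NTLM response, 28 domain, 36 user, 44 workstation, 52 session key, 60 flags.
public class NtlmType3Parser {
    static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    static final int FLAG_UNICODE = 0x00000001;
    static final Charset UTF16 = StandardCharsets.UTF_16LE;
    // Little-endian readers; & 0xff undoes Java's sign extension of byte.
    static int le16(byte[] m, int at) { return (m[at] & 0xff) | ((m[at + 1] & 0xff) << 8); }
    static int le32(byte[] m, int at) { return le16(m, at) | (le16(m, at + 2) << 16); }
    // A security buffer is len(2) maxlen(2) offset(4); bounds-check before dereferencing.
    // OEM (non-Unicode) text is approximated as ISO-8859-1 here.
    static String secBuf(byte[] m, int at, boolean unicode) {
        int len = le16(m, at), off = le32(m, at + 4);
        if (off < 0 || off > m.length - len) throw new IllegalArgumentException("buffer outside message");
        return new String(m, off, len, unicode ? UTF16 : StandardCharsets.ISO_8859_1);
    }
    // Returns {domain, user, workstation}. unicodeNegotiated is what the server's Type 2
    // offered; the optional Type 3 flags field (present when length >= 64) takes precedence.
    public static String[] parseType3(byte[] m, boolean unicodeNegotiated) {
        if (m.length < 52 || !Arrays.equals(Arrays.copyOf(m, 8), SIGNATURE) || le32(m, 8) != 3)
            throw new IllegalArgumentException("not an NTLM Type 3 message");
        boolean unicode = m.length >= 64 ? (le32(m, 60) & FLAG_UNICODE) != 0 : unicodeNegotiated;
        return new String[] {secBuf(m, 28, unicode), secBuf(m, 36, unicode), secBuf(m, 44, unicode)};
    }
    // Constructed sample Type 3 (empty LM/NTLM responses, Unicode flag set); demo input only.
    static byte[] sampleType3(String domain, String user, String host) {
        byte[][] s = {domain.getBytes(UTF16), user.getBytes(UTF16), host.getBytes(UTF16)};
        byte[] m = new byte[64 + s[0].length + s[1].length + s[2].length];
        System.arraycopy(SIGNATURE, 0, m, 0, 8);
        m[8] = 3; m[60] = FLAG_UNICODE;             // message type 3, negotiate flags
        int off = 64;
        for (int i = 0; i < 3; i++) {               // domain, user, workstation buffers at 28, 36, 44
            int at = 28 + 8 * i;
            m[at] = m[at + 2] = (byte) s[i].length; // len and maxlen (all strings here are < 256 bytes)
            m[at + 4] = (byte) off;
            m[at + 5] = (byte) (off >> 8);
            System.arraycopy(s[i], 0, m, off, s[i].length);
            off += s[i].length;
        }
        return m;
    }
    public static void main(String[] args) {
        String[] id = parseType3(sampleType3("CMI", "sroe", "WS01"), true);
        System.out.println(id[0] + "\\" + id[1] + " from " + id[2]);
    }
}
```

Like the snippet above, this only reads what the client asserts: nothing validates the NTLM response against a domain controller, so the result identifies the browser's claimed domain\user rather than authenticating it.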


