JCIFS and jWebUnit

On my current project, we're using JCIFS to integrate our application authentication process with NT Domain logins. While I found it quite easy to integrate, the one issue I found is I couldn't replicate the login process in a jWebUnit test. I tried setting the WWW-Authentication header to NTLM, but couldn't get it to work. The solution I ended up using is to subclass the NtlmHttpFilter and disable authentication when the User-Agent is "httpunit".

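import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import jcifs.http.NtlmHttpFilter;

public class LoginFilter extends NtlmHttpFilter {

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
        throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // The User-Agent header is supplied by the client
        String userAgent = request.getHeader("user-agent");

        // prompt for login, except when jWebUnit is used
        if (userAgent == null || !userAgent.startsWith("httpunit")) {
            super.doFilter(req, res, chain);
            return;
        }

        // User-Agent starts with "httpunit": skip NTLM authentication entirely
        chain.doFilter(req, res);
    }
}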

Hopefully this is useful for others. If you've managed to get regular jWebUnit authentication working with NTLM, I'm all ears.

Posted in Java at Jan 20 2005, 09:34:41 AM MST 16 Comments
Comments:

Doesn't this cause a security hole or am I missing something?

Posted by 130.234.179.86 on January 20, 2005 at 11:13 AM MST #

Yes, but in my situation, you'd have to get through the corporate firewall, figure out the URL, fake the user-agent, etc. to "hack" the system. Like I said, I'd rather do a "real" login with NTLM and jWebUnit, but I couldn't get it working. Another option would be to parse/comment out the filter-mapping in web.xml, but this seemed easier.

Posted by Matt Raible on January 20, 2005 at 11:22 AM MST #

I understand where you're coming from Matt, but it does sound a little silly to disable the security of an application so a test can run. Wouldn't it be better to fix jwebunit instead? I've never used it, but it would seem to be a bug in jwebunit to not allow NTLM authentication.

Posted by Ben C on January 21, 2005 at 09:08 AM MST #

A somewhat cumbersome option to deal with the security issue would be to set a system property that indicates whether it's a test deployment of the app. Then, only when that property is set will the filter do the httpunit uagent check, but not in production.

Posted by Todd Huss on January 21, 2005 at 12:07 PM MST #
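
The system-property gate suggested in the comment above could look like the following. This is an added example, not code from the post or from any commenter; the class name GatedLoginFilter and the property name app.test.deployment are hypothetical, and the loopback-only restriction goes beyond the comment and assumes the jWebUnit tests run on the same host as the application.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import jcifs.http.NtlmHttpFilter;

public class GatedLoginFilter extends NtlmHttpFilter {
    // Hypothetical property name: pass -Dapp.test.deployment=true to test JVMs only.
    static final String TEST_FLAG = "app.test.deployment";
    private static final Logger LOG = Logger.getLogger(GatedLoginFilter.class.getName());
    private boolean testDeployment;

    @Override
    public void init(FilterConfig config) throws ServletException {
        super.init(config);
        // Read once at startup; absent or anything other than "true" means production.
        testDeployment = Boolean.getBoolean(TEST_FLAG);
        if (testDeployment) {
            LOG.warning("NTLM bypass for httpunit is ENABLED (" + TEST_FLAG + "=true)");
        }
    }

    // Pure decision function, so the rule can be unit tested without a container.
    // Assumption: tests connect over loopback, so any other source address is refused.
    static boolean bypassAllowed(boolean testDeployment, String userAgent, String remoteAddr) {
        boolean loopback = "127.0.0.1".equals(remoteAddr)
                || "::1".equals(remoteAddr)
                || "0:0:0:0:0:0:0:1".equals(remoteAddr);
        return testDeployment && loopback
                && userAgent != null && userAgent.startsWith("httpunit");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (bypassAllowed(testDeployment, request.getHeader("user-agent"),
                request.getRemoteAddr())) {
            chain.doFilter(req, res);    // test deployment only: skip NTLM
            return;
        }
        super.doFilter(req, res, chain); // default path: full NTLM negotiation
    }
}
```

With the property unset, a request carrying a User-Agent of "httpunit" is handled exactly like any other request and goes through NTLM negotiation.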

Instead of using JCIFS directly, a much better way is to use Jakarta-Commons-VFS: http://jakarta.apache.org/commons/sandbox/vfs. It has support for JCIFS too, as a "virtual file system". It can support a lot of file types : http://jakarta.apache.org/commons/sandbox/vfs/filesystems.html, and all of them in the same manner, with the same API.

Posted by Ahmed Mohombe on January 25, 2005 at 03:47 AM MST #

Matt,

If jWebUnit uses the URL class to manage URLs, install the NTLM HTTP client wrapper as described here:

http://jcifs.samba.org/src/docs/httpclient.html

Mike

Posted by Mike on January 28, 2005 at 03:16 AM MST #

Hi, I'm currently running a web site with JCIFS and it's running correctly. But I want some users that are not on the domain (contractor) to connect on the web site by a login page where they will enter user / pwd stored in a database. I just want to know if it can be done and what do I have to do. Thanks

Posted by Jonathan Dubois on March 07, 2005 at 11:45 AM MST #

Jonathan,

I don't think this is possible with JCIFS. It might be possible with Acegi Security. You can chain authentication providers, and you could have a JAAS one that talks to NT and then another one that talks to a database.

Posted by Matt Raible on March 07, 2005 at 12:17 PM MST #

Thank you, I'll check what I can do.

Posted by Jonathan Dubois on March 07, 2005 at 12:28 PM MST #

Hi, Is it possible with jCIFS to get the user-groups? Can someone direct me to the appropriate way. Regards aks

Posted by Vicky on March 31, 2005 at 01:35 AM MST #

Vicky - you should be able to do request.isUserInRole(NT_GROUP_NAME). Have you tried that? I'm not much of an expert on JCIFS - you might want to search (or join) their mailing list.

Posted by Matt Raible on April 03, 2005 at 02:56 PM MDT #

Hi, I am using appfuse 1.7. Is it possible to "integrate application authentication process with NT Domain logins" with acegi? Do I have to integrate JCIFS then? Seems that this kind of integration is not possible with the "proxy system" solution CAS which is supported by acegi security.

Posted by Rene Guenther on August 08, 2005 at 06:00 AM MDT #

I was wrong: of course I am using appfuse 1.8.

Posted by Rene Guenther on August 08, 2005 at 06:13 AM MDT #

Rene - it looks like the Acegi Developers are planning on NT Domain authentication support as part of version 1.0. I found this by searching the Spring Forums.

Posted by Matt Raible on August 08, 2005 at 09:50 AM MDT #

Thanks Matt. I think, I really can wait for 1.0.

Posted by Rene Guenther on August 09, 2005 at 11:19 AM MDT #

Dear All,

I am having a problem setting up the session replication for JCIFS on JBoss Clustering.

Here is my environment:

Web Server: 1 X Apache 2.2.8 (mod_jk 1.2.26 for load balancing) on SUN Sparc T2000 Solaris 10
Application Server: 2 X JBoss 4.2.2 GA (Clustering) on SUN Sparc T2000 Solaris 10
JCIFS: 1.2.18

The error I have is that JCIFS.UniAddress is not Serializable and not able to replicate the session for it.

I have read some articles online and they all mentioned not being able to get the load-balance/clustering to work properly on JCIFS.

Is there any way to make it work?

Posted by Eric on March 25, 2008 at 08:58 AM MDT #
