Thursday January 20, 2005

JCIFS and jWebUnit

On my current project, we're using JCIFS to integrate our application authentication process with NT Domain logins. While I found it quite easy to integrate, the one issue I found is I couldn't replicate the login process in a jWebUnit test. I tried setting the WWW-Authentication header to NTLM, but couldn't get it to work. The solution I ended up using is to subclass the NtlmHttpFilter and disable authentication when the User-Agent is "httpunit".

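import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import jcifs.http.NtlmHttpFilter;

public class LoginFilter extends NtlmHttpFilter {

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
        throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // The User-Agent header is supplied by the client
        String userAgent = request.getHeader("user-agent");

        // prompt for login, except when jWebUnit is used
        if (userAgent == null || !userAgent.startsWith("httpunit")) {
            super.doFilter(req, res, chain);
            return;
        }

        // httpunit client: continue down the chain without NTLM authentication
        chain.doFilter(req, res);
    }
}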

Hopefully this is useful for others. If you've managed to get regular jWebUnit authentication working with NTLM, I'm all ears.

Posted in Java at Jan 20 2005, 09:34:41 AM MST 16 Comments

Comments:

Doesn't this cause a security hole or am I missing something?

Posted by 130.234.179.86 on January 20, 2005 at 10:13 AM MST #

Yes, but in my situation, you'd have to get through the corporate firewall, figure out the URL, fake the user-agent, etc. to "hack" the system. Like I said, I'd rather do a "real" login with NTLM and jWebUnit, but I couldn't get it working. Another option would be to parse/comment out the filter-mapping in web.xml, but this seemed easier.

Posted by Matt Raible on January 20, 2005 at 10:22 AM MST #

I understand where you're coming from Matt, but it does sound a little silly to disable the security of an application so a test can run. Wouldn't it be better to fix jwebunit instead? I've never used it, but it would seem to be a bug in jwebunit to not allow NTLM authentication.

Posted by Ben C on January 21, 2005 at 08:08 AM MST #

A somewhat cumbersome option to deal with the security issue would be to set a system property that indicates whether it's a test deployment of the app. Then, only when that property is set will the filter do the httpunit uagent check, but not in production.

Posted by Todd Huss on January 21, 2005 at 11:07 AM MST #
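The system-property gate suggested in the comment above could look like the following. This is an added example, not code from the original post or from the JCIFS project; the class name `TestAwareLoginFilter` and the property name `app.test.deployment` are hypothetical.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import jcifs.http.NtlmHttpFilter;

public class TestAwareLoginFilter extends NtlmHttpFilter {

    // Hypothetical property name; set only on the test JVM,
    // e.g. -Dapp.test.deployment=true
    static final String TEST_PROPERTY = "app.test.deployment";

    private boolean testDeployment;

    public void init(FilterConfig config) throws ServletException {
        super.init(config);
        // Read once at startup. Boolean.getBoolean returns false when the
        // property is absent, so a production deployment fails closed.
        testDeployment = Boolean.getBoolean(TEST_PROPERTY);
        if (testDeployment) {
            // Make the weakened configuration visible in the server log
            config.getServletContext().log(
                "WARNING: NTLM authentication is bypassed for httpunit clients ("
                + TEST_PROPERTY + "=true)");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
        throws IOException, ServletException {
        String userAgent = ((HttpServletRequest) req).getHeader("user-agent");

        // Skip NTLM only when the deployment is flagged as a test AND the
        // client identifies itself as httpunit; otherwise always authenticate.
        if (testDeployment && userAgent != null
                && userAgent.startsWith("httpunit")) {
            chain.doFilter(req, res);
            return;
        }
        super.doFilter(req, res, chain);
    }
}
```

With the property unset, a request carrying a forged "httpunit" User-Agent goes through the normal NTLM handshake like any other client.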

Instead of using JCIFS directly, a much better way is to use Jakarta-Commons-VFS: http://jakarta.apache.org/commons/sandbox/vfs. It has support for JCIFS too, as a "virtual file system". It can support a lot of file types : http://jakarta.apache.org/commons/sandbox/vfs/filesystems.html, and all of them in the same manner, with the same API.

Posted by Ahmed Mohombe on January 25, 2005 at 02:47 AM MST #

Matt,

If jWebUnit uses the URL class to manage URLs, install the NTLM HTTP client wrapper as described here:

http://jcifs.samba.org/src/docs/httpclient.html

Mike

Posted by Mike on January 28, 2005 at 02:16 AM MST #

Hi, I'm currently running a web site with JCIFS and it's running correctly. But I want some users that are not on the domain (contractor) to connect on the web site by a login page where they will enter user / pwd stored in a database. I just want to know if it can be done and what do I have to do. Thanks

Posted by Jonathan Dubois on March 07, 2005 at 10:45 AM MST #

Jonathan,

I don't think this is possible with JCIFS. It might be possible with Acegi Security. You can chain authentication providers, and you could have a JAAS one that talks to NT and then another one that talks to a database.

Posted by Matt Raible on March 07, 2005 at 11:17 AM MST #

Thank you, I'll check what I can do.

Posted by Jonathan Dubois on March 07, 2005 at 11:28 AM MST #

Hi, Is it possible with jCIFS to get the user-groups? Can someone direct me to the appropriate way. Regards aks

Posted by Vicky on March 31, 2005 at 12:35 AM MST #

Vicky - you should be able to do request.isUserInRole(NT_GROUP_NAME). Have you tried that? I'm not much of an expert on JCIFS - you might want to search (or join) their mailing list.

Posted by Matt Raible on April 03, 2005 at 02:56 PM MDT #

Hi, I am using appfuse 1.7. Is it possible to "integrate application authentication process with NT Domain logins" with acegi? Do I have to integrate JCIFS then? Seems that this kind of integration is not possible with the "proxy system" solution CAS which is supported by acegi security.

Posted by Rene Guenther on August 08, 2005 at 06:00 AM MDT #

I was wrong: of course I am using appfuse 1.8.

Posted by Rene Guenther on August 08, 2005 at 06:13 AM MDT #

Rene - it looks like the Acegi Developers are planning on NT Domain authentication support as part of version 1.0. I found this by searching the Spring Forums.

Posted by Matt Raible on August 08, 2005 at 09:50 AM MDT #

Thanks Matt. I think, I really can wait for 1.0.

Posted by Rene Guenther on August 09, 2005 at 11:19 AM MDT #

Dear All,

I am having a problem setting up the session replication for JCIFS on JBoss Clustering.

Here is my environment:

Web Server: 1 X Apache 2.2.8 (mod_jk 1.2.26 for load balancing) on SUN Sparc T2000 Solaris 10
Application Server: 2 X JBoss 4.2.2 GA (Clustering) on SUN Sparc T2000 Solaris 10
JCIFS: 1.2.18

The error I have is that JCIFS.UniAddress is not Serializable and not able to replicate the session for it.

I have read some articles online and they all mentioned not being able to get load-balancing/clustering to work properly with JCIFS.

Is there any way to make it work?

Posted by Eric on March 25, 2008 at 08:58 AM MDT #

Matt Raible is a Web Architect who enjoys developing applications with open source technologies. Contact me for rates.