NTLM authentication

Following the previous article, we now perform NTLM authentication with a Java web app running on a non-Windows system. In other words, the browser (IE) automatically sends the name of the logged-in Windows user to the web application, in a “secure way”.

Sometimes developers like me lose focus, trying to reinvent the wheel… Just be smart and look around: 90% of the things you are trying to do, someone has already done… Probably better!

So, we need the jCIFS library to do the job; it implements the CIFS/SMB protocol in Java and has an extension for NTLM. The documentation warns you that NTLM is considered insecure (probably for the DES encryption used) and that you need NTLMv2 for better security. If you want NTLMv2, you have to use another library, Jespa, but this is free only for a limited number of users (25), so I chose NTLMv1 with jCIFS, which is reasonably secure in my environment.

So put jcifs-1.3.12.jar into the lib directory of your web app, then add the following lines to your web.xml:

These lines tell the container to use a filter (jcifs.http.NtlmHttpFilter) for every document (“/*” as url-pattern) inside this web app. For the domain controller you have to put the hostname or IP of a Windows Samba server or Active Directory; I am not sure about that, in my working test I used the server that shares a directory on my intranet (for example “\\this-is-the-name\network-dir”).
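A filter declaration matching the description above, given as an added example and not the post's original listing. The host name `dc01.example.internal` is a constructed placeholder, and the two Basic-authentication parameters are jCIFS filter options set here as an assumed policy (no Basic fallback, so passwords are never sent base64-encoded over HTTP); the post itself does not mention them.

```xml
<!-- Added example for WEB-INF/web.xml; the host name is a placeholder -->
<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

    <!-- Server that validates the NTLM credentials (hostname or IP) -->
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>dc01.example.internal</param-value>
    </init-param>

    <!-- Assumed policy: never offer HTTP Basic to browsers that cannot do NTLM -->
    <init-param>
        <param-name>jcifs.http.enableBasic</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.http.insecureBasic</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

<!-- Apply the filter to every resource of the web app -->
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Both elements go inside the `<web-app>` root element of the deployment descriptor.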

Now with a simple JSP we can print the name of the authenticated user connecting to our web app:

This works automatically only with Internet Explorer as the browser; Firefox asks for credentials, which need to be a valid Windows account, to show the pages.

As mentioned in the jCIFS documentation, we can configure the filter to require permission for a particular shared directory, controlling web access to our web app with the permissions of the shared directory.

Hope this helps!
