I am using the following filter to enable NTLM authentication in my web application.
I get the windows browser authentication prompt. It is working fine. Except for th
As Edward said, just extracting a name from a type 3 (response) NTLM message doesn't say anything about whether the client who generated it was entitled to do so.
NTLM is not like Kerberos, where there's a signed token that a service can validate on its own; you have to make a connection to the domain controller every time to ask it whether the token is legit. Implementing an MSRPC connection to check an NTLM token is really hard work.
In the old days you could do this in JCIFS using a jcifs.smb.SmbSession, and jcifs.http.NtlmHttpFilter would do just that for you. However, this only works for NTLMv1, which is old, insecure, and increasingly unlikely to be used for anything. (I believe 'ntlm-java' linked above is also NTLMv1-only.)
Try the ntlmv2auth project.
NTLM-over-HTTP is enough of a pain in the arse that it's usually better to use any other method of authentication available to you.
You're receiving the Type 3 message, but you're not doing anything with it except printing out the details. You need to validate the client's response at this point and either send a 200 (if authorized) or a 401 (if not.)
However the Type 1 message you delivered is made up of static bytes and - while it will induce a client to send back a response - is mostly meaningless. It's not impossible to implement a complete NTLM authentication stack yourself, but the code you have will simply not work.
You could investigate an NTLM Solution for Java, or (assuming you're on Windows) you could call the necessary authentication functions like AcceptSecurityContext with JNI.
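Both answers make the same point: the filter must parse the Type 3 message, but parsing alone proves nothing, and the Type 2 challenge must be fresh rather than static bytes. The following is an added example, not code from the question or either answer. It builds and parses the three NTLMSSP message layouts (signature, message type, little-endian security buffers) and drives the 401/200 state machine a filter would implement; the names parse_ntlm_message, build_type1, build_type2, build_type3 and handle_request are this example's own, the sample domain, user and NT response are constructed, and the `validator` callback is assumed to be wired by the deployer to a real domain-controller check (for example ntlmv2auth, or AcceptSecurityContext via JNI as suggested above). Without a positive answer from that validator the filter never returns 200.

```python
"""Added example: NTLMSSP message parsing plus a fail-closed HTTP filter
state machine. Not from the original question or answers; helper names
and sample values are this example's own assumptions."""
import base64
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings in the payload are UTF-16-LE
NEGOTIATE_NTLM = 0x00000200


def _security_buffer(field):
    # Len(2) MaxLen(2) Offset(4), all little-endian; field is bytes already placed
    return struct.pack("<HHI", len(field), len(field), 0)


def _read_buffer(msg, field_offset):
    # Read a security buffer descriptor and return the bytes it points at
    length, _max_len, offset = struct.unpack_from("<HHI", msg, field_offset)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def build_type1():
    # NEGOTIATE_MESSAGE: 32-byte header, empty domain and workstation buffers
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    msg = (NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", flags)
           + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))
    return base64.b64encode(msg).decode()


def build_type2(server_challenge, target_name):
    # CHALLENGE_MESSAGE: 48-byte header, then the target name payload
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    target = target_name.encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    msg = (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), 48)
           + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
           + struct.pack("<HHI", 0, 0, 48 + len(target)) + target)
    return base64.b64encode(msg).decode()


def build_type3(domain, user, workstation, nt_response):
    # AUTHENTICATE_MESSAGE: 64-byte header (six buffers + flags), payload after it.
    # Used here only to construct a sample client response; a real client computes
    # nt_response from the user's credential and the server challenge.
    fields = [b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    buffers, payload, offset = b"", b"", 64
    for field in fields:
        buffers += struct.pack("<HHI", len(field), len(field), offset)
        offset += len(field)
        payload += field
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 3) + buffers + flags + payload).decode()


def parse_ntlm_message(b64):
    """Return the message type and, for Type 3, the claimed names and NT response."""
    msg = base64.b64decode(b64)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    info = {"type": struct.unpack_from("<I", msg, 8)[0]}
    if info["type"] == 3:
        if len(msg) < 64:
            raise ValueError("truncated Type 3 message")
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info["nt_response"] = _read_buffer(msg, 20)
        info["domain"] = _read_buffer(msg, 28).decode(enc)
        info["user"] = _read_buffer(msg, 36).decode(enc)
        info["workstation"] = _read_buffer(msg, 44).decode(enc)
    return info


def handle_request(authorization, validator, session):
    """One filter invocation: returns (status, headers, principal).
    `session` plays the role of the HTTP session holding the pending challenge;
    `validator(info, server_challenge)` is assumed to ask the domain controller."""
    reject = (401, {"WWW-Authenticate": "NTLM"}, None)
    if not authorization or not authorization.startswith("NTLM "):
        return reject
    try:
        info = parse_ntlm_message(authorization[5:].strip())
    except ValueError:
        return reject
    if info["type"] == 1:
        session["ntlm_challenge"] = os.urandom(8)   # fresh per handshake, never static
        return 401, {"WWW-Authenticate": "NTLM " + build_type2(session["ntlm_challenge"], "EXAMPLE")}, None
    if info["type"] == 3 and "ntlm_challenge" in session:
        challenge = session.pop("ntlm_challenge")    # one challenge, one attempt
        if validator(info, challenge):
            return 200, {}, f"{info['domain']}\\{info['user']}"
    return reject   # a parsed name is not proof; fail closed


if __name__ == "__main__":
    sample = build_type3("EXAMPLE", "alice", "WS1", b"\x11" * 24)  # constructed sample
    print(parse_ntlm_message(sample)["user"])                      # alice, but unverified
    print(handle_request("NTLM " + sample, lambda i, c: False, {"ntlm_challenge": b"\x00" * 8}))
```

The point of the structure is that the only path to 200 runs through the validator with the challenge the server itself generated; extracting `alice` from the Type 3 payload, which is all the filter in the question does, is just reading an unauthenticated claim.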