dbasplus
asked on
Change tomcat filter from NTLMv1 to NTLMv2 or Kerberos
We have an old application running on Tomcat 5.5 that uses an NTLMv1 filter to verify the users.
We need to upgrade the Java filter to use NTLMv2 or Kerberos.
The NTLM code from the filter is included below:
// NTLM module here (fragment of AuthenticationFilter.doFilter; remoteHost, domain,
// username and cleanString() are declared elsewhere in the filter)
String auth = request.getHeader("Authorization");
if (auth == null)
{
    // No credentials yet: ask the browser to start an NTLM handshake (a Type 1 message follows)
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    //response.flushBuffer();
    LogManager.debug("First Authentication check failed", AuthenticationFilter.class);
    return;
}
if (auth.startsWith("NTLM"))
{
    // Strip the "NTLM " prefix and base64-decode the NTLMSSP message
    byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
    LogManager.debug("NTLM response=" + new String(msg, Charset.forName("ISO-8859-1")), AuthenticationFilter.class);
    int off = 0, length, offset;
    // Byte 8 is the NTLMSSP message type: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
    if (msg[8] == 1)
    {
        LogManager.debug("Second Authentication check failed", AuthenticationFilter.class);
        byte z = 0;
        // Hand-built 40-byte Type 2 (CHALLENGE) message:
        //   bytes  0-7  "NTLMSSP\0", 8-11 type = 2, 12-19 empty target-name buffer (offset 40),
        //   bytes 20-23 flags 0x00008201 (UNICODE | NTLM | ALWAYS_SIGN),
        //   bytes 24-31 server challenge 00 02 02 02 00 00 00 00, 32-39 context.
        // The challenge is a constant, so any captured Type 3 can be replayed against this server.
        byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,
                       (byte)2, z, z, z,
                       z, z, z, z, (byte)40, z, z, z,
                       (byte)1, (byte)130, z, z,
                       z, (byte)2, (byte)2, (byte)2, z, z, z, z,
                       z, z, z, z, z, z, z, z};
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "NTLM " + new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
        //response.flushBuffer();
        //response.sendError(response.SC_UNAUTHORIZED);
        LogManager.debug("Sending unauthorized and flushing buffer", AuthenticationFilter.class);
        return;
    }
    else if (msg[8] == 3)
    {
        LogManager.debug("Third Authentication check passed", AuthenticationFilter.class);
        // Type 3 (AUTHENTICATE): each security buffer is (length, maxlength, offset), little-endian.
        // With off = 30 the reads below land on the maxlength and offset words of the
        // domain (28), user name (36) and workstation (44) buffers. Bytes are masked with
        // 0xFF because Java bytes are signed. Note that the LM/NT response buffers
        // (bytes 12-27) are never checked: the filter trusts whatever names the client sent.
        off = 30;
        //get details
        length = (msg[off+17] & 0xFF) * 256 + (msg[off+16] & 0xFF);
        offset = (msg[off+19] & 0xFF) * 256 + (msg[off+18] & 0xFF);
        remoteHost = cleanString(new String(msg, offset, length));
        length = (msg[off+1] & 0xFF) * 256 + (msg[off] & 0xFF);
        offset = (msg[off+3] & 0xFF) * 256 + (msg[off+2] & 0xFF);
        domain = cleanString(new String(msg, offset, length));
        length = (msg[off+9] & 0xFF) * 256 + (msg[off+8] & 0xFF);
        offset = (msg[off+11] & 0xFF) * 256 + (msg[off+10] & 0xFF);
        username = cleanString(new String(msg, offset, length));
        LogManager.info(new StringBuilder("User [").append(username).append("] NTLM Authenticated...domain[").append(domain).append("] RemoteHost: [").append(remoteHost).append("]").toString(), AuthenticationFilter.class);
        //Userid check here
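The Type 3 handling in the filter above reads the names the client sent and nothing else; what distinguishes an NTLMv1 client from an NTLMv2 client is the NT response buffer, which the filter never looks at. The following is an added example, not code from the original post: it builds a Type 3 message (with dummy response bytes constructed here) following the MS-NLMP AUTHENTICATE_MESSAGE layout, reads the user name with unsigned little-endian lengths and UTF-16LE decoding, and classifies the response as NTLMv1 (24-byte DES result) or NTLMv2 (16-byte HMAC-MD5 NTProofStr followed by a blob starting 0x01 0x01). It does not verify the response; that requires the user's NT hash or a domain controller, which is what Waffle/SSPI or Kerberos supplies. The class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

// Added example (not the filter from the post): inspect an NTLM Type 3 message.
public class NtlmType3Inspector {

    static final int NTLMSSP_NEGOTIATE_UNICODE = 0x00000001;
    static final int NTLMSSP_NEGOTIATE_NTLM    = 0x00000200;

    // Little-endian helpers; bytes are masked because Java bytes are signed.
    static int le16(byte[] b, int off) {
        return (b[off] & 0xFF) | ((b[off + 1] & 0xFF) << 8);
    }

    static int le32(byte[] b, int off) {
        return le16(b, off) | (le16(b, off + 2) << 16);
    }

    // A security buffer descriptor is (length, maxlength, offset); offset counts from message start.
    static byte[] field(byte[] msg, int descOff) {
        int len = le16(msg, descOff);
        int off = le32(msg, descOff + 4);
        if (off < 0 || off + len > msg.length) {
            throw new IllegalArgumentException("security buffer points outside the message");
        }
        byte[] out = new byte[len];
        System.arraycopy(msg, off, out, 0, len);
        return out;
    }

    static void checkType3(byte[] msg) {
        if (msg.length < 52
                || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0")
                || le32(msg, 8) != 3) {
            throw new IllegalArgumentException("not an NTLMSSP Type 3 message");
        }
    }

    // Descriptor offsets in a Type 3 message (MS-NLMP AUTHENTICATE_MESSAGE):
    // 12 LM response, 20 NT response, 28 domain, 36 user, 44 workstation, 52 session key, 60 flags.
    static String ntlmVersion(byte[] msg) {
        checkType3(msg);
        byte[] nt = field(msg, 20);
        if (nt.length == 0)  return "anonymous";
        if (nt.length == 24) return "NTLMv1";   // DES-based NT response
        // NTLMv2: 16-byte NTProofStr, then a blob starting RespType = 1, HiRespType = 1
        if (nt.length > 24 && nt[16] == 1 && nt[17] == 1) return "NTLMv2";
        return "unknown";
    }

    static String userName(byte[] msg) {
        checkType3(msg);
        boolean unicode = msg.length >= 64 && (le32(msg, 60) & NTLMSSP_NEGOTIATE_UNICODE) != 0;
        Charset cs = unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        return new String(field(msg, 36), cs);
    }

    // Writes one security buffer descriptor and returns the offset for the next payload item.
    static int descriptor(ByteBuffer buf, int len, int offset) {
        buf.putShort((short) len);
        buf.putShort((short) len);
        buf.putInt(offset);
        return offset + len;
    }

    // Builds a Type 3 message with a 64-byte header (no Version field) and UTF-16LE strings.
    static byte[] buildType3(String domain, String user, String host, byte[] ntResponse) {
        byte[] d = domain.getBytes(StandardCharsets.UTF_16LE);
        byte[] u = user.getBytes(StandardCharsets.UTF_16LE);
        byte[] h = host.getBytes(StandardCharsets.UTF_16LE);
        byte[] lmResponse = new byte[24];   // constructed placeholder, not a real LM response
        int header = 64;
        ByteBuffer buf = ByteBuffer
                .allocate(header + lmResponse.length + ntResponse.length + d.length + u.length + h.length)
                .order(ByteOrder.LITTLE_ENDIAN);
        buf.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII));
        buf.putInt(3);
        int pos = header;
        pos = descriptor(buf, lmResponse.length, pos);
        pos = descriptor(buf, ntResponse.length, pos);
        pos = descriptor(buf, d.length, pos);
        pos = descriptor(buf, u.length, pos);
        pos = descriptor(buf, h.length, pos);
        descriptor(buf, 0, pos);            // encrypted random session key: none
        buf.putInt(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM);
        buf.put(lmResponse).put(ntResponse).put(d).put(u).put(h);
        return buf.array();
    }

    public static void main(String[] args) {
        // Constructed samples with dummy response bytes; they are not real NTLM responses.
        byte[] v1 = buildType3("CORP", "alice", "WS01", new byte[24]);
        byte[] v2Resp = new byte[16 + 32];  // NTProofStr + minimal NTLMv2_CLIENT_CHALLENGE blob
        v2Resp[16] = 1;
        v2Resp[17] = 1;
        byte[] v2 = buildType3("CORP", "alice", "WS01", v2Resp);
        System.out.println(userName(v1) + " sent " + ntlmVersion(v1));
        System.out.println(userName(v2) + " sent " + ntlmVersion(v2));
    }
}
```

Whether a client answers with v1 or v2 is decided by the client and the domain's LmCompatibilityLevel policy, not by anything the server filter does; a server can only refuse v1 after the fact, and it can only do that if it actually validates the response.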
ASKER CERTIFIED SOLUTION
I would suggest going for Kerberos (needs an AD or LDAP directory store) if possible, as compared to NTLM, as the latter is weaker (v2 uses HMAC-MD5). You may want to check out the http://spnego.sourceforge.net/spnego_tomcat.html tutorial to try to configure Tomcat to use SPNEGO. A run-through is given at http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/
ASKER
Go with Waffle.
Add the jar files to the lib directory of the webapp.
Update the web.xml for the webapp (use the example from the Waffle website).
That's it.
We had to remove the previous bit of code (above) that did the authentication, as Waffle handles this amazingly well.
To just use NTLM (NTLMv1 or NTLMv2, whatever is available), change the protocol in the setup.
We tried countless other solutions and this was just too simple not to use. We had old versions of Tomcat and Java that were also handled without updating. Thank you to all the people who contributed to these libraries.
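Here is what the three steps above amount to in WEB-INF/web.xml, as an added example modelled on the filter configuration in Waffle's own documentation; it is not taken from the original post, and the parameter names should be checked against the Waffle version being deployed. Waffle validates the NTLM or Kerberos exchange through Windows SSPI, so the servlet container has to run on a domain-joined Windows host, and the Waffle jar plus its JNA dependencies go in WEB-INF/lib. The protocols parameter is the "protocol in the setup" mentioned above: listing Negotiate first lets browsers use Kerberos via SPNEGO and fall back to NTLM (v1 or v2 as the client and domain policy decide); a value of just NTLM restricts the filter to NTLM.

```xml
<!-- Added example: Waffle NegotiateSecurityFilter replacing the hand-rolled NTLM module. -->
<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    <init-param>
        <!-- fqn gives DOMAIN\user; sid and both are the other formats -->
        <param-name>principalFormat</param-name>
        <param-value>fqn</param-value>
    </init-param>
    <init-param>
        <param-name>roleFormat</param-name>
        <param-value>both</param-value>
    </init-param>
    <init-param>
        <!-- Set explicitly so a Guest logon is never treated as an authenticated user -->
        <param-name>allowGuestLogin</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>securityFilterProviders</param-name>
        <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
    </init-param>
    <init-param>
        <!-- Kerberos (SPNEGO) first, NTLM as fallback. Use the single value NTLM to allow NTLM only. -->
        <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
        <param-value>
            Negotiate
            NTLM
        </param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this in place the old filter's own NTLM branch has to go (as the post says), otherwise both would answer the same Authorization header. The authenticated principal is then available to the application as request.getUserPrincipal() instead of a parsed username, and, unlike the old code, the NT response has actually been checked by the domain before the request reaches the webapp.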