sudheeral
NT Authentication problem

I have a problem when getting NT logged-in user.

I am using the code below to get the NT user id. When I access the web site using "http://PCNAME/..... " or "http://localhost/...", it's working fine.

But if I use the IP address, the browser prompts a Username/password dialog box. I can enter any username/password there (it does not authenticate correctly).
(I am using a local server for testing)

Please help me on this problem.

import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// CHALLENGE_MESSAGE holds the NTLM Type 2 (challenge) bytes; it is defined
// elsewhere in the class and was not included in the post.
private static final boolean authenticateUser(HttpServletRequest request, HttpServletResponse response)
        throws Exception {

    System.out.println("Inside authenticateUser()....................");
    try {
        String auth = request.getHeader("Authorization");

        // No Authorization header yet: ask the browser to start NTLM
        if (auth == null) {
            response.setContentLength(0);
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "NTLM");
            return false;
        }

        if (!auth.startsWith("NTLM ")) {
            throw new Exception("authenticateUser:Cannot authenticate user");
        }

        // java.util.Base64 replaces the unsupported sun.misc.BASE64Decoder
        byte[] msg = Base64.getDecoder().decode(auth.substring(5));

        // Step 1: Negotiation message (Type 1) received
        if (msg[8] == 1) {
            // Send challenge message (Type 2, Step 2)
            response.setContentLength(2);
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate",
                    "NTLM " + Base64.getEncoder().encodeToString(CHALLENGE_MESSAGE));
            return false;
        }

        // Step 3: Authentication message (Type 3) received
        if (msg[8] == 3) {
            int off = 30;
            int length, offset;

            // Java bytes are signed: mask with 0xff so values >= 128 are read
            // correctly as unsigned little-endian 16-bit length/offset words.
            length = ((msg[off + 1] & 0xff) << 8) + (msg[off] & 0xff);
            offset = ((msg[off + 3] & 0xff) << 8) + (msg[off + 2] & 0xff);
            String domain = removeBlanks(new String(msg, offset, length));

            length = ((msg[off + 9] & 0xff) << 8) + (msg[off + 8] & 0xff);
            offset = ((msg[off + 11] & 0xff) << 8) + (msg[off + 10] & 0xff);
            String user = removeBlanks(new String(msg, offset, length));

            length = ((msg[off + 17] & 0xff) << 8) + (msg[off + 16] & 0xff);
            offset = ((msg[off + 19] & 0xff) << 8) + (msg[off + 18] & 0xff);
            String ws = removeBlanks(new String(msg, offset, length));

            System.out.println("Domain: " + domain + "<br>");
            System.out.println("Username: " + user + "<br>");
            System.out.println("Workstation: " + ws + "<br>");

            request.getSession().setAttribute("user", user);
            return true;
        }
        else {
            throw new Exception("authenticateUser:Cannot authenticate user");
        }
    }
    catch (Throwable ex) {
        throw new Exception("authenticateUser:" + ex.getMessage());
    }
}//aut

// Not included in the post; assumed helper that drops the NUL characters
// left over when the Unicode (UTF-16LE) fields are decoded as single bytes.
private static String removeBlanks(String s) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < s.length(); i++) {
        if (s.charAt(i) != 0) {
            sb.append(s.charAt(i));
        }
    }
    return sb.toString();
}

Sudheer
TooKoolKris

You might have better luck with posting this into the proper programming forum.

TKK
Is there a PTR record for that IP (DNS reverse lookup) or a host file entry on the client machine?
ASKER CERTIFIED SOLUTION
DominicCronin

sudheeral (ASKER)

Thank you very much !!!
One problem with this authentication solution is that the server really just trusts whatever the client is telling it. The client never proves its identity. It is quite easy to create a client that lets the user impersonate any user on the system. This is not a secure solution, but might be good enough for your application.

More information: http://www.innovation.ch/java/ntlm.html
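As an added illustration of both the parsing in the question's servlet and the warning above (this is example code, not the question's code or anything from the linked page): the NTLM Type 3 message is a fixed header of six "security buffers" (16-bit length, 16-bit max length, 32-bit offset, all little-endian), and the domain, user and workstation buffers are whatever the client chose to write. The third buffer starts at byte 28, which is why the servlet's "off = 30" lands on the domain buffer's max-length and offset words. The Python below builds a constructed Type 3 message, parses it with explicit unsigned reads via struct (the Java expression (msg[off+1]<<8)+msg[off] misreads bytes >= 128 because Java bytes are signed), rejects buffers that point outside the message, and returns the LM/NTLM response fields separately from the name fields. Only those responses, computed over the server's challenge, can bind a name to a password; this example does not verify them, since that requires the account's NT hash or a domain controller. The function names, the constructed messages and the assumption of a 64-byte header with the negotiate flags at offset 60 are this example's own.

```python
import struct

# Added example: constructed messages and a defensive parser, not the
# question's code. Layout follows the NTLM Type 3 (AUTHENTICATE) message:
# 8-byte signature, 4-byte type, six 8-byte security buffers
# (length, max length, offset), then 4 bytes of negotiate flags
# (assumed present, i.e. a 64-byte header).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE3 = 3
NEGOTIATE_UNICODE = 0x00000001
HEADER_LEN = 64

# Security buffers in header order; the third starts at byte 28, so the
# servlet's "off = 30" reads the domain buffer's max-length and offset words.
BUFFERS = ("lm_response", "ntlm_response", "domain", "user", "workstation", "session_key")
NAME_FIELDS = ("domain", "user", "workstation")


def build_type3(domain, user, workstation, lm_response=b"", ntlm_response=b"", unicode=True):
    """Build a constructed Type 3 message (test data, not a real client)."""
    enc = "utf-16-le" if unicode else "latin-1"
    payloads = [lm_response, ntlm_response, domain.encode(enc),
                user.encode(enc), workstation.encode(enc), b""]
    header = NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_TYPE3)
    body = b""
    for payload in payloads:
        # length, max length and absolute offset of this buffer's data
        header += struct.pack("<HHI", len(payload), len(payload), HEADER_LEN + len(body))
        body += payload
    header += struct.pack("<I", NEGOTIATE_UNICODE if unicode else 0)
    return header + body


def parse_type3(msg):
    """Parse a Type 3 message into a dict; raise ValueError if malformed."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLM_TYPE3:
        raise ValueError("expected Type 3, got %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Text fields are UTF-16LE when NEGOTIATE_UNICODE is set, else OEM/latin-1.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    fields = {}
    for i, name in enumerate(BUFFERS):
        # "<HHI": unsigned 16-bit length, 16-bit max length, 32-bit offset,
        # all little-endian, so no sign-extension pitfall as in the Java code.
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg) or (length and offset < HEADER_LEN):
            raise ValueError("%s buffer points outside the message" % name)
        raw = msg[offset:offset + length]
        fields[name] = raw.decode(enc) if name in NAME_FIELDS else raw
    return fields


def claimed_identity(msg):
    """Return (domain, user, workstation) exactly as the client wrote them.

    Nothing in the message protects these fields: a client can put any
    account name here. Accepting them without verifying the challenge-
    response fields (which needs the account's NT hash or a domain
    controller, not shown here) is the weakness described in the thread.
    """
    fields = parse_type3(msg)
    return fields["domain"], fields["user"], fields["workstation"]


if __name__ == "__main__":
    sample = build_type3("CORP", "alice", "WS01", ntlm_response=b"\x11" * 24)
    print(claimed_identity(sample))
    # A client that simply writes a different name is parsed just as happily.
    print(claimed_identity(build_type3("CORP", "administrator", "WS01")))
```

The parser is the part a servlet would keep; what it must not do is what the question's code does next, which is set the session user from `fields["user"]` alone. The `ntlm_response` it returns is the only field that can be checked against a server-side secret, and a name from a message whose response has not been verified is merely a claim.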