Implementing single sign-on with jCIFS

http://jcifs.samba.org/

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
    String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort();
    // Set by jcifs.http.NtlmHttpFilter after a successful NTLM negotiation; null if the filter did not run
    String remoteuser = request.getRemoteUser();
    // The target system receives the user name as a plain query parameter and must treat it as untrusted input
    String url = basePath + "/xxxSystem/welcome_desk.jsp?remoteuser=" + remoteuser;
    response.sendRedirect(url);
%>

---------------------------------------------------------------------------------------------

 

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>10.1***</param-value>
        </init-param>
        <!-- 0 selects LM/NTLMv1; the jCIFS FAQ further down recommends 3 if the domain controller rejects NTLMv1 -->
        <init-param>
            <param-name>jcifs.smb.lmCompatibility</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.useExtendedSecurity</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.soTimeout</param-name>
            <param-value>35000</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

 

 

---------------------------------------------------------------------------------------------

 

Download jcifs-1.3.15.jar first.

Keep it in a separate project, otherwise there will be problems.

1. First download the jcifs-1.3.2.jar package from http://jcifs.samba.org.

2. Put this jar into the corresponding lib directory.

3. Configure web.xml by adding the following:

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>192.168.1.206</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>DLHT</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.util.loglevel</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.username</param-name>
            <param-value>xxxx</param-value>
        </init-param>
        <!-- Stored in plain text in web.xml; restrict read access to this file accordingly -->
        <init-param>
            <param-name>jcifs.smb.client.password</param-name>
            <param-value>c!23456</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

4. Add the NetBIOS protocol on your DNS server.

5. Configure IE to log in automatically with the current user name and password.

6. Use request.getRemoteUser() to obtain the name of the currently logged-in user.

After the configuration above, you can log in with users from the configured domain.

If anything is unclear, we can discuss it together. QQ: 674706446

 

login.jsp  (login page)

<%@ page contentType="text/html;charset=gbk" %>

<%
    // String userId = request.getParameter("userId");
    String userId = request.getRemoteUser();
    // getRemoteUser() is null when NtlmHttpFilter did not authenticate the client; substring() would throw NullPointerException
    if (userId == null) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "NTLM authentication required");
        return;
    }
    // Strip the DOMAIN\ prefix (indexOf returns -1 when absent, so the whole string is kept)
    userId = userId.substring(userId.indexOf("\\") + 1);
    // passwordFlg is the single sign-on flag: 0 = single sign-on, 1 = normal login
    String str = "/ClientEnter?ClientEnter=" + userId + "&passwordFlg=0";
    response.sendRedirect(str);
%>
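Both JSPs above (the index page that forwards remoteuser in a query string, and login.jsp) use request.getRemoteUser() directly. The following is an added example, not code from the original post, showing one way to normalize that value before trusting it: it returns null when the filter did not authenticate the client, splits the DOMAIN\user form, and rejects names that cannot be SAM account names. The class and method names, the length limit and the sample inputs are this example's own assumptions.

```java
import java.util.regex.Pattern;

public final class RemoteUserNormalizer {

    // SAM account names: letters, digits and a few punctuation characters; no whitespace or separators.
    // The 64-character cap is this example's choice, not a jCIFS or Windows constant.
    private static final Pattern SAM_ACCOUNT = Pattern.compile("^[A-Za-z0-9._$-]{1,64}$");

    // Result of normalizing a "DOMAIN\user" string; domain is null when no prefix was present.
    public static final class Principal {
        public final String domain;
        public final String user;

        Principal(String domain, String user) {
            this.domain = domain;
            this.user = user;
        }

        @Override
        public String toString() {
            return domain == null ? user : domain + "\\" + user;
        }
    }

    // Returns null when NtlmHttpFilter did not authenticate the request (getRemoteUser() == null)
    // or when the name does not look like a SAM account name. Callers must handle null rather than
    // calling substring() on it.
    public static Principal normalize(String remoteUser) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            return null;
        }
        String domain = null;
        String user = remoteUser;
        int sep = remoteUser.indexOf('\\');
        if (sep >= 0) {
            domain = remoteUser.substring(0, sep);
            user = remoteUser.substring(sep + 1);
        }
        if (!SAM_ACCOUNT.matcher(user).matches()) {
            return null;
        }
        return new Principal(domain, user);
    }

    // Constructed inputs standing in for what getRemoteUser() might return; no servlet container needed.
    public static void main(String[] args) {
        String[] samples = { "DLHT\\jsmith", "jsmith", null, "DLHT\\", "DLHT\\x; drop" };
        for (String s : samples) {
            Principal p = normalize(s);
            System.out.println(s + " -> " + (p == null ? "reject: send 401 or show the normal login form" : "accept " + p));
        }
    }
}
```

A query-string parameter such as remoteuser= can be typed by anyone, so the normalized user is better kept in the HTTP session (session.setAttribute) on the same server that ran NtlmHttpFilter than forwarded in a URL to another system; if it has to cross systems, the receiving side needs its own evidence that the request really passed through the filter.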

 

 

 

 

 

 

JCIFS NTLM HTTP Authentication

A common requirement of websites on corporate Intranets is NTLM HTTP authentication, also sometimes referred to as Single Sign On (SSO). Microsoft Internet Explorer has the ability to negotiate NTLM password hashes over an HTTP session using base 64 encoded NTLMSSP messages. This is a staple feature of IIS but Java application servers too can use jCIFS to authenticate MSIE clients against a domain controller. This is a useful feature because many of the tasks surrounding user management now fall back to computer support and HR. It is not necessary to add and remove users as they join and leave the company. Perhaps most important from a user's perspective: they do not need to enter a username or password if their workstation is a member of the domain. The password hashes generated when they logged on to their workstation will be negotiated during the initial request for a session, passed through jCIFS, and validated against a PDC or BDC. This also makes the user's domain, username, and password available for managing session information, profiles, preferences, etc. Using the jCIFS Servlet Filter it is trivial to add NTLM HTTP authentication support to your site. It is also possible to build custom authentication modules using the NtlmSsp classes directly. This Filter scales very well primarily because sessions are multiplexed over transports. But this functionality is not without caveats.

Note: This functionality is a non-conformant extension to HTTP conceived entirely by Microsoft. It inappropriately uses HTTP headers and therefore may not work with all Servlet containers or may stop working with a new release of your application server. Also, this flavor of password encryption is not very secure so under no circumstances should it be used to authenticate clients on the Internet.

Note: Don't forget to restart the container after changing jCIFS init-parameters. JCIFS must use the container class loader and jCIFS properties are only read once when jCIFS classes are initialized.

Installation and Setup

Put the latest jCIFS jar file in the lib/ directory of your webapp [1]. Because jCIFS properties are loaded once when the jCIFS classes are first accessed, it is necessary to actually stop and restart the container if any jCIFS properties have been changed. Below are two web.xml configurations. Note that the jcifs.smb.client.domain and jcifs.http.domainController properties are mutually exclusive.

Production web.xml Example

A minimalistic web.xml file with filter and filter-mapping directives might look like the following:

 

<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>NYC-USERS</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.netbios.wins</param-name>
        <param-value>10.169.10.77,10.169.10.66</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This filter section illustrates the setup for authenticating clients against the domain NYC-USERS. This is suitable for large numbers of concurrent users as jCIFS will cycle through domain controllers and use an alternate WINS server if necessary.

The above will authenticate users accessing all content against the domain NYC-USERS. The WINS server 10.169.10.77 will be queried to resolve NYC-USERS to an IP address of a domain controller. If that WINS server is not responding, 10.169.10.66 will be queried.

Alternate web.xml Example

The below example filter section illustrates how to specify the IP address of the domain controller specifically using the jcifs.http.domainController property. The target machine does not need to be a real domain controller -- it could be just a workstation. Also illustrated below is the jcifs.smb.client.logonShare property. This will cause jCIFS to attempt to access the resource \\192.168.2.15\JCIFSACL when authenticating users. By creating that share and changing the Access Control List only certain users or groups of users will have access to your website.

<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>192.168.2.15</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.logonShare</param-name>
        <param-value>JCIFSACL</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This filter section illustrates the setup for authenticating against a JCIFSACL share for testing or a site with a small number of concurrent users (eg fewer than 1000).

Either a jcifs.smb.client.domain or jcifs.http.domainController property is required. This will be suitable to authenticate clients that are members of the specified domain as well as other domains with which it has trust relationships.

Running the NtlmHttpAuthExample.java example should be a suitable test of the Filter.

NTLM HTTP Authentication Example

NYC-USERS\MIALLEN successfully logged in

Please submit some form data using POST

field1 = hello

The significance of the POST test is that after negotiating NTLM HTTP Authentication once, IE will not POST any form data until it has negotiated the password hashes again.

If the NTLM HTTP Authentication Filter is not enabled something like the following will be displayed:

null successfully logged in

Notice the user was permitted access. Unlike this example, developers might add an additional check to make sure getRemoteUser does not return null.

Non MSIE Clients and "Basic" Authentication

NTLM HTTP authentication is only supported by MSIE transparently. Mozilla 1.6 supports NTLM HTTP negotiation but it will always prompt the user for credentials by default (although the Mozilla documentation on Integrated Authentication describes how to make it transparent to the user for trusted sites). For other clients it is possible to use basic authentication to pass NTLM password credentials. This is strongly discouraged if SSL is not being used because it sends these credentials in plain text. It would not be difficult for another user to download and install a program to "snoop" LAN traffic and obtain other users' passwords.

Regardless, this functionality has been added to the NtlmHttpFilter and NtlmServlet (for pre 2.3 servlet containers) although it is disabled by default. To enable this capability set the jcifs.http.basicRealm, jcifs.http.enableBasic, and jcifs.http.insecureBasic properties described in the table below.

JCIFS Properties Meaningful to NTLM HTTP Authentication

All parameters that begin with 'jcifs.' will be set as jCIFS properties which means that any jCIFS properties may be used as init parameters. These properties must be set before jCIFS classes are used. For a complete list of jCIFS properties refer to the overview page of the API documentation. Here is a select subset of jCIFS properties with additional notes in the context of NTLM HTTP Authentication.

jcifs.smb.client.domain

The NT domain against which clients should be authenticated. Generally it is necessary to also set the jcifs.netbios.wins parameter or a domain controller may not be found. This parameter will be ignored for NTLM HTTP authentication purposes if a jcifs.http.domainController property is specified (although they can be used together for "preauthentication" as described in the SMB Signatures and Windows 2003 section below).

jcifs.http.domainController

The IP address of any SMB server that should be used to authenticate HTTP clients with the NtlmHttpFilter class. If this is not specified the jcifs.smb.client.domain 0x1C NetBIOS group name will be queried. If these queries fail an UnknownHostException will be thrown. It is not necessary for this to specify a real domain controller. The IP address of a workstation will do for simple purposes.

jcifs.http.basicRealm

The realm for basic authentication. This property defaults to 'jCIFS'.

jcifs.http.enableBasic

Setting this property to true enables basic authentication over HTTPS only.

jcifs.http.insecureBasic

Setting this property to true enables basic authentication over plain HTTP. This configuration passes user credentials in plain text over the network. It should not be used in an environment where security is required.

jcifs.http.loadBalance

If a jcifs.smb.client.domain property is specified (and domainController is not specified) the NtlmHttpFilter will query for domain controllers by name. If this property is true the Filter will rotate through the list of domain controllers when authenticating users. The default value is true. The jcifs.netbios.lookupRespLimit property can also be used to limit the number of domain controllers used.

jcifs.netbios.lookupRespLimit

The 0x1C NetBIOS name query returns a list of domain controllers. It is believed that the servers at the top of this list should be favored. This property limits the range of servers returned by name queries. The default value is 5 meaning the top 5 domain controllers will be used.

jcifs.netbios.wins

The IP address of the WINS server. This is required when accessing hosts on different subnets (like a domain controller by name) and it is highly recommended if a WINS server is available.

jcifs.smb.client.laddr

The IP address of the local interface the client should bind to if it is different from the default. For example, if jCIFS is used to authenticate clients on one interface and the domain controller for those clients is accessible only on another interface of a webserver with two NICs, it may be necessary to specify which interface jCIFS should use.

jcifs.netbios.laddr

The IP address of the local interface the client should bind to for name queries if it is different from the default. Likely set to the same as the above property.

jcifs.smb.client.attrExpirationPeriod

Attributes of a file are cached for attrExpirationPeriod milliseconds. The default is 5000 but the NetworkExplorer servlet will attempt to set this property to 120000. Otherwise, when listing large directories, the attributes of SmbFiles may expire within the default period resulting in a large number of additional network messages and severe performance degradation.

jcifs.smb.client.soTimeout

To prevent the client from holding server resources unnecessarily, sockets are closed after this time period if there is no activity. This time is specified in milliseconds. The default is 15000; however, when NTLM HTTP Authentication is used, the NtlmHttpFilter will attempt to set this value to 5 minutes so that frequent calls to SmbSession.logon() do not provoke redundant messages being submitted to the domain controller. If it is not desirable to cache password hashes set this value back to 15000.

jcifs.netbios.cachePolicy

When a NetBIOS name is resolved with the NbtAddress class it is cached to reduce redundant name queries. This property controls how long, in seconds, these names are cached. The default is 30 seconds, 0 is no caching, and -1 is forever. When NTLM HTTP Authentication is used, NtlmHttpFilter will attempt to set this value to 20 minutes so that frequent queries for a domain controller will be cached.

Must Restart The Container

If you change any jcifs properties or replace an existing jcifs jar file with a different one, the container must be restarted. This is because most jcifs properties are retrieved only once when classes are first loaded.

Tomcat

Tomcat requires that all filter directives be adjacent to one another, all filter-mapping directives appear adjacent to one another, all servlet directives ... and so on. This is because Tomcat validates the web.xml against the deployment descriptor DTD.

MalformedURLException: unknown protocol: smb

If you get the following exception try upgrading to jcifs-0.7.0b12 or later. Also read the FAQ.

 Exception MalformedURLException: unknown protocol: smb
      at java.net.URL.<init>(URL.java:480)
      at java.net.URL.<init>(URL.java:376)
      at java.net.URL.<init>(URL.java:330)
      at jcifs.smb.SmbFile.<init>(SmbFile.java:355)
      ...

Transparent Authentication and the Network Password Dialog

If the Filter is working properly the Network Password Dialog should never appear. However there are several requirements that must be met for a web browser to transparently negotiate credentials using NTLM HTTP authentication. If any of these requirements are not met, the default behavior is to present the user with the Network Password dialog. The requirements are:

1. The client must be logged into the Windows NT domain identified by the jcifs.smb.client.domain parameter (or the domain of the host identified by the jcifs.http.domainController parameter if it is used instead). The client may also be logged into a domain that has a trust relationship with the target domain. Indeed it is not uncommon to configure workstations to join a different domain from those of users. Note that Windows 95/98/ME systems cannot really join a domain but can be configured to do so enough to participate in transparent NTLM HTTP authentication.

2. Only Internet Explorer will negotiate NTLM HTTP authentication transparently. Mozilla will always prompt the user for credentials (someone please notify us when/if this is not true anymore). At the time this FAQ was written it was not known which other browsers, if any, can negotiate NTLM HTTP authentication transparently.

3. Either the target URL must contain a server in the local domain (eg ws1.mycompany.com) or the client's security settings must be changed (eg Tools > Internet Options > Security > Local Intranet > Sites > Advanced > add your site). If the URL does not contain a URL in the defined IntrAnet zone (eg not an IP address), Internet Explorer will assume that the server is in the IntErnet zone and present the user with the Network Password dialog. It would be very bad if a server on the Internet could convince IE to send it your NTLM password hashes. These hashes are easily cracked with brute force dictionary attacks. To prevent this scenario, IE tries to distinguish between Intranet sites and Internet sites. Here are some important notes to consider when deploying a site with NTLM HTTP Authentication regardless of whether or not jCIFS is used to do it.

o    Internet Explorer May Prompt You for a Password
     http://support.microsoft.com/default.aspx?scid=kb;en-us;Q258063

o    How to Use Security Zones in Internet Explorer
     http://support.microsoft.com/default.aspx?scid=kb;en-us;Q174360

o    An Intranet Site Is Identified as an Internet Site When You Use an FQDN or IP Address
     http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303650

4. The user's credentials must be valid. For example if the account has expired, been disabled or is locked out the Network Password dialog will appear. To determine which error was at fault it will be necessary to modify the NtlmHttpFilter to inspect the SmbAuthException in doFilter.

5. The jCIFS client must support the lmCompatibility level necessary for communication with the domain controller. If the server does not permit NTLMv1 try to set jcifs.smb.lmCompatibility = 3.

Personal Workstation AD Security Policy

If your Active Directory security policy requires that users only log into the domain from their personal workstations, JCIFS will fail to authenticate and the server security log will have entries like "\\JCIFS10_40_4A cannot be authorized". This occurs because the domain controller is failing to resolve the dynamically generated "calling name" submitted by the client during protocol negotiation. To get around this it is necessary to set the jcifs.netbios.hostname property to a valid NetBIOS name that can be resolved by the NetBIOS name service (eg WINS) and add that name to the AD security policy as a permitted client.

For example, you can set this property using an init-parameter in the web.xml file for the NTLM HTTP filter as follows:

 

<init-param>
    <param-name>jcifs.netbios.hostname</param-name>
    <param-value>MYHOSTNAME</param-value>
</init-param>

HTTP POST and Protecting Sub-Content

Once IE has negotiated NTLM HTTP authentication it will proactively renegotiate NTLM for POST requests for all content associated with the server (based on IP?). Therefore when using HTTP POST requests it is not possible to restrict access to some content on the server as IE will attempt and fail to negotiate NTLM (standard IE error page?). This is a protocol limitation and there does not appear to be a way to convince IE to stop proactively negotiating for POST requests once it has been determined that the server is capable of negotiating NTLM authentication.

SMB Signatures and Windows 2003

If the domain controller against which you are authenticating clients requires SMB signatures (Windows 2003 does by default), it is recommended that you provide init-parameters for the jcifs.smb.client.{domain,username,password} to perform "preauthentication" for each transport to a domain controller so that a proper SMB signing key will be generated. In fact, this may be necessary for proper operation; it has been observed that NT 4.0 does not check the signatures of authentication requests but the behavior has not been confirmed in all environments. If the Filter works for the first authentication but fails with a second user shortly thereafter this would suggest that signing was established but subsequent authentications are failing due to the lack of a good signing key. Additionally, without a proper signing key certain requests (SMB_COM_TREE_DISCONNECT and SMB_COM_LOGOFF_ANDX) will cause signature verification failures (although they are harmless to the client).

A third solution for signature issues is to change the jcifs.smb.client.ssnLimit to 1. This will require that every authentication uses a separate transport. Because the MAC signing key is only used on SMB communication occurring after the initial authentication, signing will be effectively ignored. However, this solution will significantly reduce scalability as each authentication will open its own transport. For this reason the second solution of using a "workstation account" to preauthenticate transports is considered the superior method and should be used by default for servers that require signatures.

NTLM HTTP Authentication Protocol Details

The NTLM HTTP Authentication process is described well in these documents:

http://davenport.sourceforge.net/ntlm.html
http://www.innovation.ch/java/ntlm.html

The process can be summarized as a 3 request/response "handshake". So doGet() will be called three times. The first is the initial request. A 401 Unauthorized is sent back to which IE submits a special message encoded in a header. Another 401 Unauthorized is sent back after which IE submits the password hashes. This is where jCIFS comes in. The password hashes alone are useless. You must check their authenticity against the password database on a server somewhere (actually you can specify the IP of a plain workstation or any other SMB server). Otherwise a user whose workstation is not a member of the domain will get a password dialog into which they could put anything and it would let them in. This is what pretty much all the examples seen in various forums do. Don't be fooled.
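The three-leg exchange above, as an added example that is not jCIFS code: a small Java class that classifies the Authorization header a browser sends on each leg by decoding the base64 NTLMSSP message and reading its little-endian message-type field, and returns the HTTP status and WWW-Authenticate value a server answers with. The Type 3 check against the domain controller is represented only by a boolean argument, because that is exactly the step the passage says jCIFS performs and that must not be skipped. The class, method names and the sample message bytes are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public final class NtlmHandshakeStep {

    // Every NTLMSSP message starts with this 8-byte signature, followed by a little-endian 32-bit type.
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    public enum Leg { NO_NTLM_HEADER, TYPE1_NEGOTIATE, TYPE3_AUTHENTICATE, MALFORMED }

    // What the server answers for a given leg: HTTP status plus WWW-Authenticate value (null = no header).
    public static final class Reply {
        public final int status;
        public final String wwwAuthenticate;

        Reply(int status, String wwwAuthenticate) {
            this.status = status;
            this.wwwAuthenticate = wwwAuthenticate;
        }
    }

    // Classifies the Authorization request header; null or a non-NTLM scheme means the handshake has not started.
    public static Leg classify(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) {
            return Leg.NO_NTLM_HEADER;
        }
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return Leg.MALFORMED;
        }
        if (msg.length < 12 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            return Leg.MALFORMED;
        }
        int type = (msg[8] & 0xff) | (msg[9] & 0xff) << 8 | (msg[10] & 0xff) << 16 | (msg[11] & 0xff) << 24;
        switch (type) {
            case 1:  return Leg.TYPE1_NEGOTIATE;
            case 3:  return Leg.TYPE3_AUTHENTICATE;
            default: return Leg.MALFORMED;   // a client never sends Type 2; anything else is noise
        }
    }

    // The exchange as seen from the server. challengeB64 is the base64 Type 2 message for this connection;
    // type3ValidatedByDc stands for the domain-controller check of the hashes, which jCIFS performs and
    // which a filter must never replace with "header present, let them in".
    public static Reply reply(Leg leg, String challengeB64, boolean type3ValidatedByDc) {
        switch (leg) {
            case NO_NTLM_HEADER:     return new Reply(401, "NTLM");                    // leg 1: ask the browser to start
            case TYPE1_NEGOTIATE:    return new Reply(401, "NTLM " + challengeB64);    // leg 2: hand over the challenge
            case TYPE3_AUTHENTICATE: return type3ValidatedByDc ? new Reply(200, null)  // leg 3: only a verified response passes
                                                               : new Reply(401, "NTLM");
            default:                 return new Reply(400, null);
        }
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    // Constructed sample headers: signature, little-endian type, then a few arbitrary flag bytes.
    public static void main(String[] args) {
        byte[] type1 = concat(SIGNATURE, new byte[] { 1, 0, 0, 0, 0x07, (byte) 0x82, 0x08, (byte) 0xa2 });
        byte[] type2 = concat(SIGNATURE, new byte[] { 2, 0, 0, 0 });
        byte[] type3 = concat(SIGNATURE, new byte[] { 3, 0, 0, 0 });
        String[] headers = { null, "Basic dXNlcjpwYXNz", "NTLM " + b64(type1), "NTLM " + b64(type3), "NTLM !!notbase64" };
        for (String h : headers) {
            Leg leg = classify(h);
            Reply r = reply(leg, b64(type2), false);
            System.out.println(leg + " -> HTTP " + r.status
                    + (r.wwwAuthenticate == null ? "" : " WWW-Authenticate: " + r.wwwAuthenticate));
        }
    }
}
```

In the sample run the Type 3 leg still yields 401 because the validation flag is false; with a real domain controller behind it, as in NtlmHttpFilter, that flag becomes the result of checking the submitted hashes, which is the difference between this design and the forum examples the passage warns about.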

 

[1] Due to restrictions in how protocol handlers are loaded, if the SMB URL protocol handler is to be used (meaning you want to access SMB resources with smb:// URLs) within your application it is necessary for the jCIFS jar to be loaded by the System class loader. This can usually be achieved by placing it in the container lib/ directory. However, for containers that load servlet classes in child classloaders (Tomcat) this too will cause problems as jCIFS will not be able to load javax.servlet.* classes. To get the filter and the URL protocol handler to operate together requires some experimentation and depends on the container being used.
