A common requirement of websites on corporate Intranetsis NTLM HTTP authentication also sometimes referred to as Single Sign On (SSO).一个企业内联网网站上常见的需求是NTLM HTTP认证有时也被称为单点登录(SSO)。Microsoft Internet Explorer hasthe ability to negotiate NTLM password hashes over an HTTP session using base64 encoded NTLMSSP messages.微软IE浏览器的能力,谈判通过HTTP使用Base 64编码NTLMSSP消息会话使用NTLM密码散列。This is a staple feature of IISbut Java application servers too can use jCIFS to authenticate MSIE clientsagainst a domain controller.这是一个Java应用程序的IIS,但也可以使用jCIFS来验证客户端的域控制器MSIE主食服务器功能。This is a useful feature because many of the taskssurrounding user management now fall back to computer support and HR.这是一个有用的功能,因为周围的用户管理,现在回落到电脑支持和人力资源的许多任务。It is not necessary to add and remove users as they joinand leave the company.这是没有必要添加和删除用户,因为他们加入和离开公司。Perhaps most important from a user's perspective; they donot need to enter a username or password if their workstation is a member ofthe domain.也许最重要的,从用户的角度来看,他们并不需要输入用户名和密码,如果他们的工作站是域的成员。The password hashes generated when they logged on totheir workstation will be negotiated during the initial request for a session,passed through jCIFS, and validated against a PDC or BDC.时产生的密码哈希他们登录到自己的工作站将在通过jCIFS通过了会议,初步要求谈判,并针对PDC或BDC验证。This also makes the users domain, username, and passwordavailable for managing session information, profiles, preferences, etc. Usingthe jCIFS Servlet Filter it is trivial to add NTLM HTTP authentication supportto your site.这也使得用户的网域,用户名和密码管理会话的信息,特征,喜好等使用jCIFS Servlet过滤器是微不足道的HTTP验证的支持NTLM身份加入到您的网站上。It is alsopossible to build custom authentication modules using the NtlmSsp classesdirectly.它也可以创建自定义身份验证模块使用NtlmSsp类直接。This Filter scales very wellprimarily because sessions are multiplexed over transports.这个过滤器尺度非常好,主要是因为会话是在复用传输。But thisfunctionality is not without caveats.但是,这个功能也不是没有警告。
Note: This functionality is a non-conformant extension to HTTP conceivedentirely by Microsoft.注:此功能是一个非符合性扩展到HTTP完全由微软设想。Itinappropriately uses HTTP headers and therefore may not work with all Servletcontainers or may stop working with a new release of your application server.它不适当地使用HTTP标头,因此可能无法在所有servlet容器或服务器可能会停止使用您的应用程序的新版本。Also, this flavor of password encryption is not verysecure so under no circumstances should it be used to authenticate clients onthe Internet.同时,这个密码是加密的味道不是很安全的情况下,不应该如此它是用来验证Internet客户端上。
Note: Don't forget to restart the container after changing jCIFSinit-parameters.注意:不要忘记重启参数改变后jCIFS容器初始化。JCIFS must use the containerclass loader and jCIFS properties are only read once when jCIFS classes areinitialized. JCIFS必须使用容器类加载器和jCIFS属性是只读一次当jCIFS类被初始化。
Installation and Setup安装和设置
Put the latest jCIFSjar file in the lib/ directory ofyour webapp [1].把最新的jCIFS罐子lib文件在/]你的webapp目录[1。Because jCIFS properties are loaded once when the jCIFSclasses are first accessed, it is necessary to actually stop and restart thecontainer if any jCIFS properties have been changed.由于jCIFS属性加载一次,当jCIFS类是首次访问,是要真正停止并重新启动容器如有jCIFS属性已被更改。Below are two web.xml configurations.下面是两个web.xml中配置。Note that the jcifs.smb.client.domain and jcifs.smb.client.domainController properties are mutually exclusive.请注意,jcifs.smb.client.domain和jcifs.smb.client.domainController属性是互相排斥的。
Production web.xml Example生产的web.xml示例
A minimalistic web.xml file with filter and filter-mapping directives might look like thefollowing:一个简约的映射指令web.xml文件过滤器和过滤器可能类似于以下内容:
<filter><filter>
<filter-name>NtlmHttpFilter</filter-name><filter-name> NtlmHttpFilter </过滤器的名称>
<filter-class>jcifs.http.NtlmHttpFilter</filter-class><filter-class> jcifs.http.NtlmHttpFilter </过滤器类>
<init-param><init-param>
<param-name>jcifs.smb.client.domain</param-name><param-name> jcifs.smb.client.domain </的param - name>
<param-value>NYC-USERS</param-value><param-value>纽约用户</参数值>
</init-param></的init- param>
<init-param><init-param>
<param-name>jcifs.netbios.wins</param-name><param-name> jcifs.netbios.wins </的param - name>
<param-value>10.169.10.77,10.169.10.66</param-value><param-value> 10.169.10.77,10.169.10.66 </参数值>
</init-param></的init- param>
</filter> </滤镜“>
<filter-mapping> <filter-mapping>
<filter-name>NtlmHttpFilter</filter-name><filter-name> NtlmHttpFilter </过滤器的名称>
<url-pattern>/*</url-pattern>的<url-pattern> /*“/的url - pattern>
</filter-mapping> </过滤器映射>
This filter section illustrates the setup forauthenticating clients against the domain NYC-USERS .该过滤器部分说明了在用户安装程序,验证客户对域纽约市。This is suitable for large numbers of concurrent users asjCIFS will cycle through domain controllers and use an alternate WINS server ifnecessary.这是适合用户的并发数为jCIFS大循环将通过域控制器,并使用WINS服务器候补委员必要的。
The above will authenticate users accessing all contentagainst the domain NYC-USERS .上述将验证用户访问所有用户的内容针对域纽约市。The WINSserver 10.169.10.77 will be queried to resolve NYC-USERS to an IP address of a domain controller. WINS服务器10.169.10.77将被查询来解决纽约市的用户到域控制器的IP地址对。If that WINS server is notresponding, 10.169.10.66 will be queried.如果该WINS服务器没有响应,10.169.10.66将被质疑。
Alternate web.xml Example备用的web.xml示例
The below example filter section illistrates how tospecify the IP address of the domain controller specifically using the jcifs.http.domainController property.下面的例子节滤波器illistrates如何指定jcifs.http.domainController财产IP地址的域控制器特别使用。The target machine does not need to be a real domaincontroller -- it could be just a workstation.目标计算机并不需要一个真正的域控制器 - 这可能只是一个工作站。Alsoillustrated below is the jcifs.smb.client.logonShare property.也说明了下面是jcifs.smb.client.logonShare财产。This will cause jCIFS toattempt to access the resource \\192.168.2.15\JCIFSACL when authenticating users.这将导致jCIFS试图访问资源\ \ 192.168.2.15 \ JCIFSACL当用户进行身份验证。By creating that share andchanging the Access Control List only certain users or groups of users will haveaccess to your website.通过创建,共享和更改访问控制列表只有特定的用户或用户组可以访问您的网站。
<filter><filter-name>NtlmHttpFilter</filter-name><filter-class>jcifs.http.NtlmHttpFilter</filter-class><init-param><param-name>jcifs.http.domainController</param-name><param-value>192.168.2.15</param-value> </init-param><init-param><param-name>jcifs.smb.client.logonShare</param-name><param-value>JCIFSACL</param-value> </init-param></filter> <filter-mapping> <filter-name>NtlmHttpFilter</filter-name><url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>NtlmHttpFilter </过滤器的名称> <filter-class> jcifs.http.NtlmHttpFilter </过滤器类> <init-param> <param-name>jcifs.http.domainController </参数,名称><param-value> 192.168.2.15 </参数值> </的init - param> <init-param> <param-name> jcifs.smb.client.logonShare</参数名称> <param-value> JCIFSACL </参数值> </的init - param> </滤镜“> <filter-mapping><filter-name> NtlmHttpFilter </过滤器的名称>的<url-pattern>/ *”/的url - pattern> </过滤器映射>
This filter section illustrates the setup forauthenticating against a JCIFSACL share for testing or a site with a smallnumber of concurrent users (eg 1000)该过滤器部分说明了并发用户的身份验证设置为JCIFSACL反对份额数测试或小的网站上(如1000)
Either a jcifs.smb.client.domain or jcifs.smb.client.domainController property is required.要么是jcifs.smb.client.domain或jcifs.smb.client.domainController属性是必需的。This will be suitable toauthenticate clients that are members of the specified domain as well as otherdomains with which it has trusts relationships.这将是合适的身份验证的客户端指定域的成员以及其他领域与它有信任关系。
Running the NtlmHttpAuthExample.java example should be a suitable test of theFilter.运行NtlmHttpAuthExample.java例子应该是筛选合适的测试。
NTLM HTTP Authentication Example使用NTLM HTTP认证范例
NYC-USERS\MIALLEN successfully logged in纽约市的用户\ MIALLEN成功登录
Please submit some form data using POST请提交某种形式使用POST数据
窗体顶端
窗体底端
field1 = hello field1的=你好
The significance of the POST test is that afternegotiating NTLM HTTP Authentication once, IE will not POST any form data untilit has negotiated the password hashes again.测试意义的文章中,经过协商NTLM身份验证的HTTP一次,即不会发表任何形式的数据,直到它再次谈判的密码哈希。
If the NTLM HTTP Authentication Filter is not enabledsomething like the following will be displayed:如果NTLM身份验证的HTTP筛选器未启用像下面这样将显示:
null successfully logged in空成功登录
Notice the user was permitted access.请注意,用户被允许访问。Unlike thisexample, developers might add an additional check to make sure getRemoteUser does not return null .不像这个例子中,开发人员可能会增加一个额外的检查,以确保getRemoteUser没有返回 null。
Non MSIE Clients and "Basic"Authentication非MSIE客户,并且“基本”身份验证
NTLM HTTP authentication is only supported by MSIEtransparently.使用NTLM HTTP认证只支持MSIE透明。Mozilla 1.6 supports NTLM HTTPnegotiation but it will always prompt the user for credentials by default(although the Mozilla documentation on Integrated Authentication describes how to make it transparent to theuser for trusted sites). Mozilla的1.6支持NTLM HTTP的谈判,但始终提示用户通过默认凭据(虽然在Mozilla的文档集成身份验证描述如何使其透明的,用户信任的网站)。For otherclients it is possible to use basic authentication to pass NTLM passwordcredentials.对于其他客户有可能通过使用基本身份验证使用NTLM密码凭据。This is strongly discouraged ifSSL is not being used because it sends these credentials in plain text.这是非常气馁,如果没有使用SSL的,因为它以纯文本发送这些凭据。It would not be difficult for another user to downloadand install a program to "snoop" LAN traffic and obtain other user'spasswords.它不会很难另一个用户下载并安装一个程序来“窥探”LAN流量并获得其他用户的密码。
Regardless, this functionality has been added to the NtlmHttpFilter and NtlmServlet (for pre 2.3 servlet containers) althoughit is disabled by default.无论如何,这一功能已被添加到NtlmHttpFilter和NtlmServlet(适用于2.3 servlet容器),尽管它是默认禁用。To enable this capability set the jcifs.http.basicRealm , jcifs.http.enableBasic , and jcifs.http.insecureBasic propertiesdescribed in the table below.要启用此功能设置jcifs.http.basicRealm,jcifs.http.enableBasic,及下表中所述的jcifs.http.insecureBasic性能。
JCIFS Properties Meaningful to NTLM HTTPAuthentication JCIFS属性有意义为NTLM HTTP认证
All parameters that begin with 'jcifs.'开头的所有参数'jcifs。' will be set as jCIFS properties which meansthat any jCIFS properties may be used as init parameters. These propertiesmust be set before jCIFS classes are used .将被设置为jCIFS属性这意味着任何jCIFS属性可以作为初始化参数。必须设置这些属性之前jCIFS类使用。For a completelist of jCIFS properties refer to the overview page of the API documentation .对于jCIFS属性的完整清单请参考API文档概述页。Here is a select subset ofjCIFS properties with additional notes in the context of NTLM HTTPAuthentication.这里是一个jCIFS与HTTP认证的NTLM方面的补充说明属性子集选择。
jcifs.smb.client.domain jcifs.smb.client.domain |
The NT domain against which clients should be authenticated. NT域对哪些客户端进行身份验证。 Generally it is necessary to also set the jcifs.netbios.wins parameter or a domain controller may not be found.一般来说,有必要也设置jcifs.netbios.wins参数或域控制器可能无法找到。 This parameter will be ignored for NTLM HTTP authentication purposes if a jcifs.http.domainController property is specified (although they can be used together for "preauthenctication" as described in the SMB Signatures and Windows 2003 section below).这个参数将被忽略NTLM身份验证目的的HTTP如果jcifs.http.domainController属性被指定(虽然他们可以一起使用的“preauthenctication”作为描述的SMB签名和Windows 2003部分)。 |
jcifs.http.domainController jcifs.http.domainController |
The IP address of any SMB server that should be used to authenticate HTTP clients with the NtlmHttpFilter class.该NtlmHttpFilter类IP地址的任何SMB服务器,应使用HTTP客户端的身份验证与。 If this is not specified the jcifs.smb.client.domain 0x1C NetBIOS group name will be queried.如果这不是指定的jcifs.smb.client.domain 0x1C进行NetBIOS组名称将被质疑。 If these queries fail an UnknownHostException will be thrown.如果这些查询失败,将抛出一个UnknownHostException。 It is not necessary for this to specify a real domain controller.这是没有必要为此指定一个真正的域控制器。 The IP address of a workstation will do for simple purposes.工作站的IP地址将做简单的目的。 |
jcifs.http.basicRelm jcifs.http.basicRelm |
The realm for basic authentication.对于基本身份验证领域。 This property defaults to 'jCIFS'.此属性默认为'jCIFS'。 |
jcifs.http.enableBasic jcifs.http.enableBasic |
Setting this property to true enables basic authentication over HTTPS only.设置此属性,以使真正的HTTPS仅基本身份验证了。 |
jcifs.http.insecureBasic jcifs.http.insecureBasic |
Setting this property to true enables basic authentication over plain HTTP.设置此属性,以使真正的纯HTTP基本验证了。 This configuration passes user credentials in plain text over the network.这种配置在网络中传递明文用户凭据。 It should not be used in environment where security is required.它不应该被用在环境中的安全是必需的。 |
jcifs.http.loadBalance jcifs.http.loadBalance |
If a jcifs.smb.client.domain property is specified (and domainController is not specified) the NtlmHttpFilter will query for domain controllers by name.如果jcifs.smb.client.domain属性被指定(及加入DomainController 不指定)NtlmHttpFilter将名称查询由域控制器。 If this property is true the Filter will rotate through the list of domain controllers when authenticating users.如果此属性为 true过滤器将通过旋转控制器列表用户进行身份验证时的域。 The default value is true .默认值是 true。 The jcifs.netbios.lookupRespLimit property can also be used to limit the number of domain controllers used.该jcifs.netbios.lookupRespLimit属性也可用于限制使用的数字控制器的域。 |
jcifs.netbios.lookupRespLimit jcifs.netbios.lookupRespLimit |
The 0x1C NetBIOS name query returns a list of domain controllers.该0x1C进行NetBIOS名称查询返回的域控制器列表。 It is believed that the servers at the top of this list should be favored.据信,在此列表的顶部的服务器应该受到青睐。 This property limits the range of servers returned by name queries.此属性限制按名称查询返回的服务器范围。 The default value is 5 meaning the top 5 domain controllers will be used.默认值是5的意思前5个域控制器将被使用。 |
jcifs.netbios.wins jcifs.netbios.wins |
The IP address of the WINS server.的WINS服务器的IP地址。 This is required when accessing hosts on different subnets (like a domain controller by name) and it is highly recommended if a wins server is available.这是访问时需要在不同子网上的主机(如按名称域控制器),这是强烈建议如果WINS服务器可用。 |
jcifs.smb.client.laddr jcifs.smb.client.laddr |
The ip address of the local interface the client should bind to if it is different from the default.本地接口的IP地址绑定到客户端应该如果它不同于默认。 For example if jCIFS is used to authenticate clients on one interface and the domain controller for those clients is accessible only on another interface of a webserver with two NICs it may be necessary to specify which interface jCIFS should use.例如,如果jCIFS用于验证在一个接口以及这些客户的客户是唯一的域控制器的另一个Web服务器有两个网卡接口访问它可能需要指定应该使用哪个接口jCIFS。 |
jcifs.netbios.laddr jcifs.netbios.laddr |
The ip address of the local interface the client should bind to for name queries if it is different from the default.本地接口的IP地址的客户端应为名称查询绑定到如果它不同于默认。 Likely set to the same as the above property.可能设置为与上述性质相同。 |
jcifs.smb.client.attrExpirationPeriod jcifs.smb.client.attrExpirationPeriod |
Attributes of a file are cached for attrExpirationPeriod milliseconds.文件属性的是缓存attrExpirationPeriod毫秒。 The default is 5000 but the NetworkExplorer servlet will attempt to set this property to 120000.默认是5000,但NetworkExplorer servlet将尝试将此属性设置为120000。 Otherwise, when listing large directories, the attributes of SmbFiles may expire within the default period resulting in a large number of additional network messages and severe performance degradation.否则,当上市的大型目录,属性的SmbFiles内到期的可降解性能的默认和严重的时期产生了大量额外的网络信息。 |
jcifs.smb.client.soTimeout jcifs.smb.client.soTimeout |
To prevent the client from holding server resources unnecessarily, sockets are closed after this time period if there is no activity.为了防止不必要的客户端服务器资源控股,插座被关闭后,这段时间内如果没有任何活动。 This time is specified in milliseconds.这一次,被指定以毫秒为单位。 The default is 15000 however when NTLM HTTP Authentication is used, the NtlmHttpFilter will attempt to set this value to 5 minutes so that frequent calls to SmbSession.logon() do not provoke redundant messages being submitted to the domain controller.但是默认是15000当NTLM HTTP认证使用,NtlmHttpFilter将尝试将此值设置为5分钟,使()经常呼吁SmbSession.logon不要惹冗余消息被提交到域控制器。 If it is not desirable to cache password hashes set this value back to 15000.如果它是不可取的密码哈希缓存设置此值回15000。 |
jcifs.netbios.cachePolicy jcifs.netbios.cachePolicy |
When a NetBIOS name is resolved with the NbtAddress class it is cached to reduce redundant name queries.当一个NetBIOS名称与NbtAddress类是解决缓存以减少重复名称查询。 This property controls how long, in seconds, these names are cached.此属性控制多久,在几秒钟内,这些名称缓存。 The default is 30 seconds, 0 is no caching, and -1 is forever.默认为30秒,0是没有缓存,-1是永恒的。 When NTLM HTTP Authentication is used, NtlmHttpFilter will attempt to set this value to 20 minutes so that frequent queries for a domain controller will be cached.当NTLM HTTP认证使用,NtlmHttpFilter将尝试将此值设置为20分钟,使该域控制器为频繁的查询将被缓存。 |
Must Restart The Container必须重新启动集装箱
If you change any jcifs properties or replace an existingjcifs jar file with a different one, the container must be restarted.如果您更改任何jcifs属性或更换一个不同的现有jcifs jar文件,容器必须重新启动。This isbecause most jcifs properties are retrieved only once when classes are firstloaded.这是因为大多数jcifs属性检索类只有一次,当第一次加载。
Tomcat Tomcat的
Tomcat requires that all filter directives be adjacent toone another, all filter-mapping directives appear adjacent to one another, allservlet directives ... Tomcat的过滤指令要求所有彼此相邻,所有过滤器映射指令出现彼此相邻,所有servlet指令... and so on.等等。This is because Tomcatvalidates the web.xml against the deployment descriptor DTD.这是因为Tomcat对验证的DTD的web.xml部署描述符。
MalformedURLException: unknown protocol: smbMalformedURLException:未知协议:中小企业
If you get the following exception try upgrading tojcifs-0.7.0b12 or later.如果你得到下面的异常尝试升级到jcifs - 0.7.0b12或更高版本。Also read the FAQ .另请阅读常见问题。
ExceptionMalformedURLException: unknown protocol: smb例外MalformedURLException:未知协议:中小企业
atjava.net.URL.(URL.java:480)在中java.net.URL(URL.java:480)。
atjava.net.URL.(URL.java:376)在中java.net.URL(URL.java:376)。
atjava.net.URL.(URL.java:330)在中java.net.URL(URL.java:330)。
atjcifs.smb.SmbFile.(SmbFile.java:355)在jcifs.smb.SmbFile(SmbFile.java:355)。
... ...
TransparentAuthentication and the Network Password Dialog透明的认证和网络密码对话框
If the Filter is working properly the Network PasswordDialog should never appear.如果过滤器正常工作的网络密码对话框应该永远不会出现。However there are several requirements that must be metfor a web browser to transparently negotiate credentials using NTLM HTTPauthenication.但是,必须有一个Web浏览器开会商讨透明使用NTLM认证的HTTP authenication几个要求。If any of these requirements are not met, the defaultbehavior is to present the user with the Network Password dialog.如果任何这些要求得不到满足,默认的行为是目前与用户的网络密码对话框。The requirements are:的要求是:
1. The clientmust be logged into the Windows NT domain identified by thejcifs.smb.client.domain parameter (or the domain of the host identified by thejcifs.smb.client.domainController parameter if it is used instead).客户端必须登录到Windows NT的jcifs.smb.client.domain参数(或参数标识的jcifs.smb.client.domainController如果用它代替主域)确定域。The client mayalso be logged into a domain that has a trust relationship with the targetdomain.客户端可以被记录到域具有与目标域的信任关系。Indeed it is not uncommon to configure workstations tojoin a different domain from those of users.事实上,这并非罕见配置工作站加入一个从用户的不同领域。Note that Windows 95/98/ME systems cannot really join adomain but can be configured to do so enough to participate in transparent NTLMHTTP authentication.请注意,Windows 95/98/ME系统不能真正加入域,但可以这样做配置足够透明的NTLM身份参加HTTP认证。
2. Only InternetExplorer will negotiate NTLM HTTP authentication transparently.只有Internet Explorer将使用NTLM HTTP认证透明的谈判。Mozilla will always prompt theuser for credentials (someone please notify us when/if this is not trueanymore). Mozilla将总是提示用户输入凭据(某人请通知我们,当/如果这是不是真的了)。At the timethis FAQ was written it was not known which other browsers, if any, cannegotiate NTLM HTTP authenication transparently.当时写这本FAQ不知道还有哪些浏览器,如果有的话,可以协商NTLM身份的HTTP authenication透明。
3. Either thetarget URL must contain a server in the local domain (eg ws1.mycompany.com) orthe client's security settings must be changed (eg Tools > Internet Options> Security > Local Intranet > Sites > Advanced > add your site).无论是目标URL必须包含本地域中(例如ws1.mycompany.com)或客户端的安全设置的服务器必须被改变(如工具>“Internet选项”>安全“本地Intranet>网站>”高级>“添加您的网站)。If the URL does not contain a URL in the defined IntrAnetzone (eg not an IP address), Internet Explorer will assume that the server isin the IntErnet zone and present the user with the Network Password dialog.如果URL中不包含在定义的Intranet区域(如不是一个IP地址)的网址,IE浏览器将假定服务器在Internet区域和目前与用户的网络密码对话框。It would be very bad if a server on the Internet couldconvince IE to send it your NTLM password hashes.这将是一个非常不好,如果互联网上的服务器能够说服IE浏览器发送给您的使用NTLM密码散列。These hashes are easily cracked with brute forcedictionary attacks.这些都是很容易与蛮力破解哈希字典攻击。To prevent this scenario, IE tries to distinguish betweenIntranet sites and Internet sites.为了防止这种情况下,IE浏览器试图区分内部网站和互联网网站。Here are someimportant notes to consider when deploying a site with NTLM HTTP Authenticationregardless of whether or not jCIFS is used to do it.下面是一些重要事项时需要考虑部署一个使用NTLM HTTP认证的网站,无论是否jCIFS是用来做它。
o InternetExplorer May Prompt You for a Password Internet Explorer可能会提示您输入密码
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q258063http://support.microsoft.com/default.aspx?scid=kb;恩美;
Q258063
o How to UseSecurity Zones in Internet Explorer如何使用Internet Explorer安全区域
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q174360http://support.microsoft.com/default.aspx?scid=kb;恩美;
Q174360
o An IntranetSite Is Identified as an Internet Site When You Use an FQDN or IP Address Intranet网站被标识为一个互联网网站时,你使用FQDN或IP地址
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303650http://support.microsoft.com/default.aspx?scid=kb;恩美;
Q303650
4. The user'scredentials must be valid.用户的凭据必须是有效的。For example if the account has expired, been disabled oris locked out the Network Password dialog will appear.例如,如果该帐户已过期,被禁用或锁定网络密码对话框将会出现。To determine which error was at fault it will benecessary to modify the NtlmHttpFilter to inspect the SmbAuthException indoFilter.要确定哪些错误有过错,有必要修改NtlmHttpFilter检查中的doFilter SmbAuthException。
5. The jCIFSclient must support the lmCompatibility level necessary for communication withthe domain controller.该jCIFS客户端必须支持lmCompatibility水平与域控制器的通信需要。If the server does not permit NTLMv1 try to setjcifs.smb.lmCompatibility = 3.如果服务器不允许NTLMv1尝试设置jcifs.smb.lmCompatibility = 3。
Personal Workstation ADSecurity Policy个人工作站AD安全政策
If your Active Directory security policy requires thatusers only log into the domain from their personal workstations JCIFS will failto authenticate and the server security log will have entries like"\\JCIFS10_40_4A cannot be authorized".如果您的Active Directory安全政策要求用户只能从他们的JCIFS到个人工作站将无法登录到域验证和服务器的安全日志将有类似“\ \ JCIFS10_40_4A无法授权”的条目。This occurs because the domain controller is failing toresolve the dynamically generated "calling name" submitted by theclient during protocol negotiation.这是因为域控制器是未能有效解决动态生成的“来电姓名”,由客户端提交的协议协商过程中。To get around this it is necessary to set the jcifs.netbios.hostname property to a valid NetBIOS name that can be resolved bythe NetBIOS name service (eg WINS) and add that name to the AD security policyas a permitted client.为了解决这个问题,有必要设置jcifs.netbios.hostname属性为有效的NetBIOS名称都可以)解决NetBIOS名称服务(如WINS和补充,更名为许可客户端AD安全政策。
For example, you can set this property using aninit-paremeter in the web.xml file for the NTLM HTTP filter as follows:例如,您可以使用此属性设置为HTTP的web.xml文件的NTLM一个INIT - paremeter过滤器如下:
<init-parameter><init-parameter>
<parameter-name>jcifs.netbios.hostname</parameter-name><parameter-name> jcifs.netbios.hostname </参数名>
<parameter-value>MYHOSTNAME</parameter-value><parameter-value> MYHOSTNAME </参数值>
</init-parameter> </ init的参数>
HTTP POST and ProtectingSub-Content HTTP POST和保护小组内容
Once IE has negotiated NTLM HTTP authentication it willproactively renegotiate NTLM for POST requests for all content associated withthe server (based on IP?).一旦谈判NTLM身份IE的HTTP验证它会主动重新谈判与服务器相关的所有内容POST请求的NTLM(基于IP的?)。Therefore when using HTTP POST requests it is notpossible to restrict access to some content on the server as IE will attemptand fail to negotiate NTLM (standard IE error page?).因此,当使用HTTP POST请求是不可能限制访问服务器上的一些内容,IE浏览器将尝试,不谈判的NTLM(标准的IE错误页?)。This is a protocol limitationand there does not appear to be a way to convince IE to stop proactivelynegotiating for POST requests once it has been determined that the server iscapable of negotiating NTLM authentication.这是协议限制,似乎没有被说服IE浏览器的方式主动停止POST请求一旦谈判已确定该服务器是NTLM身份验证的谈判能力。
SMB Signatures and Windows 2003中小企业签名和Windows 2003
If the domain controller against which you areauthenticating clients requires SMB signatures (Windows 2003 does by default),it is recommended that you provide init-parameters for the jcifs.smb.client.{domain,username,password} to perform "preauthentication"for each transport to a domain contoller so that a proper SMB signing key willbe generated.如果域控制器,你对客户的需要进行身份验证的SMB签名(Windows 2003中默认是通过),建议您提供的init - jcifs.smb.client参数的。{域,用户名,密码}执行“预身份验证”每到一个域位指示运输,使正确的SMB签名的密钥将被生成。In fact, this may be necessaryfor proper operation; it has been observed that NT 4.0 does not check thesignatures of authentication requests but the behavior has not been confirmedin all environments.事实上,这可能是正确的操作必需,它已被观察到的NT 4.0不检查认证的要求,但该行为并未在所有环境中证实了签名。If the Filterworks for the first authentication but fails with a second user shortlythereafter this would suggest that signing was established but subsequentauthentications are failing due to the lack of a good signing key.如果过滤工程,第一个身份验证失败,但第二个用户此后不久,这将表明,签约成立认证失败了,但随后由于缺乏关键的一个好签。Additionally, without a proper signing key certainrequests ( SMB_COM_TREE_DISCONNECT and SMB_COM_LOGOFF_ANDX ) will causesignature verification failures (although they are harmless to the client).另外,没有适当的签名密钥SMB_COM_LOGOFF_ANDX)若干请求(SMB_COM_TREE_DISCONNECT,将导致签名验证失败(尽管它们是无害的客户端)。
A third solution for signature issues is to change the jcifs.smb.client.ssnLimit to 1.一个签字问题解决方案,第三是改变jcifs.smb.client.ssnLimit为1。This will require that every authentication uses aseparate transport.这就要求每一个身份验证使用一种单独的传输。Because the MAC signing key is only used on SMBcommunication occuring after the initial authentication, signing will beeffectively ignored.因为Mac签名密钥仅在SMB通信中使用后发生的初始身份验证,签署将有效地忽略。However, thissolution will significantly reduce scalability as each authentication will openit's own transport.然而,这个解决方案将大大减少,因为每个验证可扩展性,开放它自己的交通工具。For this reason the second solution of using a"workstation account" to preauthenticate transports is considered thesuperior method and should be used by default for servers that requiressignatures.对于这是否使用“工作站的帐户”,preauthenticate运输第二个解决方案被认为是优越的方法,并应在默认情况下用于服务器,需要签名的原因。
NTLM HTTP Authentication Protocol Details使用NTLM HTTP认证协议详细
The NTLM HTTP Authentication process is described well inthese documents:在NTLM HTTP认证过程很好地描述这些文件:
http://davenport.sourceforge.net/ntlm.htmlhttp://davenport.sourceforge.net/ntlm.html
http://www.innovation.ch/java/ntlm.htmlhttp://www.innovation.ch/java/ntlm.html
The process can be summarized as a 3 request/response"handshake".这一过程可以概括为三请求/响应“握手”。So doGet() will be called three times.所以的doGet()会被调用三次。The first is the initialrequest.第一个是最初的请求。A 401 Unauthorized is sent back to which IE submits a special messageencoded in a header.401未经授权被送回被IE提交一个特殊的信息编码在一个头。Another 401 Unauthorized is sent back after which IE submits the password hashes.另401未经授权被送回后IE浏览器提交的密码哈希。This is wherejCIFS comes in. The password hashes alone are useless.这是jCIFS用武之地的密码哈希仅是无用的。You must check their authenticity against the passworddatabase on a server somewhere (actually you can specify the IP of a plainworkstation or any other SMB server).你必须检查自己的服务器上对密码数据库的真实性地方(其实你可以指定一个普通的工作站或任何其他SMB服务器的IP)。Otherwise a user who's workstation is not a member of thedomain will get a password dialog into which they could put anything and itwould let them in. This is what pretty much all the examples seen in variousforums do.否则用户谁的工作站不是域将得到一个密码对话框成员到他们可以把任何东西,这将让他们进来,这就是几乎所有的例子,在各种论坛上看到做。Don't be fooled.不要被愚弄。
[1] Due to restrictions in how protocolhandlers are loaded, if the SMB URL protocol handler is to be used (meaning youwant to access SMB resources with smb:// URLs) within your application it isnecessary for the jCIFS jar to be loaded by the System class loader.[1]由于被加载到协议的限制,如何处理,如果SMB URL协议处理程序是使用(意思是你要访问资源与SMB中小企业:/ /网址)在您的应用程序是必要的罐子被jCIFS加载系统类加载器。This can usuallybe achived by placing it in the container lib/ directory.这通常可以达到目录中放置在容器中库/。However, forcontainers that load servlet classes in a child classloaders (Tomcat) this toowill cause problems as jCIFS will not be able to load javax.servlet.* classes.然而,对于容器(Tomcat)的servlet类加载在子类加载器这也将可能会带来问题jCIFS将无法加载javax.servlet包.*类。To get the filterand the URL protocol handler to operate together requires some experimentationand depends on the container being used.为了得到过滤和URL协议处理程序同时运行,需要一些试验和使用取决于容器的福利。