jespa.ntlm

Class NtlmResponse

java.lang.Object

jespa.ntlm.NtlmResponse

public class NtlmResponse
extends java.lang.Object

NTLM is a "challenge and response" system. The server sends the client a "challenge" to which the client supplies a "response". An object of this type represents that "response" and other information accumulated by the NTLM acceptor during the NTLMSSP token exchange. After the token exchange has completed, an object of this type is constructed and supplied to NtlmSecurityProvider.authenticate(java.lang.Object) as the credential to be authenticated.

Creating a Custom NtlmSecurityProvider Authority

These classes are arranged specifically to allow an NtlmResponse object to be constructed manually (such as with data from a local SQL database) and then compared directly with the response supplied to the authenticate method in a subclass of NtlmSecurityProvider. The following code fragment (copied from src/jespa/examples/MyNtlmSecurityProvider.java) demonstrates how this is done:

 public void authenticate(Object credential) throws SecurityProviderException
 {
     String nbtName = (String)getProperty("domain.netbios.name");
     String dnsName = (String)getProperty("domain.dns.name");
     String myusername = (String)getProperty("my.username");
     String mypassword = (String)getProperty("my.password");
 
     if (credential instanceof NtlmResponse) {
         NtlmResponse resp = (NtlmResponse)credential;
         String domain = resp.getDomain();
         String username = resp.getUsername();
 
         if (domain == null || domain.trim().length() == 0)
             domain = nbtName;
 
         if (domain.equalsIgnoreCase(nbtName) || domain.equalsIgnoreCase(dnsName)) {
             /* If the domain was not supplied or matches our domain, we are the
              * authority for the account.
              */
             if (username.equalsIgnoreCase(myusername)) {
                 /* Build another NtlmResponse object with the raw credentials and then
                  * directly compare it with the one supplied by the client.
                  */
 
                 NtlmResponse local = new NtlmResponse(resp,
                             domain,
                             myusername,
                             mypassword.toCharArray(),
                             getTargetInformation());
                 if (resp.equals(local)) {
                     return; // SUCCESS
                 }
 
                 throw new SecurityProviderException(SecurityProviderException.STATUS_INVALID_CREDENTIALS,
                         "Invalid credentials for " + domain + '\\' + username);
             }
         }
         throw new SecurityProviderException(SecurityProviderException.STATUS_ACCOUNT_NOT_FOUND,
                 "Account not found for " + domain + '\\' + username);
 ...
 

Alternatively, the supplied response domain and username could be used to lookup the corresponding password in a local database.

Additionally, if the domain is was not correct or was not supplied, a supercall could be used to then fall-back to validating the NtlmResponse using the NETLOGON service.

Note: The domain is case sensitive. The same domain name in upper-case as opposed to lower-case will compute a different response. Meaning, once the domain is determined to match your "domain", the origial domain string acquired through the client supplied NtlmResponse must be used with the NtlmResponse constructor. Otherwise, users would have to enter the domain using a particular case.

Constructor Summary

Constructors

Constructor and Description
NtlmResponse(NtlmResponse clientResponse, java.lang.String domain, java.lang.String username, char[] password, byte[] targetInformation) Construct an NTLM response manually using the plaintext password that may be compared with the client supplied NTLM response.

Method Summary

Modifier and Type	Method and Description
boolean	equals(java.lang.Object obj)
java.lang.String	getDomain()
java.lang.String	getUsername()
java.lang.String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

NtlmResponse

public NtlmResponse(NtlmResponse clientResponse,
                    java.lang.String domain,
                    java.lang.String username,
                    char[] password,
                    byte[] targetInformation)

Construct an NTLM response manually using the plaintext password that may be compared with the client supplied NTLM response. In practice, this can only be performed in the NtlmSecurityProvider.authenticate(java.lang.Object) method as the client challenge, NTLMSSP flags, target information and other data is only accessible from within that method.

Parameters:

clientResponse - the NtlmResponse object passed to the NtlmResponse.authenticate method.

domain - the name of the domain that is an authority for the target account.

username - the username of the account within the above mentioned domain.

password - the plaintext password as a char[] array

targetInformation - the "target information" which can be acquired using the NtlmSecurityProvider.getTargetInformation method.

Method Detail

getDomain

public java.lang.String getDomain()

getUsername

public java.lang.String getUsername()

equals

public boolean equals(java.lang.Object obj)

Overrides:

equals in class java.lang.Object

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object