NTLM Authentication in Jetspeed

NTLM authentication can be used for Single Sign-On (SSO) from a Windows client or browser. A nice explanation of NTLM can be found here. Jetspeed-2 supports NTLM authentication based on the jCIFS servlet filter. With the approach described below you can use NTLM authentication with an optional fallback to Jetspeed's default authentication, so the solution can be used as a drop-in replacement. A typical use of the fallback login method is when users log on to an intranet from a different domain: instead of being rejected, these users are redirected to a login screen. Keep in mind that NTLM is a legacy protocol which does not authenticate the server to the client, and that the jCIFS project has deprecated its NTLM HTTP filter (it does not support NTLMv2); treat this setup as a compatibility option rather than a hardened SSO mechanism.

The valve described below can also be used as a replacement for the default Security Valve on its own: if you do not configure the NTLM filters, no NTLM credentials arrive on the request and the valve simply applies Jetspeed's default authentication.

Configuring NTLM Authentication

Jetspeed-2 security configuration is explained here.

Configuring NTLM servlet filters

The first step is to configure jCIFS NTLM HTTP Authentication, which is explained here. You configure jCIFS as a filter in the web.xml of your webapp. Next, you must configure a second, Jetspeed-specific servlet filter whose filter-mapping is placed directly after the jCIFS filter-mapping (the servlet container runs filters in the order of their filter-mapping elements). The org.apache.jetspeed.security.ntlm.ignoreUrls parameter lists the URLs that the Jetspeed filter leaves alone, which keeps the fallback login page reachable. An example configuration:

<!-- jCIFS filter: performs the NTLM handshake with the browser and
     validates the credentials against a domain controller of the domain -->
<filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>SOME_DOMAIN</param-value>
  </init-param>
</filter>

<!-- Jetspeed filter: exposes the NTLM-authenticated user to the portal;
     the URLs in ignoreUrls are exempt so the fallback login stays reachable -->
<filter>
  <filter-name>NtlmHttpServletRequestFilter</filter-name>
  <filter-class>org.apache.jetspeed.security.impl.ntlm.NtlmHttpServletRequestFilter</filter-class>
  <init-param>
    <param-name>org.apache.jetspeed.security.ntlm.ignoreUrls</param-name>
    <param-value>/login/login</param-value>
  </init-param>
</filter>

<!-- Execution order follows the order of the filter-mapping elements:
     the jCIFS filter must be mapped first, the Jetspeed filter immediately after -->
<filter-mapping>
  <filter-name>NtlmHttpFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>NtlmHttpServletRequestFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Configuring NTLM Security Valve

The filters above place the NTLM credentials on the request. To use these credentials, you must configure org.apache.jetspeed.security.impl.ntlm.NtlmSecurityValve in each Jetspeed pipeline you want to secure; this valve replaces the default SecurityValveImpl. For an explanation of how to set up pipelines, see here. An example of how to configure the NtlmSecurityValve bean:

<bean id="securityValve" class="org.apache.jetspeed.security.impl.ntlm.NtlmSecurityValve" init-method="initialize">
  <constructor-arg>
    <ref bean="org.apache.jetspeed.security.UserManager" />
  </constructor-arg>
  <!-- Network domain. This value is optionally stripped from the authenticated
       user name; use the same domain as jcifs.smb.client.domain in web.xml -->
  <constructor-arg><value>SOME_DOMAIN</value></constructor-arg>
  <!-- Omit domain in user principal (true: DOMAIN\user becomes user) -->
  <constructor-arg><value>true</value></constructor-arg>
  <!-- 
     NTLM Authorization required. 
     If set to true, only users authenticated by NTLM authentication will be authorized;
     with false, users without NTLM credentials fall back to the default login.
  -->
  <constructor-arg><value>false</value></constructor-arg>
</bean>
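The class below is an added example, not Jetspeed or jCIFS code. It models in plain Java (no servlet dependency, so it runs with javac alone) the decisions that the ignoreUrls filter parameter from the web.xml section and the three valve constructor arguments above (domain, omit domain, NTLM required) control, so you can check how a given combination behaves before deploying it. The class name NtlmPrincipalPolicy, the prefix matching of ignoreUrls, and the rule that only the configured domain is stripped (an account from another domain keeps its qualified name, so OTHER\alice cannot be mistaken for SOME_DOMAIN\alice) are this example's own assumptions, not documented Jetspeed behaviour; the "DOMAIN\user" form of the remote user is how jCIFS reports it.

```java
// NtlmPrincipalPolicy.java -- added example, not Jetspeed or jCIFS code.
// Models the effect of ignoreUrls and of the NtlmSecurityValve constructor
// arguments (domain, omitDomain, ntlmRequired). Prefix matching of ignoreUrls
// and the "strip only the configured domain" rule are assumptions of this example.
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public final class NtlmPrincipalPolicy {

    /** Outcome for one request. */
    public enum Decision { NTLM_AUTHENTICATED, FALLBACK_LOGIN, DENIED }

    public static final class Result {
        public final Decision decision;
        public final String principal; // null unless NTLM_AUTHENTICATED
        Result(Decision decision, String principal) {
            this.decision = decision;
            this.principal = principal;
        }
        @Override public String toString() {
            return decision + (principal == null ? "" : "(" + principal + ")");
        }
    }

    private final List<String> ignoreUrls; // org.apache.jetspeed.security.ntlm.ignoreUrls
    private final String domain;           // valve constructor arg: network domain
    private final boolean omitDomain;      // valve constructor arg: omit domain in principal
    private final boolean ntlmRequired;    // valve constructor arg: NTLM authorization required

    public NtlmPrincipalPolicy(List<String> ignoreUrls, String domain,
                               boolean omitDomain, boolean ntlmRequired) {
        this.ignoreUrls = ignoreUrls;
        this.domain = domain;
        this.omitDomain = omitDomain;
        this.ntlmRequired = ntlmRequired;
    }

    /**
     * @param path       servlet path of the request, e.g. "/login/login"
     * @param remoteUser user set by the upstream NTLM filter ("DOMAIN\\user" as
     *                   jCIFS reports it), or null if the request carried no
     *                   NTLM credentials
     */
    public Result decide(String path, String remoteUser) {
        // Ignored URLs are never treated as NTLM-authenticated, so the fallback
        // login page stays reachable even when ntlmRequired is true.
        for (String ignored : ignoreUrls) {
            if (path.startsWith(ignored)) {
                return new Result(Decision.FALLBACK_LOGIN, null);
            }
        }
        if (remoteUser == null || remoteUser.isEmpty()) {
            // No NTLM credentials on the request: deny or fall back to the default login
            return ntlmRequired ? new Result(Decision.DENIED, null)
                                : new Result(Decision.FALLBACK_LOGIN, null);
        }
        return new Result(Decision.NTLM_AUTHENTICATED, toPrincipal(remoteUser));
    }

    /**
     * Maps "DOMAIN\\user" to the portal principal name. Only the configured
     * domain is stripped (assumption of this example): an account from another
     * trusted domain keeps its qualified, upper-cased domain prefix so that it
     * can never collide with a local account of the same name.
     */
    public String toPrincipal(String remoteUser) {
        int sep = remoteUser.indexOf('\\');
        if (sep < 0) {
            return remoteUser; // already unqualified
        }
        String userDomain = remoteUser.substring(0, sep);
        String user = remoteUser.substring(sep + 1);
        if (omitDomain && userDomain.equalsIgnoreCase(domain)) {
            return user;
        }
        // Windows domain names are case-insensitive; normalise so one account
        // always maps to one principal string
        return userDomain.toUpperCase(Locale.ROOT) + "\\" + user;
    }

    public static void main(String[] args) {
        // Same settings as the web.xml and bean examples above: fallback allowed
        NtlmPrincipalPolicy policy = new NtlmPrincipalPolicy(
                Arrays.asList("/login/login"), "SOME_DOMAIN", true, false);
        System.out.println(policy.decide("/portal/default-page.psml", "SOME_DOMAIN\\alice"));
        System.out.println(policy.decide("/portal/default-page.psml", "other_domain\\alice"));
        System.out.println(policy.decide("/portal/default-page.psml", null));
        System.out.println(policy.decide("/login/login", null));

        // Same settings with "NTLM Authorization required" set to true
        NtlmPrincipalPolicy strict = new NtlmPrincipalPolicy(
                Arrays.asList("/login/login"), "SOME_DOMAIN", true, true);
        System.out.println(strict.decide("/portal/default-page.psml", null));
    }
}
```

The point of the toPrincipal rule is the security property behind the "omit domain" flag: stripping the domain from every account would make SOME_DOMAIN\alice and OTHER_DOMAIN\alice the same portal user, so the example strips the prefix only when it equals the configured domain and otherwise keeps the qualified name. The main method contrasts the lenient configuration shown on this page (requests without NTLM credentials fall back to the login page) with the strict one (they are denied, except on the ignored login URL).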