NTLM HTTP Authentication

  • Tags: security
  • Latest: 0.6
  • Last Updated: 17 November 2010
  • Grails version: 1.1 > *
Dependency:
compile ":ntlm-auth:0.6"


Summary

Installation

To install type:
grails install-plugin ntlm-auth

Description

NTLM Authentication Plugin

Overview

Sometimes, web applications on a corporate network are required to provide Single Sign-On (SSO) functionality by using the NTLM authentication and session security protocols. Microsoft Internet Explorer and Firefox (after some tweaking) can negotiate NTLM password hashes over an HTTP session, relieving the user from entering a username and password if their workstation is a member of the domain.

This plugin provides this functionality by creating a filter that authenticates users against a domain. It uses the jCIFS library for NTLM authentication. The filter and configuration parameters are described here.

Currently, this plugin only works with NTLMv1, as it uses jCIFS and its NtlmHttpFilter.

Usage

  1. Install the plugin:
    grails install-plugin ntlm-auth
  2. Add the configuration file:
    grails install-ntlm-auth-config
    to install the config file in grails-app/conf/NtlmAuthConfig.groovy.
  3. Configure the NTLM parameters.

Configuration

Enter the required data in the NtlmAuthConfig.groovy configuration file.

jcifs.http.domainController = 'DC ADDRESS'
jcifs.smb.client.domain = 'A DOMAIN'
jcifs.smb.client.username = 'USERNAME'
jcifs.smb.client.password = 'PASSWORD'

where jcifs.http.domainController is the IP address of any SMB server that should be used to authenticate HTTP clients and jcifs.smb.client.domain is the NT domain against which clients should be authenticated.

The plugin supports environment-based configuration, so this will work:

environments {
    development {
        jcifs {
            http.domainController = 'DC ADDRESS'
            smb.client.domain = 'A DOMAIN'
            smb.client.username = 'USERNAME'
            smb.client.password = 'PASSWORD'
        }
    }
    production {
        jcifs {
            http.domainController = 'PROD DC ADDRESS1,DS ADDRESS2'
            smb.client.domain = 'PROD DOMAIN'
            smb.client.username = 'USERNAME'
            smb.client.password = 'PASSWORD'
        }
    }
}

The plugin can be disabled by setting the active property to false (the plugin is active by default):

active = false
jcifs {
    ....
}

It is also possible to configure the plugin via Config.groovy. Configuration parameters need to be prefixed with ntlmAuth:

ntlmAuth.jcifs.http.domainController = 'DC ADDRESS'
ntlmAuth.jcifs.smb.client.domain = 'A DOMAIN'
ntlmAuth.jcifs.smb.client.username = 'USERNAME'
ntlmAuth.jcifs.smb.client.password = 'PASSWORD'

Configuration in Config.groovy overrides the one in NtlmAuthConfig.groovy.

For more information about NTLM configuration parameters please see here.
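
The settings above include the password of a domain account in a file that normally lives in source control and ships inside the WAR. The following added example (not part of the plugin's documentation or its generated template) reads the account name and password from the process environment instead. It assumes the plugin evaluates NtlmAuthConfig.groovy as an ordinary Groovy configuration script, and the environment variable names NTLM_SVC_USER and NTLM_SVC_PASSWORD are hypothetical names chosen for this example.

```groovy
// grails-app/conf/NtlmAuthConfig.groovy
// Added example: keeps the jCIFS account credentials out of the source tree.
// NTLM_SVC_USER and NTLM_SVC_PASSWORD are assumed environment variable
// names supplied by the deployment; they are not plugin settings.
// System.getenv() returns null when a variable is not set.

environments {
    development {
        jcifs {
            http.domainController = 'DC ADDRESS'
            smb.client.domain = 'A DOMAIN'
            // Before: smb.client.password = 'PASSWORD' (literal in the file)
            smb.client.username = System.getenv('NTLM_SVC_USER')
            smb.client.password = System.getenv('NTLM_SVC_PASSWORD')
        }
    }
    production {
        jcifs {
            http.domainController = 'PROD DC ADDRESS1,DS ADDRESS2'
            smb.client.domain = 'PROD DOMAIN'
            // Use a separate, low-privilege account per environment so a
            // leaked development credential is not valid in production.
            smb.client.username = System.getenv('NTLM_SVC_USER')
            smb.client.password = System.getenv('NTLM_SVC_PASSWORD')
        }
    }
}
```

Because Config.groovy overrides this file, check that no ntlmAuth.jcifs.smb.client.password entry with a literal value remains there.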

The authenticated user that makes the request can be accessed through request.remoteUser.

History

0.6 (2010-11-17)

  • ntlm-auth now handles insertion into the web descriptor's filter-mapping better. It places itself after Spring's character encoding filter more reliably.
  • Fixed a long-standing bug/typo in catching the exception during configuration reading (thanks to Andrei Papkov).

0.5 (2009-10-18)

  • Added the configuration parameter active.
  • Configuration can also be done in Config.groovy.
  • The NTLM authentication filter is placed after the Spring character encoding filter.

0.4

Initial public release