https://issues.apache.org/bugzilla/show_bug.cgi?id=46323
--- Comment #4 from Candid Dauth <cdauth+issues.apache....@cdauth.de> 2010-02-11 12:38:42 UTC ---

If I understand it right, an NTLM token (or whatever you call it) consists of the encrypted username and password (and in NTLMv2 the hostname you authenticate to). When I want to log on to an SMB share with a user whose password I don't know, I cannot forge his NTLM token because I don't know his password. If I try to log on with an NTLM token that in fact contains the correct username, Windows will (at least I suppose so) check the token for the right password.

Do you, in your code, perform a validation anywhere, or do you just extract the username out of the NTLM token? Can I create an NTLM token with the right username but a wrong password and the login will still work?

If so (and I could not find any validation in your code), this authenticator is only applicable for information, not for authentication/authorisation, thus I would not include it in the Tomcat distribution to avoid confusion.
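The distinction the comment raises, extracting a user name from an NTLM Type 3 (AUTHENTICATE) message versus actually validating it, is shown below in an added Python example. This is editorial example code, not code from the Tomcat bug or from the authenticator under discussion. In the message the user name and domain are plain UTF-16LE fields; only the NtChallengeResponse proves knowledge of the password, and checking it requires the account's NT hash (or a domain controller holding it). The example assumes NTLMv2, takes the NT hash directly as the stored credential (the MD4 step from password to NT hash is left out), constructs its own sample challenge, hash and messages, and follows the MS-NLMP field layout without handling negotiate flags or session keys.

```python
"""Added example: why reading the NTLM user name field is not authentication.

Assumptions (not from the bug report): NTLMv2 only; the stored credential is
the NT hash itself; no negotiate flags, LM response or session key handling.
All challenges, hashes and names below are constructed sample values.
"""
import hashlib
import hmac
import struct
from typing import Callable, Optional

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || client blob)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def client_blob(client_challenge: bytes, timestamp: int = 0) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, 6 reserved, timestamp,
    8-byte client nonce, 4 reserved, then an AV_PAIR list ending in MsvAvEOL."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + struct.pack("<HH", 0, 0))


def build_authenticate(user: str, domain: str, nt_response: bytes) -> bytes:
    """Minimal Type 3 message: signature, type, six (len, maxlen, offset)
    descriptors (LM, NT, domain, user, workstation, session key), flags, payload."""
    fields = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    offset = 8 + 4 + 6 * 8 + 4          # payload starts right after the fixed header
    descriptors, payload = b"", b""
    for f in fields:
        descriptors += struct.pack("<HHI", len(f), len(f), offset)
        payload += f
        offset += len(f)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors + struct.pack("<I", 0) + payload


def parse_authenticate(msg: bytes) -> dict:
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE message")

    def field(i: int) -> bytes:
        length, _, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[off:off + length]

    return {"nt_response": field(1),
            "domain": field(2).decode("utf-16-le"),
            "user": field(3).decode("utf-16-le")}


def username_only(msg: bytes) -> str:
    """The behaviour the comment suspects: trust the plaintext name field as-is."""
    return parse_authenticate(msg)["user"]


def verify(msg: bytes, server_challenge: bytes,
           nt_hash_for: Callable[[str, str], Optional[bytes]]) -> Optional[str]:
    """Real check: recompute NTProofStr with the stored NT hash for the claimed
    account and compare in constant time. Returns the user name or None."""
    p = parse_authenticate(msg)
    resp = p["nt_response"]
    if len(resp) < 16 + 32:              # 16-byte proof plus the minimum blob
        return None
    nt_hash = nt_hash_for(p["domain"], p["user"])
    if nt_hash is None:
        return None
    expected = nt_proof(nt_hash, p["user"], p["domain"], server_challenge, resp[16:])
    return p["user"] if hmac.compare_digest(expected, resp[:16]) else None


# --- constructed sample data (not real credentials) ---
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
TRUE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for MD4(password)
USER, DOMAIN = "alice", "EXAMPLE"


def lookup(domain: str, user: str) -> Optional[bytes]:
    """Stand-in for the credential store a verifier must consult."""
    return TRUE_NT_HASH if (domain, user) == (DOMAIN, USER) else None


def make_token(nt_hash: bytes) -> bytes:
    """Client side: an AUTHENTICATE message for USER@DOMAIN using the given NT hash."""
    blob = client_blob(b"\x11" * 8)
    return build_authenticate(USER, DOMAIN, nt_proof(nt_hash, USER, DOMAIN, SERVER_CHALLENGE, blob) + blob)


if __name__ == "__main__":
    good = make_token(TRUE_NT_HASH)
    bad = make_token(bytes(16))           # same user name, wrong credential
    for label, tok in (("correct credential", good), ("wrong credential", bad)):
        print(f"{label}: username_only -> {username_only(tok)!r}, "
              f"verify -> {verify(tok, SERVER_CHALLENGE, lookup)!r}")
```

Running it shows `username_only` returning `'alice'` for both messages while `verify` accepts only the one built with the stored NT hash; a token bound to a different server challenge is also rejected. An authenticator that stops at `username_only` provides the information the commenter describes, not authentication.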