Jespa - Java Active Directory Integration
Jespa is a Java software library that provides advanced integration between Microsoft Active Directory and Java applications.
The centerpiece of the Jespa library is its implementation of the NTLM protocol. Jespa has the best 100% Java implementation of the NTLM protocol available anywhere.
Jespa matches the functionality of the Windows NTLM SSP and supports all security policies exhibited by Windows clients and servers.
Jespa fully implements NTLMv2 and uses it by default when acting as an initiator or acceptor.
Some of the things that you can do with Jespa include:
- Implement NTLM Single Sign-On (SSO) for HTTP servers
- Check Windows group membership
- Enable NTLM authentication with AD using a JAAS LoginModule
- Add NTLM to the builtin HTTP stack or another HTTP client
- Use NTLM with SASL clients and SASL servers
- Add NTLM to the standard JNDI LDAP client
- Easily authenticate and encrypt network communication
- Create advanced and custom solutions using our intuitive "security provider" API
NTLMv2 and NTLM2 Session Security
Many financial and government sites now require NTLMv2 and specifically disallow the older DES-based NTLMv1. Jespa matches the functionality of the Windows NTLM SSP and uses NTLMv2 with NTLM2 integrity and confidentiality by default. Jespa supports and uses the highest LmCompatibilityLevel, NtlmMinServerSec / NtlmMinClientSec and all permutations of NTLM that may be required by AD security policy for Windows Server 2008.
NTLM HTTP Single Sign-On (SSO) Authentication
Many web browsers support a type of Single Sign-On (SSO) authentication that uses NTLM. This is a highly desirable feature because users do not need to enter their password at all. The website automatically authenticates the client and acquires information about the user, like their username and what groups they're in. This type of functionality is easy with Jespa's HTTP servlet filter. When acting as a server, Jespa uses the NETLOGON service to properly validate credentials with Active Directory (more on that below). The Jespa HTTP servlet filter supports Windows group access control, form-based logins (and a corresponding logout feature), anonymous access, an excludes list and much more. See the HttpSecurityFilter section in the Jespa Operator's Manual for details.
Windows Group Based Access Control
Jespa can check a user's group membership using standard Windows group names like:
    if (request.isUserInRole("EXAMPLE\\Engineers")) {
        // Only users in the Engineers group will be able to do this
    }
These checks are extremely fast. The user's fully expanded list of group SIDs is acquired during NETLOGON authentication. Once the group names within your code or configs have been translated into Windows SIDs, they are cached for subsequent access checks. This means that group-based access checks almost never require communication with the domain controller until the application is restarted.
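As an added example (not Jespa's own code), here is a servlet that applies the group check above in a deny-by-default way. It assumes the Jespa HttpSecurityFilter is mapped in web.xml in front of this servlet and has already populated the request principal; "EXAMPLE" is a placeholder domain and the group names are constructed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not part of Jespa. Assumes the Jespa HttpSecurityFilter
 * (mapped in web.xml ahead of this servlet) has authenticated the user via
 * NTLM. Group names use the Windows DOMAIN\Group form; "EXAMPLE" is a
 * placeholder domain.
 */
public class EngineeringReportServlet extends HttpServlet {

    // Deny by default: only members of these constructed groups may proceed.
    private static final String[] ALLOWED_GROUPS = {
        "EXAMPLE\\Engineers",
        "EXAMPLE\\Engineering Managers"
    };

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // If the filter did not run (misordered mapping, excluded path), there
        // is no principal; refuse rather than serving the page anonymously.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!isAllowed(request)) {
            // Record the denial server-side; the client gets no group details.
            log("denied " + request.getRemoteUser() + " for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Engineering report for " + request.getRemoteUser());
    }

    // The SID translation and caching described above happen inside
    // isUserInRole, so iterating a short allowlist costs no directory traffic.
    static boolean isAllowed(HttpServletRequest request) {
        for (String group : ALLOWED_GROUPS) {
            if (request.isUserInRole(group)) {
                return true;
            }
        }
        return false;
    }
}
```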
Server-Side NTLM Authentication using the NETLOGON Service
Jespa can perform NTLM authentication as a server as well as a client, and it does so just like Windows: it uses the NETLOGON service with Secure Channel encryption.
An HTTP servlet filter, SASL server and JAAS LoginModule are included with Jespa that use the NTLM security provider by default.
For example, a Windows SASL client that uses the Windows NTLM SSP can authenticate with the Jespa SASL server and will automatically use the highest level of message integrity and confidentiality.
NTLM Authentication for HTTP Clients
Jespa includes an HTTP URL "handler" that allows the standard URL class to be used to retrieve NTLM protected resources on HTTP servers. The Jespa HttpURLConnection class can also be used directly. The Jespa NTLM security provider could be used to generate and consume the NTLMSSP tokens necessary to add NTLM authentication to virtually any HTTP client (or server).
JNDI NTLM Authentication and Channel Security
Jespa provides implementations of Java's SASL SPI for both the client and server that use the Jespa NTLM security provider by default. JCA factory classes are also provided to register the Jespa SASL implementation with Java so that it will be used by JNDI for LDAP communication. This means Jespa enables JNDI LDAP code to authenticate with Active Directory and encrypt all communication (which is frequently required by AD security policy).
Custom NTLM Solutions
Jespa can be used to create custom NTLM solutions. Jespa abstracts all security-related operations in an easy-to-use "security provider" API. The NTLM security provider can be extended to authenticate NTLM clients against a local store of passwords and optionally fall back to the NETLOGON service.