I'm having some issues with jcifs picking up the wrong authenticated user. I suspect it is related to the "flow" of the application. I'll give as much background as I think is needed, but please let me know if you need more, and maybe point me in the right direction. This is a third-party packaged application, so I don't have access to any of the servlet code.

First For Reference - Versions:
-JCIFS 1.3.17
-Java 1.7.0_42

The general flow/container layout of this application is such:

/servlet
-ext.min.js
*XMLHttpRequest -> /invokeSession.jsp

Within invokeSession.jsp, we are attempting to grab the "remote user" from the Session. However, what we're seeing is that the result returned for the remote user is the "admin" account that was used to fire up the 3rd party services (Tomcat underneath). For example, User XXX is logged into the desktop. When they hit the application, the logs are showing that User YYY (the admin account that the Java services are running under) was authorized by JCIFS.

JCIFS is configured as below in the web.xml:

<filter>
	<filter-name>NtlmHttpFilter</filter-name>
	<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
	<init-param>
		<param-name>jcifs.http.domainController</param-name>
		<param-value>X.X.X.X</param-value>
	</init-param>
	<init-param>
		<param-name>jcifs.util.loglevel</param-name>
		<param-value>10</param-value>
	</init-param>
</filter>
<filter-mapping>
	<filter-name>NtlmHttpFilter</filter-name>
	<url-pattern>/invokeSession.jsp</url-pattern>
</filter-mapping>

The XMLHttpRequest is formatted as such from within ext.min.js, but I have left out a lot of the ancillary code:

xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "/invokeSession.jsp", false);
xmlhttp.setRequestHeader("Method", "POST " + "/invokeSession.jsp" + " HTTP/1.1");
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");

The relevant code from invokeSession.jsp that is getting the remote user is:

String auth = request.getHeader("Authorization");
String user_str = " ";
String username = " ";
String domain = " ";
String browserType = (String)request.getHeader("User-Agent");
Cookie[] cookies2 = request.getCookies();
 
String browser = "other";
if (browserType.indexOf("MSIE") > 0 )
  {
    browser = "MSIE";
  }
if (browserType.indexOf("CHROME") > 0 )
  {
    browser = "Chrome";
  }
if (cookies2 != null)
  {
    for(int loopIndex = 0; loopIndex < cookies2.length; loopIndex++)
      {
        if (cookies2[loopIndex].getName().equals("sessionId"))
          {
            String sid = cookies2[loopIndex].getValue();
            if (sid.length() >= 10)
              {
                out.println("0");
                return;
              }
          }
      }
  }
user_str = request.getRemoteUser();
String [] tokens = user_str.split("[\\\\]");
int num_tokens = tokens.length;
if (num_tokens == 1 )
  {
    username = tokens[0];
    domain = "NONE";
  }
else
  {
    domain = tokens[0];
    username = tokens[1];
  }
boolean initialized = false;
if( username != null && username.length() > 0 )
  {
    try
    {
 	 	...
    }
    catch( Exception e )
    {
      e.printStackTrace();
    }
  }
out.println("0");

The username always comes back null, but in the application logs we can see the debug output of JCIFS that is showing the admin user that started the application server. So, my main questions are why remoteUser is coming back null from invokeSession, and why JCIFS is authenticating the wrong user?
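
One way to check which account a client actually presented to the NtlmHttpFilter is to capture the `Authorization: NTLM ...` header that invokeSession.jsp already reads and decode it offline. The script below is an added example, not part of the original post and not JCIFS code; the function names and the sample values (CORP, userxxx, DESKTOP01) are constructed for illustration, and it assumes a Type 3 message with the 64-byte header that includes the flags field.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise

def _field(msg, pos):
    """Return the bytes of the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def describe_ntlm_header(header_value):
    """Decode an 'Authorization: NTLM ...' value; for Type 3, report the account."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        return {"type": msg_type}  # Type 1 (negotiate) carries no user name
    if len(msg) < 64:
        raise ValueError("Type 3 message shorter than the 64-byte header assumed here")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: OEM strings are shown as ASCII with replacement characters.
    def text(raw):
        if flags & NEGOTIATE_UNICODE:
            return raw.decode("utf-16-le", errors="replace")
        return raw.decode("ascii", errors="replace")
    return {"type": 3, "domain": text(_field(msg, 28)),
            "user": text(_field(msg, 36)), "workstation": text(_field(msg, 44))}

def build_sample(domain, user, workstation):
    """Constructed Type 3 message with empty responses, for demonstration only."""
    parts = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    header, payload, offset = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for part in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")

if __name__ == "__main__":
    print(describe_ntlm_header(build_sample("CORP", "userxxx", "DESKTOP01")))
```

Comparing the decoded domain, user and workstation with the desktop login shows whether the unexpected account is already in the request that reaches the filter or only appears after it.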