RE: Struts forwards and jCIFS NTLM

Attached is a ZIP (rename firewall-defeating .pdf extension to .zip) file containing a "fix" (there's probably a better way to accomplish it).

 
In brief, I simply surrounded the SmbSession.logon(dc, ntlm); call in NtlmHttpFilter.java with the following:

=======================================================
final String AUTHED = "NtlmHttpAuthenticated";
String authed = (String) req.getAttribute(AUTHED);

if (authed == null || authed.trim().equals("")) {
    SmbSession.logon(dc, ntlm);
}

req.setAttribute(AUTHED, AUTHED);
=======================================================

Will a fix for this issue make it into 1.2.7?

Thanks

________________________________

From: jcifs-bounces+jmahoney=ditech.com@xxxxxxxxxxxxxxx
Sent: Friday, November 18, 2005 10:59 AM
To: jcifs@xxxxxxxxxxxxxxx
Subject: RE: [jcifs] Struts forwards and jCIFS NTLM

I've attached a WAR that I've used to verify that NtlmHttpFilter does not work properly on servlet containers that reprocess filters during a RequestDispatcher#forward() request. You will need to add jcifs-1.2.6.jar into the WEB-INF/lib directory for the WAR to function.

Also, I found the following link interesting:
http://www.caucho.com/support/resin-interest/0208/0203.html

I'm using WebLogic 8.1.

Can anyone else verify my findings?

________________________________

From: jcifs-bounces+jmahoney=ditech.com@xxxxxxxxxxxxxxx
Sent: Tuesday, November 15, 2005 8:05 PM
To: jcifs@xxxxxxxxxxxxxxx
Subject: [jcifs] Struts forwards and jCIFS NTLM

We are experiencing the following issue with jCIFS 1.2.6 and Struts 1.1:

A "forward" in Struts actually causes the ServletRequest to get reprocessed through the filter chain, with headers from the most recent browser request intact (in this case, including the Type 3 message).

It appears NtlmHttpFilter is attempting to re-authenticate and since no 'NtlmHttpChal' session attribute exists (after being removed from the first successful authentication), a new 'NtlmHttpChal' token is created and set in the session. Unfortunately this new challenge token obviously does not match the existing Type 3 message's token, and thus the subsequent call to SmbSession.logon() fails. After enough of these failures, the account is locked out due to security policy.

Is there a known workaround to this? I was thinking a programmatic fix would be to set a request attribute indicating authentication had already occurred.

This is happening on GETs, not POSTs, btw.

Thanks

 

jCIFStest.pdf
Description: Binary data