RE: Struts forwards and jCIFS NTLM

I've attached a WAR that I've used to verify that NtlmHttpFilter does not work properly on servlet containers that reprocess filters during a RequestDispatcher#forward() request. You will need to add jcifs-1.2.6.jar into the WEB-INF/lib directory for the WAR to function.

Also, I found the following link interesting:
http://www.caucho.com/support/resin-interest/0208/0203.html

I'm using WebLogic 8.1.

Can anyone else verify my findings?

________________________________

From: jcifs-bounces+jmahoney=ditech.com@xxxxxxxxxxxxxxx
Sent: Tuesday, November 15, 2005 8:05 PM
To: jcifs@xxxxxxxxxxxxxxx
Subject: [jcifs] Struts forwards and jCIFS NTLM

We are experiencing the following issue with jCIFS 1.2.6 and Struts 1.1:

A "forward" in Struts actually causes the ServletRequest to get reprocessed through the filter chain, with headers from the most recent browser request intact (in this case, including the Type 3 message).

It appears NtlmHttpFilter is attempting to re-authenticate and since no 'NtlmHttpChal' session attribute exists (after being removed from the first successful authentication), a new 'NtlmHttpChal' token is created and set in the session. Unfortunately this new challenge token obviously does not match the existing Type 3 message's token, and thus the subsequent call to SmbSession.logon() fails. After enough of these failures, the account is locked out due to security policy.

Is there a known workaround to this? I was thinking a programmatic fix would be to set a request attribute indicating authentication had already occurred.

This is happening on GETs, not POSTs, btw.

Thanks

 

jCIFStest.war
Description: Binary data