Bug in NtlmHttpFilter

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug in NtlmHttpFilter

Iliya Roubin
I have deployed the NtlmHttpFilter with the same configuration as
described in http://jcifs.samba.org/src/docs/ntlmhttpauth.html:

<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>MYDOMAIN</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.netbios.wins</param-name>
        <param-value>server1,server2</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

With IE and FireFox everything works fine (I can see that logon requests
are load balanced between server1 and server2), but with Safari and
Konqueror I get the following exception:

jcifs.smb.SmbException:
java.lang.ArrayIndexOutOfBoundsException
    at java.lang.System.arraycopy(Native Method)
    at jcifs.smb.SigningDigest.<init>(SigningDigest.java:42)
    at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:260)
    at jcifs.smb.SmbSession.send(SmbSession.java:223)
    at jcifs.smb.SmbTree.treeConnect(SmbTree.java:144)
    at jcifs.smb.SmbSession.logon(SmbSession.java:161)
    at jcifs.smb.SmbSession.logon(SmbSession.java:154)
    at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:182)
    at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
    at
com.atlassian.jira.web.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:25)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:37)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:91)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.jira.web.filters.gzip.GzipFilter.doFilter(GzipFilter.java:72)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
    at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)

    at jcifs.smb.SigningDigest.<init>(SigningDigest.java:59)
    at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:260)
    at jcifs.smb.SmbSession.send(SmbSession.java:223)
    at jcifs.smb.SmbTree.treeConnect(SmbTree.java:144)
    at jcifs.smb.SmbSession.logon(SmbSession.java:161)
    at jcifs.smb.SmbSession.logon(SmbSession.java:154)
    at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:182)
    at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
    at
com.atlassian.jira.web.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:25)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:37)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:91)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.jira.web.filters.gzip.GzipFilter.doFilter(GzipFilter.java:72)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
    at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)

Reply | Threaded
Open this post in threaded view
|

Re: Bug in NtlmHttpFilter

Michael B Allen-4
On Thu, 23 Mar 2006 16:55:46 +0300
Iliya Roubin <[hidden email]> wrote:

> I have deployed the NtlmHttpFilter with the same configuration as
> described in http://jcifs.samba.org/src/docs/ntlmhttpauth.html:
>
> <filter>
>     <filter-name>NtlmHttpFilter</filter-name>
>     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>
>     <init-param>
>         <param-name>jcifs.smb.client.domain</param-name>
>         <param-value>MYDOMAIN</param-value>
>     </init-param>
>     <init-param>
>         <param-name>jcifs.netbios.wins</param-name>
>         <param-value>server1,server2</param-value>
>     </init-param>
> </filter>
>
> <filter-mapping>
>     <filter-name>NtlmHttpFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> With IE and FireFox everything works fine (I can see that logon requests
> are load balanced between server1 and server2), but with Safari and
> Konqueror I get the following exception:
>
> jcifs.smb.SmbException:
> java.lang.ArrayIndexOutOfBoundsException
>     at java.lang.System.arraycopy(Native Method)
>     at jcifs.smb.SigningDigest.<init>(SigningDigest.java:42)
>     at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:260)

Strange. This looks like the SmbTransport.server.encryptionKey is not
being initialized properly.

Do Safari and Konqueror support NTLM HTTP authentication? Regardless the
code should be debugged further to determine where the initialization
failure is occurring and either fix it or throw a more appropriate
exception. I'll add this to The List but I can't guarantee I will perform
the necessary work to include a fix. I don't think I have Konqueror and
I'm not certain I want to mess up my mac trying to figure out how to
join it to the domain.

If you perform a more detailed analysis please let us know.

Mike