Struts forwards and jCIFS NTLM

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Struts forwards and jCIFS NTLM

Justin Mahoney
Struts forwards and jCIFS NTLM

We are experiencing the following issue with jCIFS 1.2.6 and Struts 1.1:

A "forward" in Struts actually causes the ServletRequest to get reprocessed through the filter chain, with headers from the most recent browser request intact (in this case, including the Type 3 message).

It appears NtlmHttpFilter is attempting to re-authenticate and since no 'NtlmHttpChal' session attribute exists (after being removed from the first successful authentication), a new 'NtlmHttpChal' token is created and set in the session. Unfortunately this new challenge token obviously does not match the existing Type 3 message's token, and thus the subsequent call to SmbSession.logon() fails. After enough of these failures, the account is locked out due to security policy.

Is there a known workaround to this? I was thinking a programmatic fix would be to set a request attribute indicating authentication had already occurred.

This is happening on GETs, not POSTs, btw.

Thanks

Reply | Threaded
Open this post in threaded view
|

RE: Struts forwards and jCIFS NTLM

Justin Mahoney
RE: [jcifs] Struts forwards and jCIFS NTLM

I've attached a WAR that I've used to verify that NtlmHttpFilter does not work properly on servlet containers that reprocess filters during a RequestDispatcher#forward() request. You will need to add jcifs-1.2.6.jar into the WEB-INF/lib directory for the WAR to function.

Also, I found the following link interesting:
http://www.caucho.com/support/resin-interest/0208/0203.html

I'm using WebLogic 8.1.

Can anyone else verify my findings?



________________________________

From: jcifs-bounces+jmahoney=[hidden email]
Sent: Tuesday, November 15, 2005 8:05 PM
To: [hidden email]
Subject: [jcifs] Struts forwards and jCIFS NTLM



We are experiencing the following issue with jCIFS 1.2.6 and Struts 1.1:

A "forward" in Struts actually causes the ServletRequest to get reprocessed through the filter chain, with headers from the most recent browser request intact (in this case, including the Type 3 message).

It appears NtlmHttpFilter is attempting to re-authenticate and since no 'NtlmHttpChal' session attribute exists (after being removed from the first successful authentication), a new 'NtlmHttpChal' token is created and set in the session. Unfortunately this new challenge token obviously does not match the existing Type 3 message's token, and thus the subsequent call to SmbSession.logon() fails. After enough of these failures, the account is locked out due to security policy.

Is there a known workaround to this? I was thinking a programmatic fix would be to set a request attribute indicating authentication had already occurred.

This is happening on GETs, not POSTs, btw.

Thanks

 


jCIFStest.war (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: Struts forwards and jCIFS NTLM

Justin Mahoney
In reply to this post by Justin Mahoney
RE: [jcifs] Struts forwards and jCIFS NTLM

Attached is a ZIP (rename firewall-defeating .pdf extension to .zip) file containing a "fix" (there's probably a better way to accomplish it).

 
In brief, I simply surrounded the SmbSession.logon(dc, ntlm); call in NtlmHttpFilter.java with the following:

=======================================================
final String AUTHED = "NtlmHttpAuthenticated";
String authed = (String) req.getAttribute(AUTHED);

if (authed == null || authed.trim().equals("")) {
    SmbSession.logon(dc, ntlm);
}

req.setAttribute(AUTHED, AUTHED);
=======================================================

Will a fix for this issue make it into 1.2.7?

Thanks


________________________________

From: jcifs-bounces+jmahoney=[hidden email]
Sent: Friday, November 18, 2005 10:59 AM
To: [hidden email]
Subject: RE: [jcifs] Struts forwards and jCIFS NTLM



I've attached a WAR that I've used to verify that NtlmHttpFilter does not work properly on servlet containers that reprocess filters during a RequestDispatcher#forward() request. You will need to add jcifs-1.2.6.jar into the WEB-INF/lib directory for the WAR to function.

Also, I found the following link interesting:
http://www.caucho.com/support/resin-interest/0208/0203.html

I'm using WebLogic 8.1.

Can anyone else verify my findings?



________________________________

From: jcifs-bounces+jmahoney=[hidden email]
Sent: Tuesday, November 15, 2005 8:05 PM
To: [hidden email]
Subject: [jcifs] Struts forwards and jCIFS NTLM



We are experiencing the following issue with jCIFS 1.2.6 and Struts 1.1:

A "forward" in Struts actually causes the ServletRequest to get reprocessed through the filter chain, with headers from the most recent browser request intact (in this case, including the Type 3 message).

It appears NtlmHttpFilter is attempting to re-authenticate and since no 'NtlmHttpChal' session attribute exists (after being removed from the first successful authentication), a new 'NtlmHttpChal' token is created and set in the session. Unfortunately this new challenge token obviously does not match the existing Type 3 message's token, and thus the subsequent call to SmbSession.logon() fails. After enough of these failures, the account is locked out due to security policy.

Is there a known workaround to this? I was thinking a programmatic fix would be to set a request attribute indicating authentication had already occurred.

This is happening on GETs, not POSTs, btw.

Thanks

 


jCIFStest.pdf (24K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Struts forwards and jCIFS NTLM

Michael B Allen-4
On Fri, 18 Nov 2005 12:09:13 -0800
Justin Mahoney <[hidden email]> wrote:

> Attached is a ZIP (rename firewall-defeating .pdf extension to .zip) file
> containing a "fix" (there's probably a better way to accomplish it).
>  
> In brief, I simply surrounded the SmbSession.logon(dc, ntlm); call in
> NtlmHttpFilter.java with the following:
>
> =======================================================
> final String AUTHED = "NtlmHttpAuthenticated";
> String authed = (String) req.getAttribute(AUTHED);
>
> if (authed == null || authed.trim().equals("")) {
>     SmbSession.logon(dc, ntlm);
> }
>
> req.setAttribute(AUTHED, AUTHED);
> =======================================================
>
> Will a fix for this issue make it into 1.2.7?

Sorry, no. Unfortunately I don't have a suitable environment with which
to test this. I'll put it on The List for future reference though.

Mike