jcifs loses post parameters

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

jcifs loses post parameters

Abhijeet Sarwate
I use JCIFS for NTLM authentication in my app in following way :
 
if user is already logged in the domain don't call JCIFS, call next filter
else
   call JCIFS filter to authenticate user
 
 
Now what happens is, if the user is already authenticated and user has  a request that contains POST data, it still tries to authenticate and during that process it loses all the POST data.
 
Here is the code snipppet:
 

     HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse resp = (HttpServletResponse)response;
       
        HttpSession session = req.getSession(true);

        NtlmPasswordAuthentication ntlmPrincipal =
            (NtlmPasswordAuthentication) session.getAttribute("ntlmPrincipal");       
       
        if (ntlmPrincipal  == null) {
            ntlmPrincipal = negotiate(req, resp, false);
            if (ntlmPrincipal  == null) {
             LOG.error("Unable to authenticate user....(null): " + req.getRemoteUser() );
                return;
            }else{
             session.setAttribute ("ntlmPrincipal",ntlmPrincipal);
             LOG.error("authenticated user....: " +ntlmPrincipal.getUsername() );
            }
        }else{
            LOG.debug("User is already authenticated :" + ntlmPrincipal.getUsername());
        }
        
        chain.doFilter(new CECHttpServletRequest (req, ntlmPrincipal), response);
    }

Is this expected ?

Reply | Threaded
Open this post in threaded view
|

RE: jcifs loses post parameters

Tapperson Kevin
See:
and:
 


From: jcifs-bounces+kevin.tapperson=[hidden email] [mailto:jcifs-bounces+kevin.tapperson=[hidden email]] On Behalf Of Abhijeet Sarwate
Sent: Tuesday, January 24, 2006 9:22 AM
To: [hidden email]
Subject: [jcifs] jcifs loses post parameters

I use JCIFS for NTLM authentication in my app in following way :
 
if user is already logged in the domain don't call JCIFS, call next filter
else
   call JCIFS filter to authenticate user
 
 
Now what happens is, if the user is already authenticated and user has  a request that contains POST data, it still tries to authenticate and during that process it loses all the POST data.
 
Here is the code snipppet:
 

     HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse resp = (HttpServletResponse)response;
       
        HttpSession session = req.getSession(true);

        NtlmPasswordAuthentication ntlmPrincipal =
            (NtlmPasswordAuthentication) session.getAttribute("ntlmPrincipal");       
       
        if (ntlmPrincipal  == null) {
            ntlmPrincipal = negotiate(req, resp, false);
            if (ntlmPrincipal  == null) {
             LOG.error("Unable to authenticate user....(null): " + req.getRemoteUser() );
                return;
            }else{
             session.setAttribute ("ntlmPrincipal",ntlmPrincipal);
             LOG.error("authenticated user....: " +ntlmPrincipal.getUsername() );
            }
        }else{
            LOG.debug("User is already authenticated :" + ntlmPrincipal.getUsername());
        }
        
        chain.doFilter(new CECHttpServletRequest (req, ntlmPrincipal), response);
    }

Is this expected ?

Reply | Threaded
Open this post in threaded view
|

Re: jcifs loses post parameters

Michael B Allen-4
On Tue, 24 Jan 2006 09:36:21 -0600
"Tapperson Kevin" <[hidden email]> wrote:

> See:
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
> <http://jcifs.samba.org/src/docs/ntlmhttpauth.html>
>
> and:
>  
> http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfilter

Man this IE preemtive auth is a pain. Heres the KB article about it:

  http://support.microsoft.com/?id=251404

What I would like to know is what exactly IIS does if you perform the
server side solution mentioned:

 * Configure the Web site to permit both anonymous access and NLTM
   authentication (Integrated Windows authentication).

Even if anonymous access is enabled, why would that stop IE from
preemtively trying to authenticate?

Mike
Reply | Threaded
Open this post in threaded view
|

Re: jcifs loses post parameters

Abhijeet Sarwate
Hi Mike
 
I have seen both the posts before. Where would you put that filter ? Inplace or after etc ?
 
Let me know
 
thanks for the quick response

 
On 1/24/06, Michael B Allen <[hidden email]> wrote:
On Tue, 24 Jan 2006 09:36:21 -0600
"Tapperson Kevin" <[hidden email]> wrote:

> See:
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
> < http://jcifs.samba.org/src/docs/ntlmhttpauth.html>
>
> and:
>
> http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfilter

Man this IE preemtive auth is a pain. Heres the KB article about it:

http://support.microsoft.com/?id=251404

What I would like to know is what exactly IIS does if you perform the
server side solution mentioned:

* Configure the Web site to permit both anonymous access and NLTM
  authentication (Integrated Windows authentication).

Even if anonymous access is enabled, why would that stop IE from
preemtively trying to authenticate?

Mike

Reply | Threaded
Open this post in threaded view
|

RE: jcifs loses post parameters

Tapperson Kevin
In reply to this post by Abhijeet Sarwate
The NTLMPostFilter that I had posted previously should be used in
conjunction with the NtlmHttpFilter.  It should be placed in the filter
chain BEFORE the NtlmHttpFilter.

-----Original Message-----
From: jcifs-bounces+kevin.tapperson=[hidden email]
[mailto:jcifs-bounces+kevin.tapperson=[hidden email]]
On Behalf Of Abhijeet Sarwate
Sent: Wednesday, January 25, 2006 10:33 AM
To: Michael B Allen
Cc: Tapperson Kevin; [hidden email]
Subject: Re: [jcifs] jcifs loses post parameters

Hi Mike
 
I have seen both the posts before. Where would you put that filter ?
Inplace or after etc ?
 
Let me know
 
thanks for the quick response

 
On 1/24/06, Michael B Allen <[hidden email]> wrote:

        On Tue, 24 Jan 2006 09:36:21 -0600
        "Tapperson Kevin" < [hidden email]
<mailto:[hidden email]> > wrote:
       
        > See:
        > http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
        > < http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<http://jcifs.samba.org/src/docs/ntlmhttpauth.html> >
        >
        > and:
        >
        >
http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil
ter
       
        Man this IE preemtive auth is a pain. Heres the KB article about
it:
       
        http://support.microsoft.com/?id=251404
       
        What I would like to know is what exactly IIS does if you
perform the
        server side solution mentioned:
       
        * Configure the Web site to permit both anonymous access and
NLTM
          authentication (Integrated Windows authentication).
       
        Even if anonymous access is enabled, why would that stop IE from

        preemtively trying to authenticate?
       
        Mike
       


Reply | Threaded
Open this post in threaded view
|

Re: jcifs loses post parameters

Abhijeet Sarwate
Kevin
 
Thanks for a very well researched solution.
 
abhijeet

 
On 1/25/06, Tapperson Kevin <[hidden email]> wrote:
The NTLMPostFilter that I had posted previously should be used in
conjunction with the NtlmHttpFilter.  It should be placed in the filter
chain BEFORE the NtlmHttpFilter.

-----Original Message-----
From: jcifs-bounces+kevin.tapperson=[hidden email]
[mailto:[hidden email]]
On Behalf Of Abhijeet Sarwate
Sent: Wednesday, January 25, 2006 10:33 AM
To: Michael B Allen
Cc: Tapperson Kevin; [hidden email]
Subject: Re: [jcifs] jcifs loses post parameters

Hi Mike

I have seen both the posts before. Where would you put that filter ?
Inplace or after etc ?

Let me know

thanks for the quick response


On 1/24/06, Michael B Allen <[hidden email]> wrote:

       On Tue, 24 Jan 2006 09:36:21 -0600
       "Tapperson Kevin" < [hidden email]
<mailto:[hidden email]> > wrote:

       > See:
       > http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
       > < http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<http://jcifs.samba.org/src/docs/ntlmhttpauth.html> >
       >
       > and:
       >
       >
http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil
ter

       Man this IE preemtive auth is a pain. Heres the KB article about
it:

       http://support.microsoft.com/?id=251404

       What I would like to know is what exactly IIS does if you
perform the
       server side solution mentioned:

       * Configure the Web site to permit both anonymous access and
NLTM
         authentication (Integrated Windows authentication).

       Even if anonymous access is enabled, why would that stop IE from

       preemtively trying to authenticate?

       Mike




Reply | Threaded
Open this post in threaded view
|

Re: jcifs loses post parameters

Abhijeet Sarwate
Hi Kevin
 
I see duplicate requests being submitted !
 
any workaround for this?
 
abhijeet

 
On 1/25/06, Abhijeet Sarwate <[hidden email]> wrote:
Kevin
 
Thanks for a very well researched solution.
 
abhijeet

 
On 1/25/06, Tapperson Kevin <[hidden email]> wrote:
The NTLMPostFilter that I had posted previously should be used in
conjunction with the NtlmHttpFilter.  It should be placed in the filter
chain BEFORE the NtlmHttpFilter.

-----Original Message-----
From: jcifs-bounces+kevin.tapperson=[hidden email]
[mailto:[hidden email]]
On Behalf Of Abhijeet Sarwate
Sent: Wednesday, January 25, 2006 10:33 AM
To: Michael B Allen
Cc: Tapperson Kevin; [hidden email]
Subject: Re: [jcifs] jcifs loses post parameters

Hi Mike

I have seen both the posts before. Where would you put that filter ?
Inplace or after etc ?

Let me know

thanks for the quick response


On 1/24/06, Michael B Allen <[hidden email]> wrote:

       On Tue, 24 Jan 2006 09:36:21 -0600
       "Tapperson Kevin" < [hidden email]
<mailto:[hidden email]> > wrote:

       > See:
       > <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post" target="_blank">http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
       > < <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html" target="_blank">http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html" target="_blank"> http://jcifs.samba.org/src/docs/ntlmhttpauth.html> >
       >
       > and:
       >
       >
<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil" target="_blank"> http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil
ter

       Man this IE preemtive auth is a pain. Heres the KB article about
it:

       <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://support.microsoft.com/?id=251404" target="_blank"> http://support.microsoft.com/?id=251404

       What I would like to know is what exactly IIS does if you
perform the
       server side solution mentioned:

       * Configure the Web site to permit both anonymous access and
NLTM
         authentication (Integrated Windows authentication).

       Even if anonymous access is enabled, why would that stop IE from

       preemtively trying to authenticate?

       Mike





Reply | Threaded
Open this post in threaded view
|

RE: jcifs loses post parameters

Tapperson Kevin
In reply to this post by Abhijeet Sarwate
You should see duplicate requests submitted.  This is how NTLM works with the HTTP post operation.
 
The first HTTP post request submitted should contain an NTLM type-1 message and NO post parameter data.  The server should respond with an HTTP 401 error response and an NTLM type-2 message.  The server should not attempt to do any sort of processing on the first request, other than rejecting it with the HTTP 401 error response.
The second post request submitted should contain an NTLM type-3 message AND the post parameter data.  The server should process this request.
 


From: Abhijeet Sarwate [mailto:[hidden email]]
Sent: Thursday, January 26, 2006 9:57 AM
To: Tapperson Kevin
Cc: [hidden email]
Subject: Re: [jcifs] jcifs loses post parameters

Hi Kevin
 
I see duplicate requests being submitted !
 
any workaround for this?
 
abhijeet

 
On 1/25/06, Abhijeet Sarwate <[hidden email]> wrote:
Kevin
 
Thanks for a very well researched solution.
 
abhijeet

 
On 1/25/06, Tapperson Kevin <[hidden email]> wrote:
The NTLMPostFilter that I had posted previously should be used in
conjunction with the NtlmHttpFilter.  It should be placed in the filter
chain BEFORE the NtlmHttpFilter.

-----Original Message-----
From: jcifs-bounces+kevin.tapperson=[hidden email]
[mailto:[hidden email]]
On Behalf Of Abhijeet Sarwate
Sent: Wednesday, January 25, 2006 10:33 AM
To: Michael B Allen
Cc: Tapperson Kevin; [hidden email]
Subject: Re: [jcifs] jcifs loses post parameters

Hi Mike

I have seen both the posts before. Where would you put that filter ?
Inplace or after etc ?

Let me know

thanks for the quick response


On 1/24/06, Michael B Allen <[hidden email]> wrote:

       On Tue, 24 Jan 2006 09:36:21 -0600
       "Tapperson Kevin" < [hidden email]
<mailto:[hidden email]> > wrote:

       > See:
       > <A onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post" target=_blank>http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
       > < <A onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html" target=_blank>http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<<A onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html" target=_blank> http://jcifs.samba.org/src/docs/ntlmhttpauth.html> >
       >
       > and:
       >
       >
<A onclick="return top.js.OpenExtLink(window,event,this)" href="http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil" target=_blank>http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil
ter

       Man this IE preemtive auth is a pain. Heres the KB article about
it:

       <A onclick="return top.js.OpenExtLink(window,event,this)" href="http://support.microsoft.com/?id=251404" target=_blank>http://support.microsoft.com/?id=251404

       What I would like to know is what exactly IIS does if you
perform the
       server side solution mentioned:

       * Configure the Web site to permit both anonymous access and
NLTM
         authentication (Integrated Windows authentication).

       Even if anonymous access is enabled, why would that stop IE from

       preemtively trying to authenticate?

       Mike





Reply | Threaded
Open this post in threaded view
|

Re: jcifs loses post parameters

Abhijeet Sarwate
Hi Kevin
 
If that was the case, then it would have been fine. But I see duplication POST request and duplication POST data. So in short two requests are submitted WITH same POST DATA
 
abhijeet

 
On 1/26/06, Tapperson Kevin <[hidden email]> wrote:
You should see duplicate requests submitted.  This is how NTLM works with the HTTP post operation.
 
The first HTTP post request submitted should contain an NTLM type-1 message and NO post parameter data.  The server should respond with an HTTP 401 error response and an NTLM type-2 message.  The server should not attempt to do any sort of processing on the first request, other than rejecting it with the HTTP 401 error response.
The second post request submitted should contain an NTLM type-3 message AND the post parameter data.  The server should process this request.
 


From: Abhijeet Sarwate [mailto:[hidden email]]
Sent: Thursday, January 26, 2006 9:57 AM
To: Tapperson Kevin
Cc: [hidden email]

Subject: Re: [jcifs] jcifs loses post parameters

 
Hi Kevin
 
I see duplicate requests being submitted !
 
any workaround for this?
 
abhijeet

 
On 1/25/06, Abhijeet Sarwate <[hidden email]> wrote:
Kevin
 
Thanks for a very well researched solution.
 
abhijeet

 
On 1/25/06, Tapperson Kevin <[hidden email]> wrote:
The NTLMPostFilter that I had posted previously should be used in
conjunction with the NtlmHttpFilter.  It should be placed in the filter
chain BEFORE the NtlmHttpFilter.

-----Original Message-----
From: jcifs-bounces+kevin.tapperson=[hidden email]
[mailto:[hidden email]]
On Behalf Of Abhijeet Sarwate
Sent: Wednesday, January 25, 2006 10:33 AM
To: Michael B Allen
Cc: Tapperson Kevin; [hidden email]
Subject: Re: [jcifs] jcifs loses post parameters

Hi Mike

I have seen both the posts before. Where would you put that filter ?
Inplace or after etc ?

Let me know

thanks for the quick response


On 1/24/06, Michael B Allen <[hidden email]> wrote:

       On Tue, 24 Jan 2006 09:36:21 -0600
       "Tapperson Kevin" < [hidden email]
<mailto:[hidden email]> > wrote:

       > See:
       > <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post" target="_blank">http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
       > < <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html" target="_blank">http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://jcifs.samba.org/src/docs/ntlmhttpauth.html" target="_blank"> http://jcifs.samba.org/src/docs/ntlmhttpauth.html> >
       >
       > and:
       >
       >
<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil" target="_blank"> http://article.gmane.org/gmane.network.samba.java/3708/match=ntlmpostfil
ter

       Man this IE preemtive auth is a pain. Heres the KB article about
it:

       <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://support.microsoft.com/?id=251404" target="_blank"> http://support.microsoft.com/?id=251404

       What I would like to know is what exactly IIS does if you
perform the
       server side solution mentioned:

       * Configure the Web site to permit both anonymous access and
NLTM
         authentication (Integrated Windows authentication).

       Even if anonymous access is enabled, why would that stop IE from

       preemtively trying to authenticate?

       Mike






Reply | Threaded
Open this post in threaded view
|

Re: jcifs loses post parameters

Michael B Allen-4
In reply to this post by Abhijeet Sarwate
On Thu, 26 Jan 2006 10:56:32 -0500
Abhijeet Sarwate <[hidden email]> wrote:

> Hi Kevin
>
> I see duplicate requests being submitted !

Abhijeet,

I think you need to know how the NTLM HTTP authentication protocol
works to understand and resolve your issues. Details are at the end of
this page:

  http://jcifs.samba.org/src/docs/ntlmhttpauth.html#proto

Mike