[jcifs] 0.7.3 -- ArrayIndexOutOfBoundsException with tomcat 4 .1.18 via is api_redirect.dll

Tony Cooke TCooke at elders.com.au
Tue Jul 29 10:34:59 EST 2003 

Hi Eric.

Thanks for your help but it didn't seem to solve the problem.
I have outlined the results below and included a snippet from the ISAPI 
log file if that helps. Otherwise I'll try and organise a packet trace.

> > The problem is I the following when I access Tomcat directly:
> > 
> > NTLM HTTP Authentication Example
> > DOMAIN\TC00H successfully logged in <===== All OK here. 
> Logged on OK.
> > Please submit some form data using POST
> >   
> > field1 = null 
> > 
> > but when I access it via the ISAPI redirector DLL I get the 
> following:
> > 
> > NTLM HTTP Authentication Example
> > successfully logged in <===== Errr... someone has logged in 
> but I don't see who.
> > Please submit some form data using POST
> >   
> > field1 = null 
> > 
> 
> If you're only seeing the problem under the connector, it's 
> probably not the
> web.xml.  I'm currently between working IIS-Tomcat connectors 
> right now (I'm
> having non-jCIFS-related issues), but try looking at the following:
>
> 1)  Ensure that anonymous access is allowed from the IIS side 
> to the Tomcat
> connector, and NTLM ("Integrated Windows authentication") is disabled.
> 
> Under access control on the directory security tab for the 
> tomcat virtual
> directory, make sure "Anonymous access" is enabled and 
> "Integrated Windows
> authentication" is disabled.  Otherwise, strange interactions 
> can take place
> between the filter and IIS.  Are you accessing the server 
> from the local box
> (i.e., client and server are the same box)?  This could 
> possibly explain the
> behavior; if IIS is "intercepting" the NTLM messages, it will 
> negotiate local
> authentication with a client on the same box.  The Type 3 
> message in such a
> case will contain zero-length fields for the username, 
> domain, etc. which
> could explain the empty username string you are seeing 
> (incidentally, this
> would also cause the aforementioned error; even with a 
> zero-length password,
> the LM hash should be 24 bytes in a normal scenario).

I am doing most of my testing on the same machine so I have client and
server on the same box. I have also tested on another box and the
popup box prompting for User Name/Password/Domain came up.

I've enabled "Anonymous Access" and disabled "Integraded Windows
Authentication" on the virtual directory containing the ISAPI redirector,
still no luck.

> 2)  Make sure the filter is getting invoked.
> 
> Attached is a test jsp file which you should be able to drop 
> in to your web
> app.  This will give you a few indications as to whether the 
> filter is even
> getting tapped during the request.

The filter is getting invoked according to your test program (see below):

Your username (from request.getRemoteUser()) is "". This should be non-null (and non-empty). 
The classname of your request object is: 
    jcifs.http.NtlmHttpServletRequest
This should be "jcifs.http.NtlmHttpServletRequest". 
NtlmHttpAuth is set in the session. This is good. 

> 3)  Try playing with the "tomcatAuthentication" parameter.
> 
> This controls whether the webserver or Tomcat is 
> authenticating users.  If you
> are using the AJP13 connector, you would do this in 
> server.xml, something like:
> 
> <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
>         tomcatAuthentication="false" port="8009" minProcessors="5"
>         maxProcessors="75" acceptCount="10" debug="0"/>
> 
> The "tomcatAuthentication" is the relevant bit here.  If you 
> are using the
> Coyote JK2 connector, you would edit jk2.properties and add:
> 
> request.tomcatAuthentication="false"
> 
> This is kind of a long shot though; I think this will cause 
> tomcat to use the
> webserver's authentication, which is sort of the opposite of 
> what you are
> going for.  This would normally be an option -- enabling 
> "Integrated Windows
> authentication", disabling "Anonymous access", and removing the filter
> completely.  This would use IIS to do the NTLM authentication 
> instead of
> jCIFS.  However, you indicated previously that you are 
> looking to move away
> from IIS, so this probably wouldn't be applicable in your 
> case.  Of course,
> you could just use jCIFS on your non-IIS boxes, and use the 
> native NTLM
> authentication provided by IIS on those servers.  The only 
> modification needed
> for your web apps is to slip the filter into the web.xml.  
> You probably won't
> see any of these issues on non-IIS servers.

Actually we have to keep IIS in the picture as we have a few 3rd party applications
that do not have a java counterpart. So we're stuck there.

> If all of this fails, a packet trace would probably be needed 
> for some deeper
> digging.

I've included the ISAPI debug log for now. The packet trace I'll try and arrange.
(I noticed that there is actually an error in there. Maybe that can help?)

[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (696)]: HttpFilterProc started
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (759)]: In HttpFilterProc Virtual Host redirection of /eld14287/purejsp/test3.jsp
[Tue Jul 29 09:45:46 2003]  [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Tue Jul 29 09:45:46 2003]  [jk_uri_worker_map.c (477)]: Attempting to map URI '/eld14287/purejsp/test3.jsp'
[Tue Jul 29 09:45:46 2003]  [jk_uri_worker_map.c (599)]: jk_uri_worker_map_t::map_uri_to_worker, done without a match
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (765)]: In HttpFilterProc test Default redirection of /purejsp/test3.jsp
[Tue Jul 29 09:45:46 2003]  [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker
[Tue Jul 29 09:45:46 2003]  [jk_uri_worker_map.c (477)]: Attempting to map URI '/purejsp/test3.jsp'
[Tue Jul 29 09:45:46 2003]  [jk_uri_worker_map.c (502)]: jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 -> /purejsp/
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (775)]: HttpFilterProc [/purejsp/test3.jsp] is a servlet url - should redirect to ajp13
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (838)]: HttpFilterProc check if [/purejsp/test3.jsp] is points to the web-inf directory
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (878)]: HttpExtensionProc started
[Tue Jul 29 09:45:46 2003]  [jk_worker.c (132)]: Into wc_get_worker_for_name ajp13
[Tue Jul 29 09:45:46 2003]  [jk_worker.c (136)]: wc_get_worker_for_name, done  found a worker
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (913)]: HttpExtensionProc got a worker for name ajp13
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1546)]: Into jk_worker_t::get_endpoint
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1590)]: In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request = 71 seconds
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1208)]: Into jk_endpoint_t::service
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (295)]: Into ajp_marshal_into_msgb
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (463)]: ajp_marshal_into_msgb - Done
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (693)]: sending to ajp13 #364
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (966)]: ajp_send_request 2: request body to send 0 - request body to resend 0
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (738)]: ERROR: can't receive the response message from tomcat, network problems or tomcat is down. err=-53
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1137)]: Error reading reply from tomcat. Tomcat is down or network problems.
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1290)]: ERROR: Receiving from tomcat failed, recoverable operation. err=0
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1309)]: sending request to tomcat failed in send loop. err=0
[Tue Jul 29 09:45:46 2003]  [jk_connect.c (158)]: Into jk_open_socket
[Tue Jul 29 09:45:46 2003]  [jk_connect.c (165)]: jk_open_socket, try to connect socket = 2236
[Tue Jul 29 09:45:46 2003]  [jk_connect.c (174)]: jk_open_socket, after connect ret = 0
[Tue Jul 29 09:45:46 2003]  [jk_connect.c (183)]: jk_open_socket, set TCP_NODELAY to on
[Tue Jul 29 09:45:46 2003]  [jk_connect.c (200)]: jk_open_socket, return, sd = 2236
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (661)]: In jk_endpoint_t::ajp_connect_to_endpoint, connected sd = 2236
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (693)]: sending to ajp13 #364
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (966)]: ajp_send_request 2: request body to send 0 - request body to resend 0
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (804)]: received from ajp13 #77
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (515)]: ajp_unmarshal_response: status = 200
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (521)]: ajp_unmarshal_response: Number of headers is = 2
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (575)]: ajp_unmarshal_response: Header[0] [Content-Type] = [text/html;charset=ISO-8859-1]
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (575)]: ajp_unmarshal_response: Header[1] [Content-Length] = [382]
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (432)]: Into jk_ws_service_t::start_response
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (804)]: received from ajp13 #386
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (566)]: Into jk_ws_service_t::write
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (804)]: received from ajp13 #2
[Tue Jul 29 09:45:46 2003]  [jk_isapi_plugin.c (925)]: HttpExtensionProc service() returned OK
[Tue Jul 29 09:45:46 2003]  [jk_ajp_common.c (1521)]: Into jk_endpoint_t::done, recycling connection

Sorry about this. I really do apprecaite your help.

I'm fairly new at all this (and it shows) but I hopefully will make up
for lost time and get up to speed shortly.

All the best,
Tony

More information about the jcifs mailing list