[jcifs] jcifs on J2EE compliant server
Allen, Michael B (RSCH)
Michael_B_Allen at ml.com
Thu Dec 12 12:49:27 EST 2002
> -----Original Message-----
> From: Glass, Eric [SMTP:eric.glass at capitalone.com]
> Sent: Wednesday, December 11, 2002 6:23 AM
> To: 'Allen, Michael B (RSCH)'; Tieu, Kiet L
> Cc: jcifs at lists.samba.org
> Subject: RE: [jcifs] jcifs on J2EE compliant server
>
>
> >
> > > This is fairly interesting... one of the internal Sun One
> > classes is
> > > apparently attempting to cast the
> > NtlmPasswordAuthentication object to
> > > something it does not implement. Since it couldn't
> > conceivably have any
> > > knowledge regarding the internal jCIFS classes, my only
> > guess would be
> > > that it is attempting to serialize the objects in the
> > HttpSession (and
> > > is casting the NtlmPasswordAuthentication object to
> > > java.io.Serializable). This would require more investigation to
> > > confirm, however. If this turns out to be the case,
> > > NtlmPasswordAuthentication could be made to implement Serializable
> > > fairly easily; in fact, you could just add it to the
> > implements class
> > > and recompile the jCIFS classes if you wanted to test this out.
> > >
> > I don't see how this would work. The ansiHash and
> > unicodeHash are
> > specific to a particular SmbTransport. If an
> > NtlmPasswordAuthentication
> > object is marshalled into another/new VM using some
> > form of serialization
> > the hashes will be wrong. Or is this not what the
> > container is trying to do?
> >
> >
> >
>
> That was pure speculation on my part -- servlet containers are required to
> support storage of Serializable objects in the session, but are NOT required
> to support storage of non-serializable objects (although most do, and simply
> throw exceptions upon attempts to actually serialize the session). The
> container is supposed to throw an IllegalArgumentException upon insertion
> into the session of an invalid object (defined by the spec as "objects where
> the container cannot support the mechanism necessary for migration of a
> session storing them"). I was just speculating that the container was
> instead simply casting to Serializable. This is incorrect -- I downloaded
> the Sun One application server (a hefty 97 MB) and did some further
> investigation. One of the app server's internal classes is attempting to
> do:
>
> if (httpservletrequest.getUserPrincipal() != null) {
> WebPrincipal webprincipal = (WebPrincipal)
> httpservletrequest.getUserPrincipal();
> ....
> }
>
> It is essentially trying to cast the principal object (in our case, an
> NtlmPasswordAuthentication) to an internal principal implementation (which
> would work if our filter was not being applied). This will fail when any
> filter is used which applies a request wrapper and overrides
> getUserPrincipal to return a different implementation. This would appear to
> be a bug in the Sun One application server; according to the servlet spec:
>
> "Central to the notion of filtering is the concept of wrapping a request or
> response in
> order that it can override behavior to perform a filtering task. In this
> model, the
> developer not only has the ability to override existing methods on the
> request and
> response objects, but to provide new API suited to a particular filtering
> task to a
> filter or target web resource down the chain. For example, the developer may
> wish to
> extend the response object with higher level output objects that the output
> stream or
> the writer, such as API that allows DOM objects to be written back to the
> client.
>
> In order to support this style of filter the container must support the
> following
> requirement. When a filter invokes the doFilter method on the container's
> filter
> chain implementation, the container must ensure that the request and
> response
> object that it passes to the next entity in the filter chain, or to the
> target web
> resource if the filter was the last in the chain, is the same object that
> was passed
> into the doFilter method by the calling filter."
>
>
> In other terms, when our filter calls:
>
> chain.doFilter(new NtlmHttpServletRequest(req, ntlm), response);
>
> it is the container's responsibility to ensure that the next filter (or
> target resource) in the chain receives the NtlmHttpServletRequest object we
> passed in. It is therefore NOT safe for the application server to assume
> that any specific implementation will be provided.
>
> It IS required that the wrapper class wrap the request provided to the
> doFilter method (this ensures that at the top of the wrapped "stack" the
> container's implementation class is present); therefore, one correct
> approach for the Sun One class would be:
>
>
> while (httpservletrequest instanceof HttpServletRequestWrapper) {
> httpservletrequest = (HttpServletRequest)
> ((HttpServletRequestWrapper) httpservletrequest).getRequest();
> }
> if (httpservletrequest.getUserPrincipal() != null) {
> WebPrincipal webprincipal = (WebPrincipal)
> httpservletrequest.getUserPrincipal();
> ....
> }
>
>
> That is, they need to fully unwrap the request to ensure that they are
> dealing with the base request object.
>
So you make it sound like it is legal to override getUserPrinciple. If so then
it's a bug in their server to assume they will get a WebPrinciple. Sounds like
jCIFS will just not work with the Sun One server period.
More information about the jcifs
mailing list