[jcifs] Concurrency with NTLM and servlets (and static methods?)

Frode E. Moe frode at coretrek.no
Fri Nov 29 22:44:42 EST 2002


Hello!

I'm considering using jCIFS for doing NTLM authentication
in my servlets, and I browsed the source briefly.

I noticed that NtlmServlet calls several static methods in
SmbSession, such as SmbSession.getChallenge() and SmbSession.logon().

Apparently getChallenge() propagates further to create a new
SmbTransport if there is no existing transport matching the connection
details (remote+local address+port).

getChallenge() then continues to call negotiate() on the SmbTransport.

How can this work when several users access the servlet concurrently?
Does an SmbTransport support multiple sessions (with different credentials?)

Even if that works, is this not a race condition (as I understand,
a client first requests the challenge and then afterwards sends the password
hashes in a second request - disregarding the initial request that only results
in an HTTP 401 auth required message)?

Consider the following scenario: 

   user1: requests NTLM auth     --->
                                <---   server: sends result of getChallenge()
                               
   user2: requests NTLM auth     --->
                                <---   server: sends result of getChallenge()
                                
Isn't the result of getChallenge() equal both times because the same transport
is used?


and then...
                                                                      
   user1: sends password hashes  --->
                                <---   server: ???

What happens now? Will the first user authenticate OK since trans.negotiate()
only initiates negotiation once and the second user fail because the session now is logged on?


Is this a problem, and if it is will the solution be to avoid using all
the static "helper" methods and maintain one SmbTransport for each user? 
(I notice it's a thread so it's probably not the best thing to put into a user's
session).


Any comments? Am I seeing problems where there are none? I don't know enough about
the internals of the SMB protocol to be sure of all the interactions between
SmbTransport and SmbSession. 
    

  - Frode
  
  


