[jcifs] Concurrency with NTLM and servlets (and static methods?)
dircha at bethel.edu
Sat Nov 30 05:20:10 EST 2002
> Hello!
>
> I'm considering using jCIFS for doing NTLM authentication
> in my servlets, and I browsed the source briefly.
>
> I noticed that NtlmServlet calls several static methods in
> SmbSession, such as SmbSession.getChallenge() and SmbSession.logon().
>
> Apparently getChallenge() propagates further to create a new
> SmbTransport if there is no existing transport matching the connection
> details (remote+local address+port).
>
> getChallenge() then continues to call negotiate() on the SmbTransport.
>
> How can this work when several users access the servlet concurrently?
> Does an SmbTransport support multiple sessions (with different
> credentials?)
>
> Even if that works, is this not a race condition (as I understand,
> a client first requests the challenge and then afterwards sends the
> password hashes in a second request - disregarding the initial request
> that only results in an HTTP 401 auth required message)?
>
> Consider the following scenario:
>
> user1: requests NTLM auth --->
>                           <--- server: sends result of getChallenge()
>
> user2: requests NTLM auth --->
>                           <--- server: sends result of getChallenge()
>
> Isn't the result of getChallenge() equal both times because the same
> transport is used?
>
>
> and then...
>
> user1: sends password hashes --->
> <--- server: ???
>
> What happens now? Will the first user authenticate OK since
> trans.negotiate() only initiates negotiation once and the second user
> fail because the session now is logged on?
>
>
> Is this a problem, and if it is will the solution be to avoid using all
> the static "helper" methods and maintain one SmbTransport for each user?
> (I notice it's a thread so it's probably not the best thing to put into a
> user's session).
>
>
> Any comments? Am I seeing problems where there are none? I don't know
> enough about the internals of the SMB protocol to be sure of all the
> interactions between SmbTransport and SmbSession.
>
>
> - Frode
>
>
>
I don't know very much about the SMB protocol, and do not at the moment have the
tools set up to investigate if I did, but occasionally jcifs will stop responding
when attempting to query a host that is not available at the time. I've tried
leaving it go for 30 minutes to see whether it will time out, but it does not.
I'll see if I can't set up an environment to provide you all with a meaningful
description of this problem (as this is probably useless), but I thought it may
be relevant to the discussion of this potential problem.
--Chad Dirks