[jcifs] Concurrency with NTLM and servlets (and static methods?)

dircha at bethel.edu dircha at bethel.edu
Sat Nov 30 05:20:10 EST 2002


> Hello!
> 
> I'm considering using jCIFS for doing NTLM authentication
> in my servlets, and I browsed the source briefly.
> 
> I noticed that NtlmServlet calls several static methods in
> SmbSession, such as SmbSession.getChallenge() and SmbSession.logon().
> 
> Apparently getChallenge() propagates further to create a new
> SmbTransport if there are no existing transport matching the connection
> details (remote+local address+port).
> 
> getChallenge() then continues to call negotiate() on the SmbTransport.
> 
> How can this work when several users access the servlet concurrently?
> Does an SmbTransport support multiple sessions (with different
> credentials?)
> 
> Even if that works, is this not a race condition (as I understand,
> a client first requests the challenge and then afterwards sends the
> password hashes in a second request - disregarding the initial request
> that only results in a HTTP 401 auth required message)?
> 
> Consider the following scenario:
> 
>    user1: requests NTLM auth     --->
>                                 <---   server: sends result of getChallenge()
> 
>    user2: requests NTLM auth     --->
>                                 <---   server: sends result of getChallenge()
> 
> Isn't the result of getChallenge() equal both times because the same
> transport is used?
> 
> 
> and then...
>                                                                       
>    user1: sends passwords hashes --->
>                                 <---   server: ???
> 
> What happens now? Will the first user authenticate OK since
> trans.negotiate() only initiates negotiation once, and the second user
> fail because the session now is logged on?
> 
> 
> Is this a problem, and if it is, will the solution be to avoid using all
> the static "helper" methods and maintain one SmbTransport for each user?
> (I notice it's a thread, so it's probably not the best thing to put into
> a user's session).
> 
> 
> Any comments? Am I seeing problems where there are none? I don't know
> enough about the internals of the SMB protocol to be sure of all the
> interactions between SmbTransport and SmbSession.
> 
>   - Frode
> 

I don't know very much about the SMB protocol, and do not at the moment have the
tools set up to investigate if I did, but occasionally jcifs will stop responding
when attempting to query a host that is not available at the time. I've tried
leaving it go for 30 minutes to see whether it will time out, but it does not.
I'll see if I can't set up an environment to provide you all with a meaningful
description of this problem (as this is probably useless), but I thought it may
be relevant to the discussion of this potential problem.

--Chad Dirks
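The interleaving Frode sketches (both users fetch a challenge before either sends a response) is easy to model. The following is an added example, not jcifs code and not a statement of what jcifs actually does: it contrasts a single shared "transport" whose challenge is fixed after the first negotiate() with a broker that mints one single-use challenge per conversation (assumed here to be keyed by the HTTP session id). The "answer" function is an HMAC stand-in for the client's hashed response, not NTLM's real calculation, and the user/secret table is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Toy model of the two designs under discussion. Added example; it does not
// use jcifs, and answer() is an HMAC stand-in, NOT NTLM's response algorithm.
public class ChallengeRaceDemo {

    /** Stand-in for the client's hashed answer: HMAC-SHA256(secret, challenge). */
    static byte[] answer(byte[] secret, byte[] challenge) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(challenge);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Design 1 (the worry in the thread): one shared transport negotiates once,
     *  so every caller of getChallenge() receives the same 8 bytes. */
    static final class SharedTransport {
        private byte[] challenge;   // set on first negotiate(), never refreshed

        synchronized byte[] getChallenge() {
            if (challenge == null) {
                challenge = new byte[8];
                new SecureRandom().nextBytes(challenge);
            }
            return challenge.clone();
        }
    }

    /** Design 2: a fresh challenge per conversation (assumed: keyed by the HTTP
     *  session id), consumed exactly once when the response is checked. */
    static final class PerConversationBroker {
        private final Map<String, byte[]> pending = new ConcurrentHashMap<>();
        private final Map<String, byte[]> secrets;   // constructed toy user store
        private final SecureRandom rng = new SecureRandom();

        PerConversationBroker(Map<String, byte[]> secrets) { this.secrets = secrets; }

        byte[] issueChallenge(String conversationId) {
            byte[] c = new byte[8];
            rng.nextBytes(c);
            pending.put(conversationId, c);   // replaces any stale challenge
            return c.clone();
        }

        boolean verify(String conversationId, String user, byte[] response) {
            byte[] c = pending.remove(conversationId);   // single use: gone after this
            byte[] secret = secrets.get(user);
            if (c == null || secret == null) return false;
            return MessageDigest.isEqual(answer(secret, c), response);
        }
    }

    public static void main(String[] args) {
        Map<String, byte[]> users = new HashMap<>();   // constructed sample data
        users.put("user1", "pw-one".getBytes(StandardCharsets.UTF_8));
        users.put("user2", "pw-two".getBytes(StandardCharsets.UTF_8));

        // Interleaving from the thread: both challenges go out before either answer.
        SharedTransport shared = new SharedTransport();
        byte[] c1 = shared.getChallenge();   // user1
        byte[] c2 = shared.getChallenge();   // user2
        System.out.println("shared transport, same challenge for both users: "
                + Arrays.equals(c1, c2));

        PerConversationBroker broker = new PerConversationBroker(users);
        byte[] s1 = broker.issueChallenge("sess-1");   // user1
        byte[] s2 = broker.issueChallenge("sess-2");   // user2
        System.out.println("per-conversation, challenges differ: " + !Arrays.equals(s1, s2));

        byte[] r1 = answer(users.get("user1"), s1);
        System.out.println("user1 answers own challenge: " + broker.verify("sess-1", "user1", r1));
        // The consumed challenge cannot be used a second time for the same conversation.
        System.out.println("user1 second use of same challenge: " + broker.verify("sess-1", "user1", r1));
        byte[] r2 = answer(users.get("user2"), s2);
        System.out.println("user2 answers own challenge: " + broker.verify("sess-2", "user2", r2));
    }
}
```

The point of the per-conversation broker is that the challenge is bound to one client conversation and removed on verification, so two concurrent users never share one, and a response is only ever matched against the challenge that was issued to its own conversation.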


