[jcifs] NTLM HTTP Authentication Filter broken with Tomcat 5.0.2?

eglass1 at attbi.com eglass1 at attbi.com
Wed May 28 23:06:22 EST 2003


Marc,

Do you see anything on the HTTP side (i.e., from your browser)?  I was able to 
get Tomcat 5 working, although I had issues different from what you are 
seeing.  From what I experienced, Tomcat was closing the connection when the 
Type-2 message was sent; the client was then giving up and just displaying a 
blank page.  I was able to rectify this by removing the

resp.setContentLength(0);

line from NtlmSsp.java.  Tomcat's behavior seems to be inconsistent with RFC 
2616, which states:

   An HTTP/1.1 server MAY assume that a HTTP/1.1 client intends to
   maintain a persistent connection unless a Connection header including
   the connection-token "close" was sent in the request. If the server
   chooses to close the connection immediately after sending the
   response, it SHOULD send a Connection header including the
   connection-token close.

That is, if Tomcat intends to close the connection, it should send 
the "Connection: close" header with the response; likewise, if we don't set 
the "Connection: close" header, it should keep the connection alive.  Removing
the explicit content length allows the container to use chunked encoding; 
apparently, this triggers Tomcat 5 to keep the connection alive (or rather, 
Tomcat is deciding to close a connection with an explicit content length, and 
this prevents that behavior).

Theoretically, changing this shouldn't cause any adverse behavior.  However, 
IIS does use an explicit content length; we would have to do extensive testing 
to ensure that this doesn't break other clients or containers.  Either approach 
is technically correct with regards to the RFCs; I would be very hesitant to 
vary from the IIS way of doing things, however, given the delicate nature of 
NTLM negotiation.

I don't know if this addresses the issue you are seeing or not.  Mike, is it 
possible that the initiation of the SMB session occurs when the Type-2 
challenge is created?  If so, is it possible that the exception is just the 
thread dying due to the client never coming back to respond to the challenge?  
I'm not that familiar with the low-level SMB stuff, so I'm not sure exactly 
when the transports, etc. are established.  Mike should be able to tell you 
that.

Try commenting out the setContentLength(0) line and see if it starts working; 
in any case, Tomcat's behavior should probably be regarded as a bug.

Eric

> Mike, Eric, All!
> Just to let you know that the situation is the same with jcifs-0.7.7 and
> Tomcat 5 nightly build as of 2003-05-27.
> 
> Regards,
> Marc 



More information about the jcifs mailing list