[jcifs] Logon dialog after authentication fails

Blank, Gregory gregory.blank at citigroup.com
Mon Oct 3 17:13:42 GMT 2005


Actually, I found an explanation of this problem on this very mailing list:
http://lists.samba.org/archive/jcifs/2003-May/002188.html

Whether it is a bug in Tomcat or not, changing the order of setStatus() and setContentLength() does the trick.

Lines 208-209 in NtlmHttpFilter, 
from:
resp.setContentLength(0); /* Marcel Feb-15-2005 */
resp.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
to:
resp.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
resp.setContentLength(0); /* Marcel Feb-15-2005 */

Greg

 -----Original Message-----
From: 	Michael B Allen [mailto:mba2000 at ioplex.com] 
Sent:	Friday, September 30, 2005 7:39 PM
To:	Blank, Gregory
Cc:	jcifs at lists.samba.org
Subject:	Re: [jcifs] Logon dialog after authentication fails

On Fri, 30 Sep 2005 17:41:23 -0400
"Blank, Gregory" <gregory.blank at citigroup.com> wrote:

> Hi,
> 
> I am running JCIFs 1.2.4 under Tomcat 5.5 with logonShare option.
> The client is IE 6.0 on a machine which is not a member of the target domain.
> 
> If the IE security option for intranet is set to auto logon, IE sends the local id/password and authentication
> fails as expected.
> 
> What is not expected is that IE displays a blank page instead of giving me a logon dialog.
> Tomcat's access log shows 401, 401 and then 200 with no length.
> 
> Now, when I commented out line 208 in NtlmHttpFilter
> ----->        resp.setContentLength(0); /* Marcel Feb-15-2005 */
> everything started working: IE gets 401 as the 3rd response and shows the logon dialog.
> 
> It looks like Tomcat overrides 401 when response length is 0.  
> 
> So my question is: why was this line (208 in NtlmHttpFilter) put there in the first place?

I think IE expects a bunch of error text in the response for some
reason. Anyway here is the original message:

  http://lists.samba.org/archive/jcifs/2005-February/004738.html

If someone can produce a capture of NTLM HTTP auth w/ IIS failing w/
401 then I'll change this to emulate that and use it as the precedent for
"correct" behavior.

Otherwise I'd rather not ping-pong back and fourth with this.

Mike




More information about the jcifs mailing list