[jcifs] Version 1.3.1 bug (and fix)

John.Baker at barclayscapital.com
Thu Dec 4 15:17:18 GMT 2008


Mike,

Are you saying that for anyone who wishes to use the NtlmHttpFilter,
they should now stick with version 1.2.25 of the product?  Hence, the
product will drop support for this filter because it doesn't reliably
work in 1.3.x?

I must be confused because that doesn't seem a terribly good way forward
and there's clearly a bug that needs addressing.


John

> -----Original Message-----
> From: Michael B Allen [mailto:ioplex at gmail.com]
> Sent: 03 December 2008 22:32
> To: Baker, John: IT (LDN)
> Subject: Re: [jcifs] Version 1.3.1 bug (and fix)
> 
> No. This will not be changed.
> 
> On Wed, Dec 3, 2008 at 3:53 PM,
> <John.Baker at barclayscapital.com> wrote:
> > Mike,
> >
> > Are there any plans to move the statics - it shouldn't be too
> > difficult and we can't have the NtlmHttpFilter breaking randomly, even
> > if it can be fixed via the command line parameters.
> >
> > Thanks,
> >
> >
> > John
> >
> >> -----Original Message-----
> >> From: Michael B Allen [mailto:ioplex at gmail.com]
> >> Sent: 03 December 2008 18:31
> >> To: Baker, John: IT (LDN)
> >> Cc: jcifs at lists.samba.org
> >> Subject: Re: [jcifs] Version 1.3.1 bug (and fix)
> >>
> >> On Wed, Dec 3, 2008 at 6:44 AM,
> >> <John.Baker at barclayscapital.com> wrote:
> >> > Hi,
> >> >
> >> > I think I've found a bug in version 1.3.1 when using the
> >> > NtlmHttpFilter.
> >> > Having configured the system and watched it work, I then configured
> >> > logging:
> >> >
> >> >            <init-param>
> >> >                <param-name>jcifs.util.loglevel</param-name>
> >> >                <param-value>4</param-value>
> >> >            </init-param>
> >> >
> >> > Restarted and it failed with this exception:
> >> >
> >> > jcifs.smb.SmbException: NTLMv2 requires extended security
> >> > (jcifs.smb.client.useExtendedSecurity must be true if
> >> > jcifs.smb.lmCompatibility >= 3)
> >> >        at jcifs.smb.NtlmPasswordAuthentication.getSigningKey(NtlmPasswordAuthentication.java:473)
> >> >        at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:295)
> >> >        at jcifs.smb.SmbSession.send(SmbSession.java:234)
> >> >        at jcifs.smb.SmbTree.treeConnect(SmbTree.java:161)
> >> >        at jcifs.smb.SmbSession.interrogate(SmbSession.java:83)
> >> >        at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:115)
> >> >        at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:157)
> >> >        at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:121)
> >> >        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
> >> >
> >> > (Be sure to start a new browser window.)
> >> >
> >> > Looking at NtlmPasswordAuthentication:
> >> >
> >> >    private static final int LM_COMPATIBILITY =
> >> >            Config.getInt("jcifs.smb.lmCompatibility", 3);
> >> >
> >> > That is clearly wrong as it sets the compatibility when the class is
> >> > first created (but I guess, never again).  Hence, when the logging
> >> > occurs, the value is set incorrectly and before it's been reset by the
> >> > NtlmHttpFilter!
> >> >
> >> > Removing 'static' fixes the problem.
> >>
> >> Actually I didn't think you could even set the log.level from within
> >> the filter. Ok.
> >>
> >> Setting things when the class is first loaded is not "clearly wrong".
> >> On Windows systems lmCompatibility is set in the registry and is
> >> therefore a global fixed value.
> >>
> >> But clearly it would be better to make some of these properties
> >> dynamic. Unfortunately the code is simply not organized for this
> >> property to be dynamic. The Config class is static and global so if
> >> one thread sets lmCompatibility to 3 another thread could come along
> >> and set it to 0 before the first thread tried to use it. There needs
> >> to be a Map of properties or context containing said map that is
> >> passed around throughout the API or perhaps associated with the
> >> thread. But that's not something that is going to change in 1.x.
> >>
> >> One thing you could do is to set things on the command line using
> >> -Djcifs.smb.lmCompatibility=0. Or better still set the properties
> >> file on the commandline like -Djcifs.properties=jcifs.prp so that you
> >> can add and remove properties to that file instead of those
> >> abominable XML configuration files. At any rate, those commandline
> >> properties are loaded when the Config class loads so it should be
> >> sufficient to work around the problem.
> >>
> >> Also note that so far JCIFS 1.3 offers no real benefits over
> >> 1.2 wrt the Filter. The JCIFS NTLM HTTP Filter does not support
> >> NTLMv2 (and can never support NTLMv2) and there are otherwise no
> >> Filter related fixes in 1.3 relative to 1.2.25 (aside from a fix for
> >> something that was broken in 1.3.0).
> >>
> >> Mike
> >>
> >> --
> >> Michael B Allen
> >> PHP Active Directory SPNEGO SSO
> >> http://www.ioplex.com/
> >>
> 
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
> 
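
The initialization-order issue discussed in this thread, as an added Java example that is not part of the original messages or the jCIFS code base. `Config`, `FrozenAuth` and `DynamicAuth` are hypothetical stand-ins; only the property name and its default of 3 come from the quoted snippet, and the stand-in `Config` copying JVM system properties at class load is an assumption modelled on the reply above.

```java
import java.util.Properties;

public class StaticConfigOrdering {
    static final String KEY = "jcifs.smb.lmCompatibility"; // property name from the thread

    // Hypothetical stand-in for a global, static configuration holder.
    static final class Config {
        static final Properties PROPS = new Properties();
        static {
            // Assumption modelled on the reply: -D properties are copied at class load.
            PROPS.putAll(System.getProperties());
        }
        static int getInt(String key, int def) {
            String v = PROPS.getProperty(key);
            return v == null ? def : Integer.parseInt(v);
        }
    }

    // Same shape as the quoted field: evaluated once, when this class is initialized.
    static final class FrozenAuth {
        private static final int LM_COMPATIBILITY = Config.getInt(KEY, 3);
        static int level() { return LM_COMPATIBILITY; }
    }

    // Alternative shape: looks the property up on every call.
    static final class DynamicAuth {
        static int level() { return Config.getInt(KEY, 3); }
    }

    public static void main(String[] args) {
        // 1. Some earlier code path touches FrozenAuth, which triggers its static
        //    initializer before the filter's init-params have been applied.
        int early = FrozenAuth.level();

        // 2. The filter's init() now applies its configured parameter.
        Config.PROPS.setProperty(KEY, "0");

        // 3. FrozenAuth keeps the value captured in step 1; DynamicAuth sees step 2.
        System.out.println("captured at class init: " + early);
        System.out.println("FrozenAuth after init-param:  " + FrozenAuth.level());
        System.out.println("DynamicAuth after init-param: " + DynamicAuth.level());
    }
}
```

Started with `-Djcifs.smb.lmCompatibility=0`, both classes report the same level, because the value is already present when the stand-in `Config` loads; that is the workaround suggested in the reply.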