[jcifs] JCIFS Pops up dialog box for Authenticating certain users

Michael B Allen ioplex at gmail.com
Thu Jul 10 02:22:47 GMT 2008 

On 7/9/08, Ti Lian Hwang <lian_hwang.ti at fairprice.com.sg> wrote:
>
> Sorry, I gotta keep refering to this ...
>
> http://lists.samba.org/archive/jcifs/2008-January/007602.html
>
> which has worked for me ever since.

That's not a "fix" for anything. It just disables reusing transports.
Setting jcifs.smb.client.ssnLimit = 1 would work equally well
(although we recently fixed a bug that caused an NPE when setting that
property to 1). But without transport reuse every authentication has
to build up and tear down a socket which completely obliterates
scalability and that is the greatest strength of the JCIFS NTLM HTTP
Filter.

The only known issue regarding the filter is the "hiccup bug" where
transports shutdown in the middle of the NTLM exchange thereby
invalidating any in-flight nonces. This is likely to be the issue that
you are seeing. It's just a bad interaction between the stateful
NTLMSSP and stateless HTTP protocols. The proposed fix for this issue
is discussed here:

  http://lists.samba.org/archive/jcifs/2008-June/008019.html

However this fix will likely never be incorporated. Is is more likely
that the NTLM HTTP Filter in general will be dropped with the release
of JCIFS 2.0 (assuming a 2.0 ever happens) because the Filter has
nothing to do with the CIFS protocol and, more important, the
man-in-the-middle hack the Filter uses will not work with NTLMv2 which
is gaining popularity (and it's at the center of the "hiccup" bug).

I believe that an OSS project can actually do harm to the community
because it can block the development of a proper solution. The JCIFS
NTLM HTTP Filter was an easy solution that was very popular and it
actually worked very well all things considered. But it's a hack, it's
giving JCIFS a bad name and it needs to be put down.

I reconnoiter that by removing the NTLM HTTP Filter from JCIFS the
community will be forced to act to create a proper SSO Filter for Java
Servlet containers. I would be happy to describe how a proper SSO
Filter should operate to anyone who is serious about starting such a
project.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

More information about the jcifs mailing list