[jcifs] JCIFS Pops up dialog box for Authenticating certain users

Ti Lian Hwang lian_hwang.ti at fairprice.com.sg
Thu Jul 10 02:33:54 GMT 2008

Setting jcifs.smb.client.ssnLimit = 1 

does not work when using jcifs.smb.client.username/password
It does NOT cause a NPE, but "Invalid access to memory location."

Please refer again to


NTLM HTTP Filter has been so popular and solves a great
problem; it would be sad to see it go.

OSS has always been about hacks, CIFS is a hack itself.

-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com]
Sent: Thursday, July 10, 2008 10:23 AM
To: Ti Lian Hwang
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] JCIFS Pops up dialog box for Authenticating certain

On 7/9/08, Ti Lian Hwang <lian_hwang.ti at fairprice.com.sg> wrote:
> Sorry, I gotta keep refering to this ...
> http://lists.samba.org/archive/jcifs/2008-January/007602.html
> which has worked for me ever since.

That's not a "fix" for anything. It just disables reusing transports.
Setting jcifs.smb.client.ssnLimit = 1 would work equally well
(although we recently fixed a bug that caused an NPE when setting that
property to 1). But without transport reuse every authentication has
to build up and tear down a socket which completely obliterates
scalability and that is the greatest strength of the JCIFS NTLM HTTP

The only known issue regarding the filter is the "hiccup bug" where
transports shutdown in the middle of the NTLM exchange thereby
invalidating any in-flight nonces. This is likely to be the issue that
you are seeing. It's just a bad interaction between the stateful
NTLMSSP and stateless HTTP protocols. The proposed fix for this issue
is discussed here:


However this fix will likely never be incorporated. Is is more likely
that the NTLM HTTP Filter in general will be dropped with the release
of JCIFS 2.0 (assuming a 2.0 ever happens) because the Filter has
nothing to do with the CIFS protocol and, more important, the
man-in-the-middle hack the Filter uses will not work with NTLMv2 which
is gaining popularity (and it's at the center of the "hiccup" bug).

I believe that an OSS project can actually do harm to the community
because it can block the development of a proper solution. The JCIFS
NTLM HTTP Filter was an easy solution that was very popular and it
actually worked very well all things considered. But it's a hack, it's
giving JCIFS a bad name and it needs to be put down.

I reconnoiter that by removing the NTLM HTTP Filter from JCIFS the
community will be forced to act to create a proper SSO Filter for Java
Servlet containers. I would be happy to describe how a proper SSO
Filter should operate to anyone who is serious about starting such a


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the jcifs mailing list