[jcifs] JCIFS Pops up dialog box for Authenticating certain users

Asaf Mesika asaf.mesika at gmail.com
Mon Jul 14 07:23:30 GMT 2008 

On Thu, Jul 10, 2008 at 5:22 AM, Michael B Allen <ioplex at gmail.com> wrote:

> On 7/9/08, Ti Lian Hwang <lian_hwang.ti at fairprice.com.sg> wrote:
> >
> > Sorry, I gotta keep refering to this ...
> >
> > http://lists.samba.org/archive/jcifs/2008-January/007602.html
> >
> > which has worked for me ever since.
>
> That's not a "fix" for anything. It just disables reusing transports.
> Setting jcifs.smb.client.ssnLimit = 1 would work equally well
> (although we recently fixed a bug that caused an NPE when setting that
> property to 1). But without transport reuse every authentication has
> to build up and tear down a socket which completely obliterates
> scalability and that is the greatest strength of the JCIFS NTLM HTTP
> Filter.
>
> The only known issue regarding the filter is the "hiccup bug" where
> transports shutdown in the middle of the NTLM exchange thereby
> invalidating any in-flight nonces. This is likely to be the issue that
> you are seeing. It's just a bad interaction between the stateful
> NTLMSSP and stateless HTTP protocols. The proposed fix for this issue
> is discussed here:
>
>  http://lists.samba.org/archive/jcifs/2008-June/008019.html
>
> However this fix will likely never be incorporated. Is is more likely
> that the NTLM HTTP Filter in general will be dropped with the release
> of JCIFS 2.0 (assuming a 2.0 ever happens) because the Filter has
> nothing to do with the CIFS protocol and, more important, the
> man-in-the-middle hack the Filter uses will not work with NTLMv2 which
> is gaining popularity (and it's at the center of the "hiccup" bug).
>
What is "The man-in-middle" hack you are referring to?
Why NTLMv2 will prevent the filter from working?


>
> I believe that an OSS project can actually do harm to the community
> because it can block the development of a proper solution. The JCIFS
> NTLM HTTP Filter was an easy solution that was very popular and it
> actually worked very well all things considered. But it's a hack, it's
> giving JCIFS a bad name and it needs to be put down.
>
> I reconnoiter that by removing the NTLM HTTP Filter from JCIFS the
> community will be forced to act to create a proper SSO Filter for Java
> Servlet containers. I would be happy to describe how a proper SSO
> Filter should operate to anyone who is serious about starting such a
> project.
>
Can you please describe what you're suggesting? What will be the difference
between a "proper" Servlet Filter and the current NTLM HTTP Filter?

Thank you,

Asaf

>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list