ActiveX - PUT request authentication through WAFFLE fails

Jul 7, 2010 at 8:11 AM

Hello, we are trying to change our product from JCIFS to WAFFLE, but we have a problem that occurs when using WAFFLE. I hope I can explain it well. We have a CLIENT-SERVER product. At the moment we use Win 2003 server as both server and client.

The only part where the problem shows up is the document management. It is built on WebDAV and also through JS + ActiveX. When uploading content there is a PUT call to the server and this call cannot authenticate...

1.scenario Win2003 server - Win2003 client and JCIFS authentication

Here comes the PUT request to the server with additional information like NTLMSSP_NEGOTIATE, and the content of this message is ZERO (so we don't have any file content).
The server responds accordingly and sends a message 401 (unauthorized) with the information NTLMSSP_CHALLENGE.
Then the client responds and sends PUT again, but this time with the info NTLMSSP_AUTH and the username; here the content is NOT ZERO, so the message has the file.
When debugging in Eclipse it seems like just one try to upload the file, so before we sniffed the communication we didn't have any info about why this was happening; we just knew that the content which should be uploaded was zero.

HTTP PUT /appname/webdav/test.docx?params HTTP/1.1, NTLMSSP_NEGOTIATE
User-Agent: __W3_DEFAULT_AGENT\r\n
Host: serveraddr:8080\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
Cookie: JSESSIONID=BEA412BD07D6C897F837A1E906BEBDB0\r\n
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==\r\n
Content-Length: 0

HTTP/1.1 401 Unauthorized, NTLMSSP_CHALLENGE

HTTP PUT /appname/webdav/test.docx?params HTTP/1.1, NTLMSSP_AUTH, User: D208D\durfina
User-Agent: __W3_DEFAULT_AGENT\r\n
Host: serveraddr:8080\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
Cookie: JSESSIONID=BEA412BD07D6C897F837A1E906BEBDB0\r\n
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHAAAAA4ADgAiAAAAAoACgBIAAAADgAOAFIAAAAQABAAYAAAAAAAAADAAAAABQIAAgUCzg4AAAAPRAAyADAAOABEAGQAdQByAGYAaQBuAGEARAAyADAAOABTADEANQA0ANLAMTxslleplKPmkJnW1RlHjQYsYsMCziWEwV2lEFwichc9FpWZvUYBAQAAAAAAAOZT3iv
Content-Length: 9851

2.scenario Win2003 server - Win2003 client and WAFFLE authentication

It is like JCIFS, but after the message with NTLMSSP_NEGOTIATE comes just a response from the server with the result of the uploading process (an error) and not a message with NTLMSSP_CHALLENGE. We don't know yet where the cause of this problem is, whether it is an ActiveX problem or a problem of WAFFLE itself.

HTTP PUT /appname/webdav/test.docx?params HTTP/1.1, NTLMSSP_NEGOTIATE
User-Agent: __W3_DEFAULT_AGENT\r\n
Host: serveraddr:8080\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
Cookie: JSESSIONID=90E016ACC2BADDA80C0CDD627B00F503\r\n
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==\r\n
Content-Length: 0

HTTP/1.1 401 Unauthorized (text/html)

and then comes a POST request and this authenticates fine...

3.scenario Win2003 server - Win7 client and WAFFLE authentication

It is not like JCIFS and also not like the previous WAFFLE scenario. In this scenario the authentication happens on the first contact of the client with the server (a GET call) and then it is not necessary again.
So the PUT comes just like it is without any additional authentication info like NTLMSSP_NEGOTIATE. It has just the session.

HTTP PUT /appname/webdav/test.docx?params HTTP/1.1
Content-Length: 9851
User-Agent: __W3_DEFAULT_AGENT\r\n
Host: serveraddr:8080\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
Cookie: JSESSIONID=B6B178530F94EC416AE3233F68710926; tu=1d3d08acbd0e282f98f66fe9951cf6bf\r\n

I used Wireshark to analyse the communication and have no idea where to look for the problem anymore... I just don't really get why it is working on Win7 and not on Server 2003. Do you have some idea what could be the cause that there isn't a challenge response?

and also the logs:

INFO   | jvm 1   | 2010/07/06 12:56:41 | 2010-07-06 12:56:41,917: [http-8080-1] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: previously authenticated Windows user: USRDOM\user

INFO   | jvm 1   | 2010/07/06 12:56:45 | 2010-07-06 12:56:45,293: [http-8080-1] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: PUT /appname/webdav/skuska.docx, contentlength: 0

INFO   | jvm 1   | 2010/07/06 12:56:45 | 2010-07-06 12:56:45,293: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: authorization: NTLM TlRMTVNTUAABAAAAB7IIogUABQAwAAAACAAIACgAAAAFAs4OAAAAD0QyMDhSMTcxRDIwOEQ=, ntlm post: false

INFO   | jvm 1   | 2010/07/06 12:56:45 | 2010-07-06 12:56:45,293: [http-8080-1] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: previously authenticated Windows user: USRDOM\user

INFO   | jvm 1   | 2010/07/06 12:56:45 | 2010-07-06 12:56:45,324: [http-8080-1] ERROR: PUT request failure! Reason: CheckFormatFilterImpl: Document content for file: skuska.docx [185335] is not Office 2007 file

INFO   | jvm 1   | 2010/07/06 12:56:45 | 2010-07-06 12:56:45,371: [http-8080-1] INFO: Request (PUT) for 'skuska.docx' lasted for: 78 milliseconds.

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,340: [http-8080-1] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: POST /appname/Manager.po, contentlength: 0

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,340: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: authorization: NTLM TlRMTVNTUAABAAAAB7IIogUABQAwAAAACAAIACgAAAAFAs4OAAAAD0QyMDhSMTcxRDIwOEQ=, ntlm post: true

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,340: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: security package: NTLM, connection id: 1.20.208.171:2764

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,340: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: token buffer: 53 byte(s)

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,355: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: continue token: TlRMTVNTUAACAAAACgAKADgAAAAFwomiBs/cj0Jqc0JAH28BAAAAAIwAjABCAAAABQLODgAAAA9EADIAMAA4AEQAAgAKAEQAMgAwADgARAABABAARAAyADAAOABSADEANwAxAAQAGABkADIAMAA4AGQALgB0AG8AZwAuAHMAawADACoAZAAyADAAOAByADEANwAxAC4AZAAyADAAOABkAC4AdABvAGcALgBzAGsABQAYAGQAMgAwADgAZAAuAHQAbwBnAC4AcwBrAAAAAAA=

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,371: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: continue required: true

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,371: [http-8080-1] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: POST /appname/Manager.po, contentlength: 666

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,371: [http-8080-1] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: authorization: NTLM TlRMTVNTUAADAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAABcKIogUCzg4AAAAP, ntlm post: false

INFO   | jvm 1   | 2010/07/06 12:56:47 | 2010-07-06 12:56:47,371: [http-8080-1] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: previously authenticated Windows user: USRDOM\user

 

Coordinator
Jul 7, 2010 at 11:43 AM

I think it's a non-feature (aka bug) in Waffle. Looks like PUT behaves the same way as POST (which makes sense). It works for you on Windows 7 because it chooses Kerberos and not NTLM. For a long explanation see http://code.dblock.org/ShowPost.aspx?id=104.

Try build 1.3.4882.0. I added code that makes PUT do the same thing as POST for NTLM, but I don't have an application to test. Let me know if it works.

 

 

Jul 7, 2010 at 12:11 PM

I tried it, but the communication between server and client is still the same... POST works but PUT does not.

INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,424: [http-8080-2] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: PUT /appname/webdav/test.docx, contentlength: 0
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,424: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==, ntlm post: false
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,424: [http-8080-2] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: previously authenticated Windows user: USERDMN\user
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,455: [http-8080-2] ERROR: PUT request failure! Reason: CheckFormatFilterImpl: Document content for file: test.docx [219388] is not Office 2007 file
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,470: [http-8080-2] INFO: Language properties file C:/tas-professional-8/multiserver/webapps/appname/properties/app.properties is (re)loaded.
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,470: [http-8080-2] INFO: File refresh period is setup:60000ms.
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,502: [http-8080-2] INFO: Language properties file C:/tas-professional-8/multiserver/webapps/appname/properties/app.properties is (re)loaded.
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,502: [http-8080-2] INFO: File refresh period is setup:60000ms.
INFO   | jvm 1    | 2010/07/07 14:03:19 | 2010-07-07 14:03:19,502: [http-8080-2] INFO: Request (PUT) for 'test.docx' lasted for: 78 milliseconds.
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,236: [http-8080-2] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: POST /appname/Manager.po, contentlength: 0
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,252: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==, ntlm post: true
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,252: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: security package: NTLM, connection id: 1.20.208.154:1972
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,252: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: token buffer: 40 byte(s)
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,267: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: continue token: TlRMTVNTUAACAAAACgAKADgAAAAFgomikXK8BOD8DbAAAAAAAAAAAIwAjABCAAAABQLODgAAAA9EADIAMAA4AEQAAgAKAEQAMgAwADgARAABABAARAAyADAAOABSADEANwAxAAQAGABkADIAMAA4AGQALgB0AG8AZwAuAHMAawADACoAZAAyADAAOAByADEANwAxAC4AZAAyADAAOABkAC4AdABvAGcALgBzAGsABQAYAGQAMgAwADgAZAAuAHQAbwBnAC4AcwBrAAAAAAA=
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,267: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: continue required: true
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,267: [http-8080-2] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: POST /appname/Manager.po, contentlength: 666
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,267: [http-8080-2] NegotiateSecurityFilterProvider, INFO, waffle.servlet.spi.NegotiateSecurityFilterProvider: authorization: NTLM TlRMTVNTUAADAAAAGAAYAHAAAAC8ALwAiAAAAAoACgBIAAAADgAOAFIAAAAQABAAYAAAAAAAAABEAQAABYKIogUCzg4AAAAPRAAyADAAOABEAGQAdQByAGYAaQBuAGEARAAyADAAOABTADEANQA0ANXlra8deEKMtFpApBuIqenXErWCRD0UugHEwbC02IlCN6yRlmzJFdYBAQAAAAAAAGSMymTMHcsB1xK1gkQ9FLoAAAAAAgAKAEQAMgAwADgARAABABAARAAyADAAOABSADEANwAxAAQAGABkADIAMAA4AGQALgB0AG8AZwAuAHMAawADACoAZAAyADAAOAByADEANwAxAC4AZAAyADAAOABkAC4AdABvAGcALgBzAGsABQAYAGQAMgAwADgAZAAuAHQAbwBnAC4AcwBrAAAAAAAAAAAA, ntlm post: false
INFO   | jvm 1    | 2010/07/07 14:03:21 | 2010-07-07 14:03:21,267: [http-8080-2] NegotiateSecurityFilter, INFO, waffle.servlet.NegotiateSecurityFilter: previously authenticated Windows user: USERDMN\user

Coordinator
Jul 7, 2010 at 12:26 PM

Either I didn't build it right or you aren't actually running my newest build. Maybe you need to delete the tomcat/work temporary folder?

Otherwise, can you build/debug waffle?

Put a breakpoint into waffle.util.AuthorizationHeader.isNtlmType1PostAuthorizationHeader. It should return true for a request that's a PUT with a content-length of zero (from the logs above it returns false, ntlm post = false, which is odd, cause the new code is rather straightforward).

	public boolean isNtlmType1PostAuthorizationHeader() {
		if ((_request.getMethod() != "POST") && (_request.getMethod() != "PUT"))
			return false;
		
		if (_request.getContentLength() != 0)
			return false;
		
		return isNtlmType1Message();
	}

Jul 7, 2010 at 1:35 PM

I had to change it to:

	public boolean isNtlmType1PostAuthorizationHeader() {
		if ((_request.getMethod() != "POST") && !(_request.getMethod().equals("PUT")))
			return false;
		
		if (_request.getContentLength() != 0)
			return false;
		
		return isNtlmType1Message();
	}

I don't know the reason, but I think the string from _request.getMethod() is somewhat special in the PUT case so the normal comparison doesn't work well... Could you build it like this? I think this would solve the problem. Thank you very much.

 

Coordinator
Jul 7, 2010 at 2:21 PM

Ok. Build 1.3.4884.0. It's my mistake to compare strings with != or ==, this compares references and only works when the value wasn't created with new String(...) or something crazy like that. Let me know if you're still having problems.
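
The reference-versus-value comparison discussed in this thread, as an added example that is not part of the original posts and is not WAFFLE's own code. The class and method names (NtlmType1Check, ntlmMessageType, byReference, byValue) are hypothetical, and the run-time-built "PUT" string is an assumption standing in for a method name decoded from the request; the token is the type 1 header from the PUT capture above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NtlmType1Check {
    // Type 1 (NEGOTIATE) header copied from the PUT capture in this thread.
    static final String TYPE1 = "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==";

    // An NTLM message starts with "NTLMSSP\0" and a little-endian uint32 message type.
    // Returns that type, or -1 if the header is not a well-formed NTLM token.
    static int ntlmMessageType(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) return -1;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return -1; // payload is not valid base64
        }
        byte[] sig = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
        if (raw.length < 12) return -1;
        for (int i = 0; i < sig.length; i++) {
            if (raw[i] != sig[i]) return -1;
        }
        return (raw[8] & 0xff) | (raw[9] & 0xff) << 8 | (raw[10] & 0xff) << 16 | (raw[11] & 0xff) << 24;
    }

    // Reference comparison, the pattern in the first version posted above.
    static boolean byReference(String method, int contentLength, String auth) {
        if ((method != "POST") && (method != "PUT")) return false;
        return contentLength == 0 && ntlmMessageType(auth) == 1;
    }

    // Value comparison; literal-first equals() also tolerates a null method.
    static boolean byValue(String method, int contentLength, String auth) {
        if (!"POST".equals(method) && !"PUT".equals(method)) return false;
        return contentLength == 0 && ntlmMessageType(auth) == 1;
    }

    public static void main(String[] args) {
        String literal = "PUT"; // compile-time constant, shares the interned instance
        // Assumption: stands in for a method name decoded from request bytes at run time.
        String parsed = new String("PUT".getBytes(StandardCharsets.US_ASCII), StandardCharsets.US_ASCII);
        System.out.println("literal, by reference: " + byReference(literal, 0, TYPE1));
        System.out.println("parsed,  by reference: " + byReference(parsed, 0, TYPE1));
        System.out.println("parsed,  by value:     " + byValue(parsed, 0, TYPE1));
        System.out.println("parsed,  body present: " + byValue(parsed, 9851, TYPE1));
    }
}
```

In the logs above, a false result from this check on the zero-length PUT shows up as "ntlm post: false" followed by "previously authenticated Windows user", after which the empty body reaches the application and the upload fails.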