Negotiate delivers "404 not found"

Aug 11, 2010 at 1:57 PM
Edited Aug 11, 2010 at 5:13 PM

I'm trying with the mixed mode example and tomcat.

Specifying username and password works fine, but when I try to login with current windows credentials I'm always getting the status 404 not found from the tomcat. The logs don't have any entrys with failures, etc.

Any ideas? Thanks in advance!

Best regards

Michael

 

Coordinator
Aug 12, 2010 at 7:41 AM

Are you saying the sample out of the box isn't working for you? Which version of Tomcat?

What URL do you get a 404 on?

Aug 12, 2010 at 1:25 PM

Tomcat version is 6.0.29.

The URL is "http://localhost:8080/waffle-mixed/index.jsp?j_negotiate_check"

OS is Windows 7 with 64 bit.

Coordinator
Aug 12, 2010 at 6:29 PM

I took a stock 6.0.29 and copied the samples, everything worked.

I bet you're missing an error message and the filter doesn't start. Check all the log files. You're probably missing a JAR in tomcat/lib:

  • jna.jar
  • platform.jar
  • commons-logging-1.1.1.jar
  • waffle-jna.jar
Aug 13, 2010 at 4:42 AM

Do I have to install the spring framework? localhost.log contains:

13.08.2010 06:41:33 org.apache.catalina.core.StandardContext listenerStart
SCHWERWIEGEND: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
java.lang.ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)
 at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4078)

Coordinator
Aug 13, 2010 at 8:15 AM

Only if you want the Spring sample to work. It's not needed for all other samples like waffle-mixed.

Aug 13, 2010 at 10:53 AM

13.08.2010 12:46:10 org.apache.catalina.core.StandardContext start
SCHWERWIEGEND: Error listenerStart
13.08.2010 12:46:10 org.apache.catalina.core.StandardContext start
SCHWERWIEGEND: Context [/waffle-spring-filter] startup failed due to previous errors
13.08.2010 12:46:10 org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor waffle-spring-form.xml
13.08.2010 12:46:10 org.apache.catalina.core.StandardContext start
SCHWERWIEGEND: Error listenerStart
13.08.2010 12:46:10 org.apache.catalina.core.StandardContext start
SCHWERWIEGEND: Context [/waffle-spring-form] startup failed due to previous errors
13.08.2010 12:46:10 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docsThe only errors I found are in catalina.log:

and localhost.log:

13.08.2010 12:46:10 org.apache.catalina.core.StandardContext listenerStart
SCHWERWIEGEND: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
java.lang.ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)
 at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4078)

and

13.08.2010 12:46:10 org.apache.catalina.core.StandardContext listenerStart
SCHWERWIEGEND: Skipped installing application listeners due to previous error(s)
13.08.2010 12:46:10 org.apache.catalina.core.StandardContext listenerStart
SCHWERWIEGEND: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
java.lang.ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)

and

13.08.2010 12:46:10 org.apache.catalina.core.StandardContext listenerStart
SCHWERWIEGEND: Skipped installing application listeners due to previous error(s)
13.08.2010 12:46:10 org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()

Coordinator
Aug 13, 2010 at 12:36 PM

All those errors are from the spring sample, which is not what you're trying to do. If there're no other errors, then the application started just fine - the problem must be on the client side. Can you post a trace from your client? You can use IEHttpHeaders for example.

Aug 14, 2010 at 5:10 AM

Please find the log below.

GET /waffle-mixed/ HTTP/1.1
Accept: */*
Accept-Language: de-DE
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: localhost:8080
Connection: Keep-Alive
Cookie: JSESSIONID=AFFFCC19ECCA1C1E3211BAFC48DD4A36

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Type: text/html
Content-Length: 617
Date: Sat, 14 Aug 2010 05:07:32 GMT

POST /waffle-mixed/index.jsp?j_negotiate_check HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://localhost:8080/waffle-mixed/
Accept-Language: de-DE
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=AFFFCC19ECCA1C1E3211BAFC48DD4A36

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Transfer-Encoding: chunked
Date: Sat, 14 Aug 2010 05:07:39 GMT

Coordinator
Aug 16, 2010 at 9:07 AM

I get a 401 and not a 404 on that last response, which is the problem. I have a non-modified-fresh version of Tomcat 6.0.29 and the stock 1.3 build of Waffle. I would try to set this up on a different machine just to make sure nobody is crazy here :)

It's clear that the filter is working (loaded and responded - you have WWW-Authenticate headers in the response). But instead of terminating the response with a 401, access denied, it says it can't find index.jsp. I am a little bit at a loss of what's going on here since I can't reproduce any of this. The only next step that I would suggest is to debug the filter. But I keep thinking that the problem is somewhere else.

Aug 16, 2010 at 1:32 PM

Setting "waffle.apache.MixedAuthentification = FINE" delivers:

16.08.2010 15:03:38 waffle.apache.MixedAuthenticator redirectTo
FEIN: redirecting to: /login.jsp
16.08.2010 15:08:18 waffle.apache.MixedAuthenticator authenticate
FEIN: POST /waffle-mixed/index.jsp, contentlength: 0
16.08.2010 15:08:18 waffle.apache.MixedAuthenticator authenticate
FEIN: negotiateCheck: true (j_negotiate_check)
16.08.2010 15:08:18 waffle.apache.MixedAuthenticator authenticate
FEIN: securityCheck: false (j_negotiate_check)
16.08.2010 15:08:18 waffle.apache.MixedAuthenticator authenticate
FEIN: authorization: <none>, ntlm post: false
16.08.2010 15:08:18 waffle.apache.MixedAuthenticator authenticate
FEIN: authorization required

In addition I've tried on my private workstation. Here I'm able to login with username and password, but finally I got the following exception:

INFO: successfully logged in user: HOME-WIN7\michael
16.08.2010 15:27:42 waffle.apache.MixedAuthenticator redirectTo
FEIN: redirecting to: /index.jsp
16.08.2010 15:27:42 org.apache.catalina.connector.CoyoteAdapter service
SCHWERWIEGEND: An exception or error occurred in the container during the request processing
java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
        at org.apache.catalina.connector.Response.sendError(Response.java:1292)
        at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:840)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:545)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
        at java.lang.Thread.run(Thread.java:619)

The situation with logging in with windows credentials is same - 404.

Coordinator
Aug 16, 2010 at 3:30 PM

This just looks like something is also doing (authorization) work at the same time (sends headers, writes stuff, etc.). Do you have anything else configured in the server? Did you try with a default Tomcat distribution?

When Waffle says "authorization required", it sends a 401, this is the code.

_log.debug("authorization required");
sendUnauthorized(response);
return false;

protected void sendUnauthorized(Response response) {
 try {
	response.addHeader("WWW-Authenticate", "Negotiate");
	response.addHeader("WWW-Authenticate", "NTLM");
	response.setHeader("Connection", "close");
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
	response.flushBuffer();		
 } catch (IOException e) {
	throw new RuntimeException(e);
 }
}

Coordinator
Aug 16, 2010 at 3:33 PM

If you don't fix your problem - I will be back at work in NYC in a week. You should spend some time debugging this yourself and if everything fails I'll take a look over a webex.

Coordinator
Aug 23, 2010 at 4:45 PM

If you are still having trouble, drop me a note to dblock at dblock dot org. I'll setup a webex - give me some times when you can do it.

Oct 11, 2010 at 3:08 PM

Hello, have you found a solution yet? I too get the 404 error with the waffle-negotiate sample, running on a plain Tomcat 6.0.29, JDK 1.6u21 on Windows XP.

Here is an excerpt from the catalina.<date>.log:

11.10.2010 16:37:49 org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
11.10.2010 16:37:49 org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
11.10.2010 16:37:50 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
11.10.2010 16:37:50 org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
11.10.2010 16:37:50 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1396 ms
11.10.2010 16:37:50 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
11.10.2010 16:37:50 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
11.10.2010 16:37:50 org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
11.10.2010 16:37:50 org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
11.10.2010 16:37:51 org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor waffle-negotiate.xml
11.10.2010 16:37:51 waffle.apache.NegotiateAuthenticator <init>
FEIN: [waffle.apache.NegotiateAuthenticator] loaded
11.10.2010 16:37:51 waffle.apache.WaffleAuthenticatorBase setPrincipalFormat
FEIN: principal format: fqn
11.10.2010 16:37:51 waffle.apache.WaffleAuthenticatorBase setRoleFormat
FEIN: role format: both
11.10.2010 16:37:51 waffle.apache.NegotiateAuthenticator start
INFO: [waffle.apache.NegotiateAuthenticator] started
11.10.2010 16:37:51 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
11.10.2010 16:37:51 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
11.10.2010 16:37:51 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
11.10.2010 16:37:51 org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
11.10.2010 16:37:51 org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
11.10.2010 16:37:51 org.apache.catalina.startup.Catalina start
INFO: Server startup in 1229 ms
11.10.2010 16:38:08 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
11.10.2010 16:38:08 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: <none>, ntlm post: false
11.10.2010 16:38:08 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization required
11.10.2010 16:38:12 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
11.10.2010 16:38:12 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: <none>, ntlm post: false
11.10.2010 16:38:12 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization required

 

I have tried different authentication groups in web.xml: "Jeder" (German for "Everyone"), "Administratoren" (as my user is an administrator), "VIRTXP\Administratoren" (the computer's name is VIRTXP) and even "VIRTXP\\Administratoren", thinking the backslash might have to be escaped, but nothing did work.

I'd be grateful for any help,

Oliver

Coordinator
Oct 11, 2010 at 3:16 PM

oschleicher: in your case I think the client is not sending authentication to the server. Take a look at the CHM regarding configuring your browser first. If that doesn't help, start a new thread with client-side trace (try IEHttpHeaders).

Coordinator
Oct 12, 2010 at 11:12 AM

I figured it out. It's really silly. The 1.3 distribution is definining an error page in the waffle-negotiate/WEB-INF/web.xml (and other places).

<error-page>
  <error-code>401</error-code> 
  <location>/401.html</location> 
</error-page>

But the page is missing from the distribution package, so Tomcat is returning 404 (file not found). Place a 401.html into the waffle-negotiate folder or remove this entry to workaround the problem. The 1.4 distribution has this fixed.

Coordinator
Oct 12, 2010 at 11:15 AM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Oct 12, 2010 at 11:57 AM

The missing file 401.html really was the problem. As soon as the file was there, the sample worked.