The token supplied to the function is invalid

Mar 11, 2011 at 8:38 AM

Hi,
we are using the Servlet Negotiate Security Filter.

We get the Windows login dialog and the following error message in the Tomcat log of our application from time to time:

INFO [http-8080-5] (?:?) - GET /DynDokWeb/html/framesetStructure/frameset.jsp, contentlength: 0
INFO [http-8080-5] (?:?) - security package: Negotiate, connection id: 127.0.0.1:2037
INFO [http-8080-5] (?:?) - token buffer: 57 byte(s)
WARN [http-8080-5] (?:?) - error logging in user: Das Token, das der Funktion übergeben wurde, ist ungültig.

The last message means in English "The token supplied to the function is invalid".

Perhaps it is because a new session is created manually (oldSession.invalidate(); pRequest.getSession(true))? As mentioned before, the failure does not occur every time a new session is created.

Do you have any idea what our problem could be and how we can deal with it? Thank you very much.

Coordinator
Mar 11, 2011 at 1:21 PM

I would try a Waffle demo with the same server/user to be sure. Negotiate is a connection-oriented protocol and doesn't care about sessions.

Go through the usual FAQ of troubleshooting negotiate. You get an invalid token error for one of the thousands of reasons why a user cannot be logged in with it.

Mar 15, 2011 at 8:12 AM

We solved the problem by transferring Waffle-attributes ("javax.security.auth.subject" and "waffle.servlet.NegotiateSecurityFilter.PRINCIPAL") to the new session when generating it manually in code. This is not a nice solution, so we would be happy if some day we find the reason for the error. Thank you very much.

Coordinator
Mar 15, 2011 at 12:20 PM
Edited Mar 15, 2011 at 12:20 PM

I am sure it would be helpful for others to get some context and maybe even some code? Why are you dropping and re-creating the session in the first place?

Apr 18, 2011 at 9:44 AM

In our application we provide the option to sign off and log in again with another user name. Because we hold a lot of user-specific information in one session, we invalidate the old session and create a new one for the new user.

This is what the code looks like, whereby we assume the Waffle parameters in the new session:

// Requires java.util.ArrayList and javax.servlet.http.HttpSession.
// Remember the attributes that the Waffle filter stored in the current session.
HttpSession lSession = pRequest.getSession(true);
ArrayList<Object> lNegotiateSecurityFilterAttributes = new ArrayList<Object>();
lNegotiateSecurityFilterAttributes.add(lSession.getAttribute("javax.security.auth.subject"));
lNegotiateSecurityFilterAttributes.add(lSession.getAttribute("waffle.servlet.NegotiateSecurityFilter.PRINCIPAL"));

// Drop the old session with its user-specific data and create a fresh one.
lSession.invalidate();
lSession = pRequest.getSession(true);

// Put the Waffle attributes into the new session.
lSession.setAttribute("javax.security.auth.subject", lNegotiateSecurityFilterAttributes.get(0));
lSession.setAttribute("waffle.servlet.NegotiateSecurityFilter.PRINCIPAL", lNegotiateSecurityFilterAttributes.get(1));