Works with Firefox and Chrome, intermittently with IE

Aug 23, 2011 at 5:42 PM

I really like the framework but I have been struggling to get it to work with Internet Explorer. It works just fine with Firefox and Chrome. In IE there is an intermittent problem when posting a form back. In the request header I see Authorize: Negotiate and Content-Length : 0. Sometimes with the form post there is no Authorize: Negotiate and the form data is posted. I know this has to do with the classic IE form post problem described here: http://stackoverflow.com/questions/328281/why-content-length-0-in-post-requests

My server platform is: Windows 8, Tomcat 7,

The application is done using Struts2 and the Struts2-jQuery frameworks.

Coordinator
Aug 24, 2011 at 2:54 AM

Waffle handles NTLM negotiations properly (those 0-len posts). I wrote this article about it a while ago, it might be helpful. The bottom line is that when you have a post like this it should negotiate successfully and things continue as expected. Of course Struts might not be able to handle a multiple-step negotiation, then you're into more issues. I'd focus on getting a failure HTTP trace next. 

Aug 24, 2011 at 6:42 PM

I did some more testing and discovered that the problem only happens when I have automatic logon enabled for the web site in IE. When automatic logon is off and I’m prompted for my user name and password the web site works.

Coordinator
Aug 24, 2011 at 11:51 PM

Yes, if you don't do Negotiate, something else works. But the point of SSO is to never prompt. Get a failing HTTP trace.

Aug 25, 2011 at 3:13 AM

Here are the HTTP headers for the failed session, logging in with automatic logon turned on:

GET /PSC_Admin/errorlogin.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Connection: Keep-Alive
Cookie: JSESSIONID=AF84D7C9052DC67BC70DE804F505E943

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=58B7E559AB591E3F19BB97B368AEEF76; Path=/PSC_Admin/; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1183
Date: Wed, 24 Aug 2011 18:50:24 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=58B7E559AB591E3F19BB97B368AEEF76

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Content-Type: text/html
Content-Length: 132
Date: Wed, 24 Aug 2011 18:50:28 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAF3Txvv0qqDcefwxtUY2zR8U1A9x1mTKHgeWfC4uu50hUOCoj0QEsoHW/E3/RACrbAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=
Cookie: JSESSIONID=58B7E559AB591E3F19BB97B368AEEF76

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
Connection: keep-alive
Content-Type: text/html
Content-Length: 132
Date: Wed, 24 Aug 2011 18:50:28 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=58B7E559AB591E3F19BB97B368AEEF76
Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAAJeyCOIJAAkALwAAAAcABwAoAAAABgGxHQAAAA9SRy02NDEwSU5URVJORVdT

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oYH6MIH3oAMKAQGige8EgexOVExNU1NQAAIAAAASABIAOAAAABWCieJp+yiO+QOBhgAAAAAAAAAAogCiAEoAAAAGAbAdAAAAD0kATgBUAEUAUgBOAEUAVwBTAAIAEgBJAE4AVABFAFIATgBFAFcAUwABAAgATQBPAFMAUwAEAB4ASQBOAFQARQBSAE4ARQBXAFMALgBMAE8AQwBBAEwAAwAoAE0ATwBTAFMALgBJAE4AVABFAFIATgBFAFcAUwAuAEwATwBDAEEATAAFAB4ASQBOAFQARQBSAE4ARQBXAFMALgBMAE8AQwBBAEwABwAIAAzQnLGOYswBAAAAAA==
Connection: keep-alive
Content-Type: text/html
Content-Length: 132
Date: Wed, 24 Aug 2011 18:50:28 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=58B7E559AB591E3F19BB97B368AEEF76
Authorization: Negotiate oYHyMIHvoAMKAQGigdMEgdBOVExNU1NQAAMAAAAYABgAkAAAABgAGACoAAAAEgASAFgAAAAYABgAagAAAA4ADgCCAAAAEAAQAMAAAAAVgojiBgGxHQAAAA/lTy3vSlFGA5rG90LDheHzSQBOAFQARQBSAE4ARQBXAFMAcgBnAG8AbABlAGIAaQBvAHcAcwBrAGkAUgBHAC0ANgA0ADEAMAAoz65FgxCcmwAAAAAAAAAAAAAAAAAAAAAuC+C+rIRaq+Vx/WmdYDMR2ipFtQFNIU7EQaCQQTBCJXG7rid2VC3roxIEEAEAAAD/1sb3GvCS4wAAAAA=

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
Set-Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1; Path=/PSC_Admin/; Secure; HttpOnly
Accept-Ranges: bytes
ETag: W/"161-1314034250431"
Last-Modified: Mon, 22 Aug 2011 17:30:50 GMT
Content-Type: text/html
Content-Length: 161
Date: Wed, 24 Aug 2011 18:50:28 GMT

GET /PSC_Admin/contracts/enterContracts.action HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Connection: Keep-Alive
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAF7Txvv0qqDcefwxtUY2zR9vY7RdUzFy5hlXIBtfPYmjLA3JZXOKYYJHEy1DVTHRiQAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 24 Aug 2011 18:50:28 GMT

GET /PSC_Admin/js/formatcurrency.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
If-Modified-Since: Fri, 19 Nov 2010 15:47:42 GMT
If-None-Match: W/"602-1290181662259"
Connection: Keep-Alive
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
ETag: W/"602-1290181662259"
Date: Wed, 24 Aug 2011 18:50:29 GMT

GET /PSC_Admin/struts/js/base/jquery.ui.core.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
If-Modified-Since: Tue, 23 Aug 2011 23:24:50 GMT
Connection: Keep-Alive
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
ETag: W/"1959-1290181661727"
Date: Wed, 24 Aug 2011 18:50:29 GMT

GET /PSC_Admin/css/ajtabstyles.css HTTP/1.1
Accept: text/css
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
If-Modified-Since: Fri, 06 May 2011 17:42:36 GMT
If-None-Match: W/"4203-1304703756645"
Connection: Keep-Alive
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGDTxvv0qqDcefwxtUY2zR+uM0wyQK4QKXPEUBptoYFrlGNY59gOzeRdw6tfJpnbwAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Expires: Thu, 25 Aug 2011 18:50:29 GMT
Date: Wed, 24 Aug 2011 18:50:29 GMT

GET /PSC_Admin/struts/js/base/jquery-1.5.2.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
If-Modified-Since: Tue, 23 Aug 2011 23:24:50 GMT
Connection: Keep-Alive
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGHTxvv0qqDcefwxtUY2zR+ToOGnolk/QdhMcOYePfeF3jiEKbKf5SLBiPGp4RRm2gAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
ETag: W/"4203-1304703756645"
Date: Wed, 24 Aug 2011 18:50:29 GMT

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Expires: Thu, 25 Aug 2011 18:50:30 GMT
Date: Wed, 24 Aug 2011 18:50:29 GMT

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Expires: Thu, 25 Aug 2011 18:50:30 GMT
Date: Wed, 24 Aug 2011 18:50:29 GMT

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Expires: Thu, 25 Aug 2011 18:50:30 GMT
Date: Wed, 24 Aug 2011 18:50:29 GMT

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Expires: Thu, 25 Aug 2011 18:50:30 GMT
Date: Wed, 24 Aug 2011 18:50:29 GMT

POST /PSC_Admin/contracts/searchForContractors.action HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: insite.mysite.org:8443
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1

lstContractorsActionFlag=showq&lstContractorsIndex=0&lstContractorsPageNumber=0&hContractor=2&searchContractorName=

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 24 Aug 2011 18:50:33 GMT

 

Here are the headers with auto logon turned off:


POST /PSC_Admin/contracts/editContractor.action HTTP/1.1
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: insite.mysite.org:8443
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGXTxvv0qqDcefwxtUY2zR+pighfaWoIw1A+S3UhCmHvAMWjXKSGc3HKEINQ4ybSswAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Wed, 24 Aug 2011 18:50:36 GMT

GET /PSC_Admin/errorlogin.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Connection: Keep-Alive
Cookie: JSESSIONID=722D92A6095F3E7253BB2D9A723FB3EB

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DCB732E1BD71B36CABEA63A90CA231B6; Path=/PSC_Admin/; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1183
Date: Wed, 24 Aug 2011 18:47:57 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=DCB732E1BD71B36CABEA63A90CA231B6

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Content-Type: text/html
Content-Length: 132
Date: Wed, 24 Aug 2011 18:48:00 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Cookie: JSESSIONID=DCB732E1BD71B36CABEA63A90CA231B6
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Content-Length: 0

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAVgoniIPvnYdfl8UoAAAAAAAAAAKIAogBKAAAABgGwHQAAAA9JAE4AVABFAFIATgBFAFcAUwACABIASQBOAFQARQBSAE4ARQBXAFMAAQAIAE0ATwBTAFMABAAeAEkATgBUAEUAUgBOAEUAVwBTAC4ATABPAEMAQQBMAAMAKABNAE8AUwBTAC4ASQBOAFQARQBSAE4ARQBXAFMALgBMAE8AQwBBAEwABQAeAEkATgBUAEUAUgBOAEUAVwBTAC4ATABPAEMAQQBMAAcACADmnj9fjmLMAQAAAAA=
Connection: keep-alive
Content-Type: text/html
Content-Length: 132
Date: Wed, 24 Aug 2011 18:48:10 GMT

POST /PSC_Admin/index.html?j_negotiate_check HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://insite.mysite.org:8443/PSC_Admin/errorlogin.jsp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Cookie: JSESSIONID=DCB732E1BD71B36CABEA63A90CA231B6
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAABIAEgBYAAAAGAAYAGoAAAAOAA4AggAAABAAEADAAAAAFYKI4gYBsR0AAAAP5DL3eSIm7GMPtePw5IFkP0kATgBUAEUAUgBOAEUAVwBTAHIAZwBvAGwAZQBiAGkAbwB3AHMAawBpAFIARwAtADYANAAxADAA4saZa8rEgMQAAAAAAAAAAAAAAAAAAAAAzUZbDJ/3GuOOwcVvDa4o3nabcYfpy9w3AEaK0Q65t9/25l0NCjrhTA==
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=573317A19988C0205FFF072E4B0246F4; Path=/PSC_Admin/; Secure; HttpOnly
Accept-Ranges: bytes
ETag: W/"161-1314034250431"
Last-Modified: Mon, 22 Aug 2011 17:30:50 GMT
Content-Type: text/html
Content-Length: 161
Date: Wed, 24 Aug 2011 18:48:10 GMT

GET /PSC_Admin/contracts/enterContracts.action HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: insite.mysite.org:8443
Connection: Keep-Alive
Cookie: JSESSIONID=573317A19988C0205FFF072E4B0246F4
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 24 Aug 2011 18:48:10 GMT

 

Aug 25, 2011 at 4:18 PM

Here is the log from Tomcat for a failed session. The section at Aug 25, 2011 8:09:22 is for a failed AJAX request.

Aug 25, 2011 8:08:41 AM waffle.apache.MixedAuthenticator startInternal
INFO: [waffle.apache.MixedAuthenticator] started
Aug 25, 2011 8:08:41 AM org.apache.coyote.AbstractProtocolHandler start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Aug 25, 2011 8:08:41 AM org.apache.coyote.AbstractProtocolHandler start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Aug 25, 2011 8:08:41 AM org.apache.coyote.AbstractProtocolHandler start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Aug 25, 2011 8:08:41 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5622 ms
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: POST /PSC_Admin/index.html, contentlength: 0
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: negotiateCheck: true (j_negotiate_check)
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: securityCheck: false (j_negotiate_check)
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: authorization: <none>, ntlm post: false
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: authorization required
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: POST /PSC_Admin/index.html, contentlength: 0
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: negotiateCheck: true (j_negotiate_check)
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: securityCheck: false (j_negotiate_check)
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator authenticate
FINE: authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAD23k+fllkPThpoSIo7VsvzhSEAH9IoBtWbaWyerwj2+wOjoMrogy4TmMKhKD57PYQAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=, ntlm post: false
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator negotiate
FINE: security package: Negotiate, connection id: s66-76-78-82.lubb.tx.sta.suddenlink.net:36480
Aug 25, 2011 8:09:16 AM waffle.apache.MixedAuthenticator negotiate
FINE: token buffer: 161 byte(s)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: continue required: true
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: continue token: oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: POST /PSC_Admin/index.html, contentlength: 0
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: negotiateCheck: true (j_negotiate_check)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: securityCheck: false (j_negotiate_check)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAAJeyCOIJAAkALwAAAAcABwAoAAAABgGxHQAAAA9SRy02NDEwSU5URVJORVdT, ntlm post: false
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: security package: Negotiate, connection id: s66-76-78-82.lubb.tx.sta.suddenlink.net:36480
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: token buffer: 69 byte(s)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: continue required: true
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: continue token: oYH6MIH3oAMKAQGige8EgexOVExNU1NQAAIAAAASABIAOAAAABWCieJIRhfrA7/hFQAAAAAAAAAAogCiAEoAAAAGAbAdAAAAD0kATgBUAEUAUgBOAEUAVwBTAAIAEgBJAE4AVABFAFIATgBFAFcAUwABAAgATQBPAFMAUwAEAB4ASQBOAFQARQBSAE4ARQBXAFMALgBMAE8AQwBBAEwAAwAoAE0ATwBTAFMALgBJAE4AVABFAFIATgBFAFcAUwAuAEwATwBDAEEATAAFAB4ASQBOAFQARQBSAE4ARQBXAFMALgBMAE8AQwBBAEwABwAIACodS/U4Y8wBAAAAAA==
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: POST /PSC_Admin/index.html, contentlength: 0
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: negotiateCheck: true (j_negotiate_check)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: securityCheck: false (j_negotiate_check)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator authenticate
FINE: authorization: Negotiate oYHyMIHvoAMKAQGigdMEgdBOVExNU1NQAAMAAAAYABgAkAAAABgAGACoAAAAEgASAFgAAAAYABgAagAAAA4ADgCCAAAAEAAQAMAAAAAVgojiBgGxHQAAAA/6C3KPULlqXHERXqP6CBvfSQBOAFQARQBSAE4ARQBXAFMAcgBnAG8AbABlAGIAaQBvAHcAcwBrAGkAUgBHAC0ANgA0ADEAMABASlK26yw5IAAAAAAAAAAAAAAAAAAAAAAagU1rg8jE1PnA5h4IvUu4+dwmYBJ3BUQTSFD/eKDvASUgvubtoTQwoxIEEAEAAAAkbJ0IRdP/MAAAAAA=, ntlm post: false
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: security package: Negotiate, connection id: s66-76-78-82.lubb.tx.sta.suddenlink.net:36480
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: token buffer: 245 byte(s)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: continue required: false
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: continue token: oRswGaADCgEAoxIEEAEAAACcOmtxW/WrYQAAAAA=
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: logged in user: mysite\rgolebiowski (S-1-5-21-2648136206-503800928-2667956425-3036)
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: roles: BUILTIN\Users, Everyone, mysite\Application Administrator, mysite\Arcata-Users, mysite\Domain Users, mysite\FTP-Managers, mysite\ITSystemsAdmin, mysite\PSC Administrator, mysite\QPWD_ACCESS, mysite\geeks, mysite\rgolebiowski, Mandatory Label\Medium Mandatory Level, NT AUTHORITY\Authenticated Users, NT AUTHORITY\NETWORK, NT AUTHORITY\NTLM Authentication, NT AUTHORITY\This Organization, S-1-1-0, S-1-16-8192, S-1-5-11, S-1-5-15, S-1-5-2, S-1-5-21-2648136206-503800928-2667956425-2234, S-1-5-21-2648136206-503800928-2667956425-2295, S-1-5-21-2648136206-503800928-2667956425-2323, S-1-5-21-2648136206-503800928-2667956425-2894, S-1-5-21-2648136206-503800928-2667956425-2918, S-1-5-21-2648136206-503800928-2667956425-3147, S-1-5-21-2648136206-503800928-2667956425-3149, S-1-5-21-2648136206-503800928-2667956425-513, S-1-5-32-545, S-1-5-64-10
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
FINE: session id:21F50F504B95D4E5817C5FC045483EDC
Aug 25, 2011 8:09:17 AM waffle.apache.MixedAuthenticator negotiate
INFO: successfully logged in user: mysite\rgolebiowski
Aug 25, 2011 8:09:22 AM waffle.apache.MixedAuthenticator authenticate
FINE: POST /PSC_Admin/contracts/searchForContractors.action, contentlength: 0
Aug 25, 2011 8:09:22 AM waffle.apache.MixedAuthenticator authenticate
FINE: negotiateCheck: false (<none>)
Aug 25, 2011 8:09:22 AM waffle.apache.MixedAuthenticator authenticate
FINE: securityCheck: false (<none>)
Aug 25, 2011 8:09:22 AM waffle.apache.MixedAuthenticator authenticate
FINE: authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAEW3k+fllkPThpoSIo7VsvxmBFgPQqHkacfEqK1UANsY21bTn+9lA2jcINokF9YUuAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=, ntlm post: false
Aug 25, 2011 8:09:22 AM waffle.apache.MixedAuthenticator authenticate
FINE: previously authenticated user: mysite\rgolebiowski

Coordinator
Aug 25, 2011 at 4:23 PM

Back up. What's a "failure" in your app? Do you see an authentication popup? Something else? Here everything looks clean.

Aug 25, 2011 at 7:12 PM

The failure is that after I'm authenticated, when posting an action, IE thinks it has to authenticate again, so the form is not posted, and I have something along the lines of the following in the header:

 

POST /PSC_Admin/contracts/editContractor.action HTTP/1.1
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://insite.mysite.org:8443/PSC_Admin/contracts/enterContracts.action
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: insite.mysite.org:8443
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=FA74DF005D4394ACC2FA1728285FFCD1
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGXTxvv0qqDcefwxtUY2zR+pighfaWoIw1A+S3UhCmHvAMWjXKSGc3HKEINQ4ybSswAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=
Content-Length: 0

 

Aug 26, 2011 at 4:20 AM

I have redone how the user enters the web application along the lines of the waffle-mixed sample. On my laptop my web application works the same as the sample application, so that when a user connects they are redirected to the login page. On our server the application authenticates the user, and if I click logoff the application just reauthenticates all over again and never gets to the login page. The other odd thing is that the waffle-mixed sample app works correctly on the server.

Coordinator
Aug 30, 2011 at 3:07 AM

That's evidence that I call "anecdotal". Isolate the scenario that works differently and compare the HTTP conversations.

Aug 31, 2011 at 11:03 PM

In the end it seems it was a problem with the pages served up by Struts actions. I was able to fix the problem by moving most of the web pages into a sub-folder and applying the security constraint to the sub-folder only.

Feb 2, 2012 at 9:06 AM

We encountered the same issue. When the Connection times out and IE (8 or 9) reconnects it sends a POST with Content-Length: 0 and the starting token for Authorization (like the POST from rgblkcal above).

See http://stackoverflow.com/questions/328281/why-content-length-0-in-post-requests for explanation of this IE behavior that appears to be a security feature.

We'd expect that the Waffle filter should handle this special case to re-authorize the browser and then we expect IE to send a POST request including the initial content after the authorization is complete.

Our current workaround is to increase the keepAliveTimeout of the Tomcat Connector but we would like to have a better solution because the problem will be visible when the connection drops for some external reason.

Coordinator
Feb 7, 2012 at 9:57 PM

The 0-content-length POST is part of the protocol and Waffle handles it. What doesn't handle it is Struts, the server needs to negotiate on an Ajax POST, but the client doesn't know what to do with a 401.

Feb 8, 2012 at 9:17 AM

Thanks for the feedback!

We don't use Struts, we have a jspx based AJAX application using Prototype on the client side.

This is our HTTP log during the error:

POST /myproduct/sessionalive.jspx;jsessionid=CA8352EB2A8EBE50158A55012519B6E7 HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Referer: http://localhost:8080/myproduct/sso.jspx#1328691736021_0
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: localhost:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=F43DA6D64879847DD2D2B840B23C9980
Authorization: Negotiate YHsGBisGAQUFAqBxMG+gMDAuBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHqI7BDlOVExNU1NQAAEAAACXsgjiBQAFADQAAAAMAAwAKAAAAAYBsR0AAAAPQ0hSSVNUSUFOLVBDQ0FOVE8=

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: de
Content-Length: 4577
Date: Wed, 08 Feb 2012 09:04:14 GMT
Connection: close

Seems to us that instead of the 500 we would expect a 401 as a response from Tomcat and that will start a new negotiation right away like it happens in the initial handshake (that works perfectly).

But after our Tomcat keepAliveTimeout for the connection is expired, we get a 500 on the next 0-content-length POST instead of a 401.

Feb 8, 2012 at 2:31 PM

It seems that we fixed the problem by adding the following into the AuthorizationHeader:


    public boolean isNtlmType1PostAuthorizationHeader() {
        if (! _request.getMethod().equals("POST") && ! _request.getMethod().equals("PUT"))
            return false;
       
        if (_request.getContentLength() != 0)
            return false;

        /** checks 0-content-length POST for the Type 2 authentication message **/
        if (_request.getContentLength() == 0 && _request.getMethod().equals("POST")){
            return true;
        }

        return isNtlmType1Message();
    }

 

Coordinator
Feb 10, 2012 at 12:06 PM

Is this something in your code where you're handling HTTP POSTs? Or did you make changes in Waffle?

Feb 15, 2012 at 12:23 PM

I changed the AuthorizationHeader class and replaced it in the Waffle-jna.jar.

Locally this solves the problem replying with a 401 and the second POST then contains the data. This works perfectly on your test environment.

On the Customer side though the waffle.servlet.NegotiateSecurityFilter is not called when the Connection is lost. This must be a problem in our Tomcat configuration (a valve or wrong security constraints).

We are still investigating the issue.

Coordinator
Feb 15, 2012 at 1:12 PM

So what you did is really treat all 0-length messages as NTLM re-authorization headers. A better code would be

    if (getSecurityPackage().equals("Negotiate"))
        return true;

But it's incorrect according to the RFC and a pretty dangerous change. First, clients aren't supposed to re-negotiate Negotiate tickets (this Negotiate is followed by one of those).

With this code you cannot do a POST with 0-length data, which is totally legal, because it will cause you to renegotiate auth every time. So your app that does that will be stuck in an infinite loop. If this was an NTLM Type 1 message, auth would succeed and then send you an NTLM message of a different type, allowing the 0-length POST through.

I'll clone this into a bug, maybe we need to examine those Kerberos tickets too for some special version that behaves like NTLM type 1 :(
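An added triage sketch, not part of the thread or of Waffle's code: it decodes the `Authorization: Negotiate` tokens quoted in the traces above and reports, for each body-less POST, whether the token is a raw NTLMSSP message or a SPNEGO NegTokenInit/NegTokenResp and which mechanism token it carries. The function names and the request tuples are assumptions made for this example; the token strings are copied from the posts above.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
NEGOEX = b"NEGOEXTS"
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spnego_mech_token(raw):
    """Return (wrapper, mech_token) for a SPNEGO token; mech_token may be None."""
    tag, start, _ = read_tlv(raw, 0)
    if tag == 0x60:                               # GSS-API InitialContextToken
        otag, ostart, oend = read_tlv(raw, start)
        if otag != 0x06 or raw[ostart:oend] != SPNEGO_OID:
            raise ValueError("not a SPNEGO token")
        tag, start, _ = read_tlv(raw, oend)       # [0] NegTokenInit
        if tag != 0xA0:
            raise ValueError("NegTokenInit expected")
        wrapper = "NegTokenInit"
    elif tag == 0xA1:                             # [1] NegTokenResp
        wrapper = "NegTokenResp"
    else:
        raise ValueError("neither NTLMSSP nor SPNEGO")
    tag, pos, end = read_tlv(raw, start)          # inner SEQUENCE
    if tag != 0x30:
        raise ValueError("SEQUENCE expected")
    while pos < end:
        tag, vstart, vend = read_tlv(raw, pos)
        if tag == 0xA2:                           # [2] mechToken / responseToken
            _, s, e = read_tlv(raw, vstart)       # OCTET STRING
            return wrapper, raw[s:e]
        pos = vend
    return wrapper, None

def classify(header_value):
    """Classify an Authorization / WWW-Authenticate value as (wrapper, inner)."""
    parts = header_value.split(None, 1)
    if len(parts) < 2:
        return ("none", "none")                   # bare "Negotiate" challenge
    raw = base64.b64decode(parts[1])
    if raw.startswith(NTLMSSP):
        wrapper, mech = "raw", raw
    else:
        wrapper, mech = spnego_mech_token(raw)
    if mech is None:
        return (wrapper, "no mechanism token")
    if mech.startswith(NTLMSSP) and len(mech) >= 12:
        return (wrapper, "NTLM type %d" % int.from_bytes(mech[8:12], "little"))
    if mech.startswith(NEGOEX):
        return (wrapper, "NEGOEX")
    return (wrapper, "other mechanism")

def zero_length_auth_posts(requests):
    """List (path, wrapper, inner) for body-less POST/PUT requests carrying a token."""
    return [(path,) + classify(auth)
            for method, path, length, auth in requests
            if method in ("POST", "PUT") and length == 0 and auth]

# Tokens copied from the traces in this thread.
RAW_TYPE1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
RESP_TYPE1 = "oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAAJeyCOIJAAkALwAAAAcABwAoAAAABgGxHQAAAA9SRy02NDEwSU5URVJORVdT"
NEGOEX_INIT = "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGXTxvv0qqDcefwxtUY2zR+pighfaWoIw1A+S3UhCmHvAMWjXKSGc3HKEINQ4ybSswAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo="
INIT_TYPE1 = "YHsGBisGAQUFAqBxMG+gMDAuBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHqI7BDlOVExNU1NQAAEAAACXsgjiBQAFADQAAAAMAAwAKAAAAAYBsR0AAAAPQ0hSSVNUSUFOLVBDQ0FOVE8="

# Request tuples (method, path, Content-Length, Authorization) built for this
# example from the requests shown in the posts; paths are shortened.
SAMPLE_REQUESTS = [
    ("POST", "/PSC_Admin/index.html", 0, "Negotiate " + RAW_TYPE1),
    ("POST", "/PSC_Admin/index.html", 0, "Negotiate " + RESP_TYPE1),
    ("POST", "/PSC_Admin/contracts/editContractor.action", 0, "Negotiate " + NEGOEX_INIT),
    ("POST", "/myproduct/sessionalive.jspx", 0, "Negotiate " + INIT_TYPE1),
    ("POST", "/PSC_Admin/contracts/searchForContractors.action", 115, None),
]

if __name__ == "__main__":
    for row in zero_length_auth_posts(SAMPLE_REQUESTS):
        print("%-45s %-13s %s" % row)
```

On these inputs only the first request is a raw NTLM type 1 message; the `editContractor.action` POST carries a NegTokenInit whose mechanism token is NEGOEX, and the `sessionalive.jspx` POST carries an NTLM type 1 message wrapped in a NegTokenInit.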

Coordinator
Feb 15, 2012 at 1:13 PM
This discussion has been copied to a work item.