Alternative solution to fix #59 and possibly #167

Source/JNA/waffle-jna/src/main/java/waffle/servlet/spi/NegotiateSecurityFilterProvider.java

@@ -150,10 +150,7 @@ public IWindowsIdentity doFilter(final HttpServletRequest request, final HttpSer
  Boolean.valueOf(securityContext.isContinue()));
  if (securityContext.isContinue()) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- final String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return null;
  }

Source/JNA/waffle-shiro/src/main/java/waffle/shiro/negotiate/NegotiateAuthenticationFilter.java

@@ -158,7 +158,17 @@ protected boolean onLoginFailure(final AuthenticationToken token, final Authenti
  // negotiate is processing
  final String protocol = this.getAuthzHeaderProtocol(request);
  NegotiateAuthenticationFilter.LOGGER.debug("Negotiation in progress for protocol: {}", protocol);
- this.sendChallengeDuringNegotiate(protocol, response, ((NegotiateToken) token).getOut());
+ try {
+ this.sendChallengeDuringNegotiate(protocol, response, ((NegotiateToken) token).getOut());
+ } catch (IOException e1) {
+ NegotiateAuthenticationFilter.LOGGER.warn("login exception: {}", e1.getMessage());
+
+ // do not send token.out bytes, this was a login failure.
+ this.sendChallengeOnFailure(response);
+
+ this.setFailureAttribute(request, e);
+ return true;
+ }
  return false;
  }
  NegotiateAuthenticationFilter.LOGGER.warn("login exception: {}", e.getMessage());
@@ -297,20 +307,25 @@ boolean isLoginAttempt(final String authzHeader) {
  * outgoing ServletResponse
  * @param out
  * token.out or null
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
  */
- private void sendChallenge(final List<String> protocols, final ServletResponse response, final byte[] out) {
+ private void sendChallenge(final List<String> protocols, final ServletResponse response, final byte[] out)
+ throws IOException {
  final HttpServletResponse httpResponse = WebUtils.toHttp(response);
  this.sendAuthenticateHeader(protocols, out, httpResponse);
- httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  }
 
  /**
  * Send challenge initiate negotiate.
  *
  * @param response
  * the response
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
  */
- void sendChallengeInitiateNegotiate(final ServletResponse response) {
+ void sendChallengeInitiateNegotiate(final ServletResponse response) throws IOException {
  this.sendChallenge(NegotiateAuthenticationFilter.PROTOCOLS, response, null);
  }
 
@@ -323,8 +338,11 @@ void sendChallengeInitiateNegotiate(final ServletResponse response) {
  * the response
  * @param out
  * the out
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
  */
- void sendChallengeDuringNegotiate(final String protocol, final ServletResponse response, final byte[] out) {
+ void sendChallengeDuringNegotiate(final String protocol, final ServletResponse response, final byte[] out)
+ throws IOException {
  final List<String> protocolsList = new ArrayList<>();
  protocolsList.add(protocol);
  this.sendChallenge(protocolsList, response, out);

Source/JNA/waffle-shiro/src/test/java/waffle/shiro/negotiate/MockServletResponse.java

@@ -77,9 +77,4 @@ public void setHeader(final String name, final String value) {
  this.headers.put(name, value);
  }
 
- @Override
- public void setStatus(final int status) {
- this.sc = status;
- }
-
 }

Source/JNA/waffle-shiro/src/test/java/waffle/shiro/negotiate/NegotiateAuthenticationFilterTest.java

@@ -23,6 +23,7 @@
  */
 package waffle.shiro.negotiate;
 
+import java.io.IOException;
 import java.util.Base64;
 import java.util.HashMap;
 
@@ -73,6 +74,9 @@ void testIsLoginAttempt() {
 
  /**
  * Test send challenge during negotiate.
+ *
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
  */
  @Test
  void testSendChallengeDuringNegotiate() {
@@ -89,14 +93,16 @@ void testSendChallengeDuringNegotiate() {
 
  Assertions.assertEquals("keep-alive", this.response.headers.get("Connection"));
 
- Assertions.assertEquals(HttpServletResponse.SC_UNAUTHORIZED, this.response.sc);
- Assertions.assertEquals(0, this.response.errorCode);
+ Assertions.assertEquals(HttpServletResponse.SC_UNAUTHORIZED, this.response.errorCode);
 
  Assertions.assertFalse(this.response.isFlushed);
  }
 
  /**
  * Test send challenge initiate negotiate.
+ *
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
  */
  @Test
  void testSendChallengeInitiateNegotiate() {
@@ -111,8 +117,7 @@ void testSendChallengeInitiateNegotiate() {
 
  Assertions.assertEquals("keep-alive", this.response.headers.get("Connection"));
 
- Assertions.assertEquals(HttpServletResponse.SC_UNAUTHORIZED, this.response.sc);
- Assertions.assertEquals(0, this.response.errorCode);
+ Assertions.assertEquals(HttpServletResponse.SC_UNAUTHORIZED, this.response.errorCode);
 
  Assertions.assertFalse(this.response.isFlushed);
  }
@@ -130,7 +135,6 @@ void testSendChallengeOnFailure() {
 
  Assertions.assertEquals("close", this.response.headers.get("Connection"));
 
- Assertions.assertEquals(0, this.response.sc);
  Assertions.assertEquals(HttpServletResponse.SC_UNAUTHORIZED, this.response.errorCode);
 
  Assertions.assertTrue(this.response.isFlushed);

Source/JNA/waffle-spring-security4/src/main/java/waffle/spring/NegotiateSecurityFilterEntryPoint.java

@@ -66,7 +66,7 @@ public void commence(final HttpServletRequest request, final HttpServletResponse
  throw new ServletException("Missing NegotiateEntryPoint.Provider");
  }
 
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.setHeader("Connection", "keep-alive");
  this.provider.sendUnauthorized(response);
  response.flushBuffer();

Source/JNA/waffle-spring-security5/src/main/java/waffle/spring/NegotiateSecurityFilterEntryPoint.java

@@ -66,7 +66,7 @@ public void commence(final HttpServletRequest request, final HttpServletResponse
  throw new ServletException("Missing NegotiateEntryPoint.Provider");
  }
 
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.setHeader("Connection", "keep-alive");
  this.provider.sendUnauthorized(response);
  response.flushBuffer();

Source/JNA/waffle-tests/src/main/java/waffle/mock/http/SimpleHttpResponse.java

@@ -123,11 +123,6 @@ public void setHeader(final String headerName, final String headerValue) {
  this.headers.put(headerName, current);
  }
 
- @Override
- public void setStatus(final int value) {
- this.status = value;
- }
-
  /**
  * Gets the status string.
  *
@@ -219,9 +214,4 @@ public String getOutputText() {
  return null;
  }
 
- @Override
- public void setContentLength(int len) {
- setHeader("Content-Length", Integer.toString(len));
- }
-
 }

Source/JNA/waffle-tests/src/test/java/waffle/servlet/NegotiateSecurityFilterTests.java

@@ -149,7 +149,7 @@ void testChallengePOST() throws IOException, ServletException {
  this.filter.doFilter(request, response, null);
  Assertions.assertTrue(response.getHeader("WWW-Authenticate").startsWith(securityPackage + " "));
  Assertions.assertEquals("keep-alive", response.getHeader("Connection"));
- Assertions.assertEquals(3, response.getHeaderNamesSize());
+ Assertions.assertEquals(2, response.getHeaderNamesSize());
  Assertions.assertEquals(401, response.getStatus());
  } finally {
  if (clientContext != null) {
@@ -207,26 +207,10 @@ void testNegotiate() throws IOException, ServletException {
  break;
  }
 
- Assertions.assertEquals(401, response.getStatus());
-
- // security package requested is one negotiate continues with
  Assertions.assertTrue(response.getHeader("WWW-Authenticate").startsWith(securityPackage + " "));
-
- // keep-alive, NTLM is a connection-oriented protocol
  Assertions.assertEquals("keep-alive", response.getHeader("Connection"));
-
- // Connection: keep-alive
- // WWW-Authenticate: ...
- // Content-Length: ...
- Assertions.assertEquals(3, response.getHeaderNamesSize());
-
- // response has a body and a content length (.NET clients require this)
- int contentLength = Integer.parseInt(response.getHeader("Content-Length"));
- Assertions.assertTrue(contentLength > 0);
- String content = response.getOutputText();
- Assertions.assertEquals(contentLength, content.length());
-
- // continue token
+ Assertions.assertEquals(2, response.getHeaderNamesSize());
+ Assertions.assertEquals(401, response.getStatus());
  final String continueToken = response.getHeader("WWW-Authenticate")
  .substring(securityPackage.length() + 1);
  final byte[] continueTokenBytes = Base64.getDecoder().decode(continueToken);
@@ -303,7 +287,7 @@ void testChallengeNTLMPOST() throws IOException, ServletException {
  final String[] wwwAuthenticates = response.getHeaderValues("WWW-Authenticate");
  Assertions.assertEquals(1, wwwAuthenticates.length);
  Assertions.assertTrue(wwwAuthenticates[0].startsWith("NTLM "));
- Assertions.assertEquals(3, response.getHeaderNamesSize());
+ Assertions.assertEquals(2, response.getHeaderNamesSize());
  Assertions.assertEquals("keep-alive", response.getHeader("Connection"));
  Assertions.assertEquals(401, response.getStatus());
  }
@@ -332,7 +316,7 @@ void testChallengeNTLMPUT() throws IOException, ServletException {
  final String[] wwwAuthenticates = response.getHeaderValues("WWW-Authenticate");
  Assertions.assertEquals(1, wwwAuthenticates.length);
  Assertions.assertTrue(wwwAuthenticates[0].startsWith("NTLM "));
- Assertions.assertEquals(3, response.getHeaderNamesSize());
+ Assertions.assertEquals(2, response.getHeaderNamesSize());
  Assertions.assertEquals("keep-alive", response.getHeader("Connection"));
  Assertions.assertEquals(401, response.getStatus());
  }

Source/JNA/waffle-tomcat10/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -179,10 +179,7 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat10/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -127,10 +127,7 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue()) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- final String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat10/src/test/java/waffle/apache/catalina/SimpleHttpResponse.java

@@ -128,8 +128,4 @@ public void setHeader(final String headerName, final String headerValue) {
  this.headers.put(headerName, current);
  }
 
- @Override
- public void setStatus(final int value) {
- this.status = value;
- }
 }

Source/JNA/waffle-tomcat7/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -178,10 +178,7 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat7/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -129,10 +129,7 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue()) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- final String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat7/src/test/java/waffle/apache/catalina/SimpleHttpResponse.java

@@ -128,9 +128,4 @@ public void setHeader(final String headerName, final String headerValue) {
  this.headers.put(headerName, current);
  }
 
- @Override
- public void setStatus(final int value) {
- this.status = value;
- }
-
 }

Source/JNA/waffle-tomcat85/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -179,10 +179,7 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat85/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -127,10 +127,7 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue()) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- final String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat85/src/test/java/waffle/apache/catalina/SimpleHttpResponse.java

@@ -128,9 +128,4 @@ public void setHeader(final String headerName, final String headerValue) {
  this.headers.put(headerName, current);
  }
 
- @Override
- public void setStatus(final int value) {
- this.status = value;
- }
-
 }

Source/JNA/waffle-tomcat9/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -179,10 +179,7 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat9/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -127,10 +127,7 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue()) {
  response.setHeader("Connection", "keep-alive");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- final String body = "Unauthorized";
- response.getWriter().write(body);
- response.setContentLength(body.length());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat9/src/test/java/waffle/apache/catalina/SimpleHttpResponse.java

@@ -128,8 +128,4 @@ public void setHeader(final String headerName, final String headerValue) {
  this.headers.put(headerName, current);
  }
 
- @Override
- public void setStatus(final int value) {
- this.status = value;
- }
 }