WIP: Fix for #59.

Source/JNA/waffle-jna/src/main/java/waffle/servlet/spi/NegotiateSecurityFilterProvider.java

@@ -155,6 +155,9 @@ public IWindowsIdentity doFilter(final HttpServletRequest request, final HttpSer
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
  response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ final String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return null;
  }

Source/JNA/waffle-tests/src/main/java/waffle/mock/http/SimpleHttpResponse.java

@@ -236,4 +236,9 @@ public String getOutputText() {
  }
  return null;
  }
+
+ @Override
+ public void setContentLength(int len) {
+ setHeader("Content-Length", Integer.toString(len));
+ }
 }

Source/JNA/waffle-tests/src/test/java/waffle/servlet/NegotiateSecurityFilterTests.java

@@ -136,7 +136,7 @@ public void testChallengePOST() throws IOException, ServletException {
  this.filter.doFilter(request, response, null);
  Assert.assertTrue(response.getHeader("WWW-Authenticate").startsWith(securityPackage + " "));
  Assert.assertEquals("keep-alive", response.getHeader("Connection"));
- Assert.assertEquals(2, response.getHeaderNamesSize());
+ Assert.assertEquals(3, response.getHeaderNamesSize());
  Assert.assertEquals(401, response.getStatus());
  } finally {
  if (clientContext != null) {
@@ -194,10 +194,26 @@ public void testNegotiate() throws IOException, ServletException {
  break;
  }
 
+ Assert.assertEquals(401, response.getStatus());
+
+ // security package requested is one negotiate continues with
  Assert.assertTrue(response.getHeader("WWW-Authenticate").startsWith(securityPackage + " "));
+
+ // keep-alive, NTLM is a connection-oriented protocol
  Assert.assertEquals("keep-alive", response.getHeader("Connection"));
- Assert.assertEquals(2, response.getHeaderNamesSize());
- Assert.assertEquals(401, response.getStatus());
+
+ // Connection: keep-alive
+ // WWW-Authenticate: ...
+ // Content-Length: ...
+ Assert.assertEquals(3, response.getHeaderNamesSize());
+
+ // response has a body and a content length (.NET clients require this)
+ int contentLength = Integer.parseInt(response.getHeader("Content-Length"));
+ Assert.assertTrue(contentLength > 0);
+ String content = response.getOutputText();
+ Assert.assertEquals(contentLength, content.length());
+
+ // continue token
  final String continueToken = response.getHeader("WWW-Authenticate")
  .substring(securityPackage.length() + 1);
  final byte[] continueTokenBytes = Base64.getDecoder().decode(continueToken);
@@ -273,7 +289,7 @@ public void testChallengeNTLMPOST() throws IOException, ServletException {
  final String[] wwwAuthenticates = response.getHeaderValues("WWW-Authenticate");
  Assert.assertEquals(1, wwwAuthenticates.length);
  Assert.assertTrue(wwwAuthenticates[0].startsWith("NTLM "));
- Assert.assertEquals(2, response.getHeaderNamesSize());
+ Assert.assertEquals(3, response.getHeaderNamesSize());
  Assert.assertEquals("keep-alive", response.getHeader("Connection"));
  Assert.assertEquals(401, response.getStatus());
  }
@@ -302,7 +318,7 @@ public void testChallengeNTLMPUT() throws IOException, ServletException {
  final String[] wwwAuthenticates = response.getHeaderValues("WWW-Authenticate");
  Assert.assertEquals(1, wwwAuthenticates.length);
  Assert.assertTrue(wwwAuthenticates[0].startsWith("NTLM "));
- Assert.assertEquals(2, response.getHeaderNamesSize());
+ Assert.assertEquals(3, response.getHeaderNamesSize());
  Assert.assertEquals("keep-alive", response.getHeader("Connection"));
  Assert.assertEquals(401, response.getStatus());
  }

Source/JNA/waffle-tomcat7/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -176,7 +176,10 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat7/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -129,7 +129,10 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ final String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat8/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -177,7 +177,10 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat8/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -127,7 +127,10 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ final String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat85/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -177,7 +177,10 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat85/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -127,7 +127,10 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ final String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat9/src/main/java/waffle/apache/MixedAuthenticator.java

@@ -1,7 +1,7 @@
 /**
  * Waffle (https://github.com/Waffle/waffle)
  *
- * Copyright (c) 2010-2016 Application Security, Inc.
+ * Copyright (c) 2010-2017 Application Security, Inc.
  *
  * All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse
  * Public License v1.0 which accompanies this distribution, and is available at
@@ -177,7 +177,10 @@ private boolean negotiate(final Request request, final HttpServletResponse respo
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }

Source/JNA/waffle-tomcat9/src/main/java/waffle/apache/NegotiateAuthenticator.java

@@ -1,7 +1,7 @@
 /**
  * Waffle (https://github.com/Waffle/waffle)
  *
- * Copyright (c) 2010-2016 Application Security, Inc.
+ * Copyright (c) 2010-2017 Application Security, Inc.
  *
  * All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse
  * Public License v1.0 which accompanies this distribution, and is available at
@@ -107,7 +107,6 @@ public boolean authenticate(final Request request, final HttpServletResponse res
 
  // log the user in using the token
  IWindowsSecurityContext securityContext;
-
  try {
  securityContext = this.auth.acceptSecurityToken(connectionId, tokenBuffer, securityPackage);
  } catch (final Win32Exception e) {
@@ -128,7 +127,10 @@ public boolean authenticate(final Request request, final HttpServletResponse res
  try {
  if (securityContext.isContinue() || ntlmPost) {
  response.setHeader("Connection", "keep-alive");
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ final String body = "Unauthorized";
+ response.getWriter().write(body);
+ response.setContentLength(body.length());
  response.flushBuffer();
  return false;
  }