Hi!
We're experiencing the following problem. Neon continues to send the
last used SSPI token even if the client is already authenticated. This can
cause the server to permanently restart the authentication handshake.
Here is the transaction log:
1. Client -> Server: OPTIONS /svn/AnyCalc HTTP/1.1
   Server -> Client: HTTP/1.1 401 Authorization Required
2. Client -> Server: OPTIONS /svn/AnyCalc HTTP/1.1
                     Authorization: NTLM T1
   Server -> Client: HTTP/1.1 401 Authorization Required
                     Authorization: NTLM T2
3. Client -> Server: OPTIONS /svn/AnyCalc HTTP/1.1
                     Authorization: NTLM T3
   Server -> Client: HTTP/1.1 200 OK
### The client is successfully authenticated starting from this point.
4. Client -> Server: PROPFIND /svn/AnyCalc HTTP/1.1
                     Authorization: NTLM T3
### Oops! The client has accidentally sent the last used NTLM T3 token. This should
### cause server to refuse the request and restart authentication handshake.
Please note that neon provides smarter behavior for the GSSAPI
implementation. The cached gssapi_token is cleared every time in the
ah_post_send() handler.
We propose the attached patch to clear sspi_token pretty much as in
the GSSAPI. Here is the proposed log message:
[[[
Clear sspi_token buffer after each request.
* src/ne_auth.c (request_sspi): Return NULL if sspi_token is not present.
* src/ne_auth.c (ah_post_send): Clear the buffered sspi_token.
]]]
Thanks in advance!
--
With best regards,
Danil Shopyrin
VisualSVN Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clear-sspi-token.patch
Type: text/x-patch
Size: 971 bytes
Desc: not available
Url : http://lists.manyfish.co.uk/pipermail/neon/attachments/20091121/a7ed8428/attachment.bin
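
The failure and the proposed fix described in this message, modelled as an added example; it is not neon's code and not the attached patch. The struct and function names are hypothetical, T1..T3 are the token labels from the transaction log, and the server's refuse-and-restart reaction is assumed to behave as the message describes.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for the two sides; not neon's code. */
struct client { char token[8]; int clear_after_send; };
struct server { int state; int restarts; }; /* 0 none, 1 challenged, 2 authenticated */

/* Pre-send hook: offer an Authorization value only when a token is buffered. */
static const char *client_request(const struct client *c) {
    return c->token[0] ? c->token : NULL;
}

/* Post-send hook: optionally drop the token just sent, then buffer the next
 * one only when the server answered 401 (bare 401 -> T1, challenge T2 -> T3). */
static void client_post_send(struct client *c, int status, const char *challenge) {
    if (c->clear_after_send) c->token[0] = '\0';
    if (status == 401) strcpy(c->token, challenge ? "T3" : "T1");
}

/* Server as the message describes it: a token arriving on an already
 * authenticated connection is refused and the handshake restarts. */
static int server_handle(struct server *s, const char *auth, const char **challenge) {
    *challenge = NULL;
    if (s->state == 2) {
        if (!auth) return 200;
        s->state = 0; s->restarts++;
        return 401;
    }
    if (auth && s->state == 0 && !strcmp(auth, "T1")) { s->state = 1; *challenge = "T2"; return 401; }
    if (auth && s->state == 1 && !strcmp(auth, "T3")) { s->state = 2; return 200; }
    s->state = 0;
    return 401;
}

/* Send nrequests logical requests, retrying each until 200; return forced restarts. */
static int count_restarts(int clear_after_send, int nrequests) {
    struct client c = { "", clear_after_send };
    struct server s = { 0, 0 };
    for (int i = 0; i < nrequests; i++)
        for (int attempt = 0; attempt < 4; attempt++) {
            const char *challenge;
            int status = server_handle(&s, client_request(&c), &challenge);
            client_post_send(&c, status, challenge);
            if (status == 200) break;
        }
    return s.restarts;
}
int main(void) {
    printf("kept: %d restarts, cleared: %d restarts\n", count_restarts(0, 3), count_restarts(1, 3));
    return 0;
}
```

With the token kept, every request after the first forces a fresh three-step handshake; with it cleared after each send, the authenticated connection is reused.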