OPEN - issue SEC-865: Re-Challenge NTLM Clients after Authentication Failure

http://jira.springframework.org/browse/SEC-865. Changed NTLM filter to re-challenge if retryOnAuthFailure is set and the Smb logon call fails. Updated JCIFS version in pom.

ntlm/pom.xml

@@ -19,7 +19,7 @@
         <dependency>
             <groupId>org.samba.jcifs</groupId>
             <artifactId>jcifs</artifactId>
-		    <version>1.2.15</version>
+            <version>1.2.19</version>
         </dependency>
         <dependency>
             <groupId>javax.servlet</groupId>

ntlm/src/main/java/org/springframework/security/ui/ntlm/NtlmProcessingFilter.java

@@ -289,8 +289,9 @@ public class NtlmProcessingFilter extends SpringSecurityFilter implements Initia
 
     /**
      * Sets a flag denoting whether NTLM should retry whenever authentication
-	 * fails.  Retry will only occur on an {@link AuthenticationCredentialsNotFoundException}
-	 * or {@link InsufficientAuthenticationException}.
+     * fails.  Retry will occur if the credentials are rejected by the domain controller or if an
+     * an {@link AuthenticationCredentialsNotFoundException}
+     * or {@link InsufficientAuthenticationException} is thrown.
      *
      * @param retryOnFailure the retry on failure flag value to set.
      */
@@ -412,9 +413,15 @@ public class NtlmProcessingFilter extends SpringSecurityFilter implements Initia
             }
         } catch(SmbAuthException e) {
             logger.error("Credentials " + auth + " were not accepted by the domain controller " + dcAddress);
+
+            if (retryOnAuthFailure) {
+                logger.debug("Restarting NTLM authentication handshake");
+                session.setAttribute(STATE_ATTR, BEGIN);
+                throw new NtlmBeginHandshakeException();
+            }
+
             throw new BadCredentialsException("Bad NTLM credentials");
         } finally {
-			if (loadBalance)
             session.removeAttribute(CHALLENGE_ATTR);
         }
     }