Bug 6641

Summary: Download of MS Office docs from protected areas fail with IE
Product: Tomcat 4 Reporter: Martin Hengesbach <martin>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: major CC: danrodney, vicentesalvador
Priority: P3    
Version: 4.0.2 Final   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Martin Hengesbach 2002-02-22 10:49:45 UTC 
Hi,

when I try to download files with MS Word (for example: 
https://test.iwka.de/protectedarea/test.doc) from a protected area with a MS IE 
5.5 I get the error "the internet page could not be opened. File not found or 
not reachable". When I try to download it from a non protected area it works. 

I have a special hardware constellation:
I have an application server with tomcat 4.0.2 with the standard HTTP 1.1 
connector. And there is another box wich does hardware SSL encryption.
Because of the SSL encryption I have defined the HTTP Connector like that:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="80" minProcessors="1" maxProcessors="200" redirectPort="443"
scheme="https" acceptCount="20" debug="0" secure="true" proxyPort="443" />

So, now to the courius things:
- With tomcat 4.0.1 it WORKS!
- When I try it without the SSL encryption it works
- With an other browser (mozilla...) it works

I have looked in the lock files, watched the network traffic with a network 
monitor and so on. I see no differences but something happend with tomcat 4.0.2 
so that it didn't work any more. Any ideas?

Martin
Comment 1 Remy Maucherat 2002-02-27 05:05:07 UTC 
Unfortunately, I can't reproduce this bug. So while I'd like to fix it, I can't
do anything without you debugging what in the request / response something might
be different which would cause IE to fail.
Comment 2 Vicente Salvador 2002-02-27 09:41:41 UTC 
I can confirm this bug on W2000- JDK 1.4, So OS should be all
Comment 3 Vincent Royer 2002-02-27 10:03:31 UTC 
I can't download pdf,doc,xls ... file with IE through an HTTPS+BasicAuth 
connexion. 
IE----SSL+Basic Auth------>Apache+mod_jk------------ajp13-------->tomcat4.0.2

I got an error as described in http://support.microsoft.com/default.aspx?
scid=kb;EN-US;q196505. 

This is due to HTTP cache control headers returned by tomcat. When a page is 
downloaded with an authentication, the HTTP server set cache control headers 
(Pragma, Cache-Control, Expires) to avoid proxies to cache the page.In such 
case, this gives something like that :

HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Length: 111219
Date: Tue, 26 Feb 2002 16:20:32 GMT
Pragma: No-cache
Server: Apache Tomcat/4.0.2 (HTTP/1.1 Connector)
Cache-Control: no-cache
Last-Modified: Tue, 26 Feb 2002 16:13:27 GMT
ETag: "111219-1014740007000"
Expires: Thu, 01 Jan 1970 00:00:00 GMT

When the page is downloaded through an HTTPS connexions, those cache control 
headers are not more needed because the document is encrypted ! Through the 
mod_jk connector (even with JkExtractSSL directive), tomcat always set cache 
control headers when Authentication is done. 

I have done some tests with Apache. Cache control headers are not set when 
using SSL and Authentication and I have no problem with IE to 
download .pdf, .doc etc ...
So, there might be something to correct in the Ajp13 connector...

Bye,
Comment 4 Vicente Salvador 2002-02-27 10:56:27 UTC 
Not only an AJP13 connector issue. I've tested this with a "non encrypted"
connection retrieving a Word document from a protected area and it Fails!!!
Comment 5 Vicente Salvador 2002-02-27 11:21:53 UTC 
Hi remy, here are the steps to reproduce the problem:

1. Create a sample Word document and put it on
examples/jsp/security/protected/sample.doc
2. Start catalina and get this document:
http://localhost/jsp/security/protected/sample.doc
3. Authenticate as tomcat
4. The Open-Save dialog appears. Select open and the document opens on word OK.
5. Change URL to http://localhost/jsp/security/protected/sample.xxx
   The error page appears
6. Put again the correct URL:
   http://localhost/jsp/security/protected/sample.doc

Sometimes the IE thows and error and others opens the Form login as Word
document. This is because catalina tries to re-authenticate the document. Here
is the log file that demonstrates this:

127.0.0.1 - - [27/Feb/2002:12:16:28 1000] "GET
/jsp/security/protected/sample.doc HTTP/1.1" 404 675
127.0.0.1 - - [27/Feb/2002:12:16:35 1000] "GET
/examples/jsp/security/protected/sample.doc HTTP/1.1" 302 654
127.0.0.1 - - [27/Feb/2002:12:16:35 1000] "GET
/examples/jsp/security/protected/login.jsp HTTP/1.1" 200 611
127.0.0.1 - - [27/Feb/2002:12:16:40 1000] "POST
/examples/jsp/security/protected/j_security_check HTTP/1.1" 302 654
127.0.0.1 - tomcat [27/Feb/2002:12:16:40 1000] "GET
/examples/jsp/security/protected/sample.doc HTTP/1.1" 200 19456
127.0.0.1 - - [27/Feb/2002:12:16:43 1000] "OPTIONS
/examples/jsp/security/protected HTTP/1.1" 200 -
127.0.0.1 - - [27/Feb/2002:12:16:43 1000] "GET /_vti_inf.html HTTP/1.1" 404 615
127.0.0.1 - - [27/Feb/2002:12:16:43 1000] "POST /_vti_bin/shtml.exe/_vti_rpc
HTTP/1.1" 404 657
127.0.0.1 - - [27/Feb/2002:12:16:43 1000] "OPTIONS
/examples/jsp/security/protected/sample.doc HTTP/1.1" 200 -
127.0.0.1 - tomcat [27/Feb/2002:12:16:51 1000] "GET
/examples/jsp/security/protected/login.jsp HTTP/1.1" 200 611
127.0.0.1 - - [27/Feb/2002:12:16:51 1000] "GET
/jsp/security/protected/sample.doc HTTP/1.1" 404 675
127.0.0.1 - - [27/Feb/2002:12:16:58 1000] "GET
/jsp/security/protected/sample.doc HTTP/1.1" 404 675
127.0.0.1 - tomcat [27/Feb/2002:12:17:03 1000] "GET
/examples/jsp/security/protected/sample.doc HTTP/1.1" 200 19456
127.0.0.1 - - [27/Feb/2002:12:17:05 1000] "OPTIONS
/examples/jsp/security/protected HTTP/1.1" 200 -
127.0.0.1 - - [27/Feb/2002:12:17:05 1000] "GET /_vti_inf.html HTTP/1.1" 404 615
127.0.0.1 - - [27/Feb/2002:12:17:05 1000] "POST /_vti_bin/shtml.exe/_vti_rpc
HTTP/1.1" 404 657
127.0.0.1 - - [27/Feb/2002:12:17:05 1000] "OPTIONS
/examples/jsp/security/protected/sample.doc HTTP/1.1" 200 -
127.0.0.1 - - [27/Feb/2002:12:17:05 1000] "GET
/examples/jsp/security/protected/sample.doc HTTP/1.1" 302 654
127.0.0.1 - - [27/Feb/2002:12:17:05 1000] "GET
/examples/jsp/security/protected/login.jsp HTTP/1.1" 200 611
127.0.0.1 - tomcat [27/Feb/2002:12:17:37 1000] "GET
/examples/jsp/security/protected/tomcat.gif HTTP/1.1" 200 1934
127.0.0.1 - tomcat [27/Feb/2002:12:20:37 1000] "GET
/examples/jsp/security/protected/tomcat.xxx HTTP/1.1" 404 675
127.0.0.1 - tomcat [27/Feb/2002:12:24:50 1000] "GET
/examples/jsp/security/protected/sample.doc HTTP/1.1" 200 19456
127.0.0.1 - - [27/Feb/2002:12:24:52 1000] "OPTIONS
/examples/jsp/security/protected HTTP/1.1" 200 -
127.0.0.1 - - [27/Feb/2002:12:24:52 1000] "GET /_vti_inf.html HTTP/1.1" 404 615
127.0.0.1 - - [27/Feb/2002:12:24:52 1000] "POST /_vti_bin/shtml.exe/_vti_rpc
HTTP/1.1" 404 657
127.0.0.1 - - [27/Feb/2002:12:24:52 1000] "OPTIONS
/examples/jsp/security/protected/sample.doc HTTP/1.1" 200 -
127.0.0.1 - - [27/Feb/2002:12:24:52 1000] "GET
/examples/jsp/security/protected/sample.doc HTTP/1.1" 302 654
127.0.0.1 - - [27/Feb/2002:12:24:52 1000] "GET
/examples/jsp/security/protected/login.jsp HTTP/1.1" 200 611
Comment 6 Remy Maucherat 2002-02-27 17:06:49 UTC 
Fine. I'll remove the cache control headers if the connection is secure.
Now if somebody could explain to me how this isn't a IE bug, I would be happy (I
don't see the problem with setting the cache control headers, even if it's not
useful ...).
Comment 7 Remy Maucherat 2002-02-27 17:43:45 UTC 
Fixed in both branches.
Comment 8 Vicente Salvador 2002-02-27 18:50:46 UTC 
Hi again remy,

As you can see in my previous post with test case. This bug is not only for
secure (https) connections also occurs with standard http connections. I'seen
the cvs post  you've made to solve this bug and I'm not sure this will solve the
problem.

The problem is with authenticate contexts not with secure connections!!!. Please
try my sample and verify that it trully works.
Comment 9 Remy Maucherat 2002-02-27 19:02:10 UTC 
Well, it's an IE bug in that case, and it won't be fixed.
Since IE reissues the request, I don't understand why it's not handling it well
the second time.
I assume upgrading to a newer IE version would fix the problem.
Comment 10 Vicente Salvador 2002-02-27 19:28:39 UTC 
But 4.0.1 works fine with IE 5.5 ;-)

and look at the log, it seems like the authenticated context is lost second time
we get the file!!!

I think we should spend a little more time trying to catch this issue, because
IE is very extended browser on the market.
Comment 11 Martin Hengesbach 2002-02-27 19:31:01 UTC 
I have tested it with IE 5.0, IE 5.5 SP2 and IE 6.0 The error was in every 
version. So, it might be an IE error but I can't imagine that MS will correct 
it in the next time... AND, in tomcat 4.0.1 there wasn't the error. So the 
problem originate from the update from tomcat 4.0.1 to 4.0.2.
Comment 12 Remy Maucherat 2002-02-27 19:42:03 UTC 
TC 4.0.1 allowed protected resources to be cached, which is a security problem
(any proxy between the client and the server would cache the resource, and could
serve the resource to another client). TC 4.0.2 doesn't allow protected
resources to be cached.

As for the "it seems like the authenticated context is lost second time we get
the file!!!": if you correctly resubmit the authentication credentials, it will
work. Besides, I don't see anything bad in the logs, except some MS FP junk (GET
/_vti_inf.html HTTP/1.1).

If you have a problem, the workaround is easy: download the file to your HD, and
open it from there, instead of relying on the HTTP redirector IE provides
through its fancy OLE 2 embedding.

Lastly, "So, it might be an IE error but I can't imagine that MS will correct it
in the next time..." is NEVER A GOOD ARGUMENT, esp if it deals with security. If
you're not happy with that policy, you should use another vendor.
Comment 13 Dan Rodney 2002-05-09 19:40:03 UTC 
*** Bug 8923 has been marked as a duplicate of this bug. ***