You are viewing a plain text version of this content. The canonical link for it is here.

Posted to httpclient-users@hc.apache.org by Justin <cr...@yahoo.com> on 2013/09/24 19:55:09 UTC

Help with httpclient and SSPI

Hi all,



I'm using Tomcat 7 and Waffle on a Windows server for NTLMv2 SSO Negotiation. Specifying "<role-name>BUILTIN\Administrators</role-name>" allows me to restrict access to individual webapps to only local system administrators, as desired.

https://github.com/dblock/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md


This works great for my web browsers which have built-in support. Now I'm trying to write a Java client application. The documentation I've come across either involves using credentials (not desired) or leveraging SSPI and manually exchanging the 3 messages between server and client.

http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html
http://code.dblock.org/pure-java-waffle

http://larryboymi.blogspot.com/2012/03/in-my-last-post-i-had-successfully-used.html


Are there any better references or examples out there for using SSPI with httpclient? I'd like to avoid Kerberos because it requires: 1) Windows registry change, 2) SPN, 3) login.conf, 4) krb5.ini, 5) user session key, and sometimes 6) keytab. Will httpclient improve support for SSPI or any other means to achieve SSO from Java client applications? Are there other non-commercial solutions (i.e. not Jespa)?



Thanks,
Justin


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

Re: Help with httpclient and SSPI

Posted by Justin <cr...@yahoo.com>.




________________________________
 From: Oleg Kalnichevski <ol...@apache.org>
To: Justin <cr...@yahoo.com> 
Cc: "httpclient-users@hc.apache.org" <ht...@hc.apache.org> 
Sent: Wednesday, September 25, 2013 2:54 AM
Subject: Re: Help with httpclient and SSPI
 

On Tue, 2013-09-24 at 10:55 -0700, Justin wrote:
> Hi all,
> 
> 
> 
> I'm using Tomcat 7 and Waffle on a Windows server for NTLMv2 SSO Negotiation. Specifying "<role-name>BUILTIN\Administrators</role-name>" allows me to restrict access to individual webapps to only local system administrators, as desired.
> 
> https://github.com/dblock/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md
> 
> 
> This works great for my web browsers which have built-in support. Now I'm trying to write a Java client application. The documentation I've come across either involves using credentials (not desired) or leveraging SSPI and manually exchanging the 3 messages between server and client.
> 
> http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html
> http://code.dblock.org/pure-java-waffle
> 
> http://larryboymi.blogspot.com/2012/03/in-my-last-post-i-had-successfully-used.html
> 
> 
> Are there any better references or examples out there for using SSPI with httpclient? I'd like to avoid Kerberos because it requires: 1) Windows registry change, 2) SPN, 3) login.conf, 4) krb5.ini, 5) user session key, and sometimes 6) keytab. Will httpclient improve support for SSPI or any other means to achieve SSO from Java client applications? Are there other non-commercial solutions (i.e. not Jespa)?
> 
> 
> 
> Thanks,
> Justin
> 

Justin

I am not sure there is anyone on this list who could help you with
that. 

What you could do though is to try out experimental integrated Windows
authentication, which I believe is based on Waffle. It is still an early
prototype but might be a good starting point for you.

http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient-win/

Oleg



Hi Oleg,

That's what I'm looking for, thanks! Glad to see it is covered.

BTW, I did write a working Java client based off that blog post. Hopefully I will be able to use httpclient in the near future.

Justin

Re: Help with httpclient and SSPI

Posted by Oleg Kalnichevski <ol...@apache.org>.

On Tue, 2013-09-24 at 10:55 -0700, Justin wrote:
> Hi all,
> 
> 
> 
> I'm using Tomcat 7 and Waffle on a Windows server for NTLMv2 SSO Negotiation. Specifying "<role-name>BUILTIN\Administrators</role-name>" allows me to restrict access to individual webapps to only local system administrators, as desired.
> 
> https://github.com/dblock/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md
> 
> 
> This works great for my web browsers which have built-in support. Now I'm trying to write a Java client application. The documentation I've come across either involves using credentials (not desired) or leveraging SSPI and manually exchanging the 3 messages between server and client.
> 
> http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html
> http://code.dblock.org/pure-java-waffle
> 
> http://larryboymi.blogspot.com/2012/03/in-my-last-post-i-had-successfully-used.html
> 
> 
> Are there any better references or examples out there for using SSPI with httpclient? I'd like to avoid Kerberos because it requires: 1) Windows registry change, 2) SPN, 3) login.conf, 4) krb5.ini, 5) user session key, and sometimes 6) keytab. Will httpclient improve support for SSPI or any other means to achieve SSO from Java client applications? Are there other non-commercial solutions (i.e. not Jespa)?
> 
> 
> 
> Thanks,
> Justin
> 

Justin

I am not sure there is anyone on this list who could help you with
that. 

What you could do though is to try out experimental integrated Windows
authentication, which I believe is based on Waffle. It is still an early
prototype but might be a good starting point for you.

http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient-win/

Oleg



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org