Posted to issues@jmeter.apache.org by bu...@apache.org on 2020/06/18 15:40:40 UTC

[Bug 64534] New: Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

            Bug ID: 64534
           Summary: Java implementation is using my Windows credentials
                    instead of Authorization Manager for NTLM.
           Product: JMeter
           Version: 5.3
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTTP
          Assignee: issues@jmeter.apache.org
          Reporter: belen.vignolo@abstracta.com.uy
  Target Milestone: JMETER_5.3.1

Created attachment 37316
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37316&action=edit
Example using java implementation and authorization manager

When using the Java implementation of the HttpSampler in a request against a server
that uses NTLM authentication, it automatically tries to log in using my
Windows credentials. This happens even if I add an HTTP Authorization Manager
with different credentials. According to the documentation, it should be using
the credentials defined in Authorization Manager.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

--- Comment #6 from Belén <be...@abstracta.com.uy> ---
(In reply to Felix Schumacher from comment #5)
> Ok, so as I see it, there are a few problems pointed out by this report:
> 
>  a) The Java client for HTTP Sampler uses - under Windows - the NTLM
> Credentials of the user that runs JMeter if NTLM authentication is requested
> by the tested server
>  b) The HttpClient implementation allows to answer NTLM requests when BASIC
> mechanism is selected
>  c) The documentation refers to mechanism and it is unclear how it relates
> to authentication
> 
> For a) I tend to leave it that way, as I believe the old Java client is used
> not that much and it probably behaves badly under Windows, only
> 
> For b) should probably be mentioned in the docs, as changing it might break
> existing test plans
> 
> For c) enhancements in form of patches or text fragments to docs are always
> welcome :)

I agree with a) and c). 
About b) I would like to add that NTLM with HttpClient4 works also with
BASIC_DIGEST and DIGEST mechanism (I'm not sure if these are intended as there
is no NTLM mechanism to select and it is not specified which mechanism should be
used).
Also BASIC and BASIC_DIGEST have a different behavior than DIGEST. The former
send the NTLM credentials in every request, while the latter sends the
credentials only in the first request.


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

Philippe Mouawad <p....@ubik-ingenierie.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |p.mouawad@ubik-ingenierie.c
                   |                            |om
   Target Milestone|JMETER_5.3.1                |---


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

--- Comment #4 from Belén <be...@abstracta.com.uy> ---
(In reply to Felix Schumacher from comment #3)

> You have stated in the title and in the description, that you are using NTLM.
Yes, I am using NTLM authentication, but the method selected in the HTTP
Authorization Manager is BASIC. This works with the HttpClient so, as BASIC
method is also supposed to work with Java, I assumed NTLM authentication (using
this method) should also work.

> Is there any reason, why you are not using the HttpClient?
No, I am just researching authentication methods with JMeter.

> The wording mechanism and authentication might be misleading in the
> documentation.
I agree that the documentation is misleading and should be fixed.


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

Belén <be...@abstracta.com.uy> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |UNCONFIRMED
     Ever confirmed|1                           |0

--- Comment #2 from Belén <be...@abstracta.com.uy> ---
(In reply to Felix Schumacher from comment #1)
> The documentation at
> https://jmeter.apache.org/usermanual/component_reference.html#HTTP_Authorization_Manager
> states, that the Java HTTP client supports BASIC authentication, only.

The documentation states that Java HTTP client supports BASIC mechanism only,
not BASIC authentication only. I am using BASIC mechanism so this should work
with Java implementation.


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

--- Comment #7 from Michael Osipov <mi...@apache.org> ---
HttpURLConnection uses a native component to access SSPI for NTLM. The only
thing you could do is to ask the security-dev team to add a system property to
disable this at start time.


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #5 from Felix Schumacher <fe...@internetallee.de> ---
Ok, so as I see it, there are a few problems pointed out by this report:

 a) The Java client for HTTP Sampler uses - under Windows - the NTLM
Credentials of the user that runs JMeter if NTLM authentication is requested by
the tested server
 b) The HttpClient implementation allows to answer NTLM requests when BASIC
mechanism is selected
 c) The documentation refers to mechanism and it is unclear how it relates to
authentication

For a) I tend to leave it that way, as I believe the old Java client is used
not that much and it probably behaves badly under Windows, only

For b) should probably be mentioned in the docs, as changing it might break
existing test plans

For c) enhancements in form of patches or text fragments to docs are always
welcome :)


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 OS|                            |All
         Resolution|---                         |INVALID

--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
The documentation at
https://jmeter.apache.org/usermanual/component_reference.html#HTTP_Authorization_Manager
states, that the Java HTTP client supports BASIC authentication, only.

If you want to use NTLM, you should switch to HttpClient.


[Bug 64534] Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64534

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEEDINFO

--- Comment #3 from Felix Schumacher <fe...@internetallee.de> ---
(In reply to Belén from comment #2)
> (In reply to Felix Schumacher from comment #1)
> > The documentation at
> > https://jmeter.apache.org/usermanual/component_reference.html#HTTP_Authorization_Manager
> > states, that the Java HTTP client supports BASIC authentication, only.
> 
> The documentation states that Java HTTP client supports BASIC mechanism
> only, not BASIC authentication only. I am using BASIC mechanism so this
> should work with Java implementation.

You have stated in the title and in the description, that you are using NTLM.

The wording mechanism and authentication might be misleading in the
documentation. If you want to enhance the documentation, patches are always
welcome.

If you think, that the authentication dialog, that a browser shows (when no
NTLM credential is found), is a BASIC authentication, then be aware, that the
browser converts your credentials to NTLM creds and sends those to the server.
That mechanism is not available in JMeter with the Java client.

Please have a look at the WWW-Authenticate header
(https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) in
the first 401 response. If only NTLM or Negotiation is mentioned, then the Java
client can't be used.

Is there any reason, why you are not using the HttpClient?

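The check suggested in comment #3, written out as an added example that is not part of the thread or of JMeter's code: it extracts the scheme names from the `WWW-Authenticate` values of a first 401 response and reports whether only NTLM or Negotiate is offered. The class name, method names and sample header values are constructed for illustration; `Negotiate` is the scheme token as it appears on the wire.

```java
import java.util.*;
public class AuthChallengeCheck {
    // Splits one header value on commas that are not inside a quoted string.
    static List<String> splitOutsideQuotes(String s) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (inQuotes && c == '\\' && i + 1 < s.length()) {
                cur.append(c).append(s.charAt(++i));   // keep escaped char, e.g. \"
            } else if (c == ',' && !inQuotes) {
                parts.add(cur.toString());
                cur.setLength(0);
            } else {
                if (c == '"') inQuotes = !inQuotes;
                cur.append(c);
            }
        }
        parts.add(cur.toString());
        return parts;
    }

    // Returns the upper-cased scheme names found in the WWW-Authenticate values.
    static Set<String> offeredSchemes(List<String> headerValues) {
        Set<String> schemes = new LinkedHashSet<>();
        for (String value : headerValues) {
            for (String part : splitOutsideQuotes(value)) {
                String e = part.trim();
                // "name=value" continues the previous challenge; anything else starts a new one.
                if (e.isEmpty() || e.matches("(?s)[^\\s=]+\\s*=.*")) continue;
                schemes.add(e.split("\\s+", 2)[0].toUpperCase(Locale.ROOT));
            }
        }
        return schemes;
    }

    // Comment #3's rule: the Java client cannot be used if nothing else is offered.
    static boolean onlyNtlmOrNegotiate(Set<String> schemes) {
        return !schemes.isEmpty() && Arrays.asList("NTLM", "NEGOTIATE").containsAll(schemes);
    }
    public static void main(String[] args) {
        // Constructed sample header values, not captured from a real server.
        List<String> a = Arrays.asList("Negotiate", "NTLM");
        List<String> b = Arrays.asList("Negotiate, NTLM, Basic realm=\"example, inc\"");
        System.out.println(offeredSchemes(a) + " only NTLM/Negotiate: " + onlyNtlmOrNegotiate(offeredSchemes(a)));
        System.out.println(offeredSchemes(b) + " only NTLM/Negotiate: " + onlyNtlmOrNegotiate(offeredSchemes(b)));
    }
}
```

The second sample shows why the split has to respect quotes: the comma inside the Basic realm must not be read as the start of another challenge.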