You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hc.apache.org by anon permutation <an...@hotmail.com> on 2003/12/04 06:16:46 UTC

Make HttpClient pick Basic Auth over NTLM?

Hi,

I am using a proxy server that supports both NTLM and Basic Authentications. 
  How do I make HttpClient use Basic Auth. instead of NTLM?  I am using 
2.0-rc2.  Following is my code:

--------------------------------------------------------------------------------------------------------------------
HttpClient client = new HttpClient();
HttpMethod method = null;

client.getState().setProxyCredentials(null, new 
UsernamePasswordCredentials("user","passwd"));

HostConfiguration hc = client.getHostConfiguration();
hc.setProxy("10.0.0.2", 80);

method = new GetMethod(url);
client.executeMethod(method);
byte[] responseBody = method.getResponseBody();
-----------------------------------------------------------------------------------------------------------------

I am getting this error:
Credentials cannot be used for NTLM authentication


Thanks.

_________________________________________________________________
Browse styles for all ages, from the latest looks to cozy weekend wear at 
MSN Shopping.  And check out the beauty products! http://shopping.msn.com


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

Re: Make HttpClient pick Basic Auth over NTLM?

Posted by Ortwin Glück <or...@nose.ch>.


Roland Weber wrote:

> Hello Eric,
> 
> it's a question of interpretation, isn't it? If we provide an option to 
> prefer
> Basic auth over NTLM, we violate the RFC. If we provide an option to
> *disable* NTLM in certain cases, HttpClient would no longer understand
> it, and has to select Basic following the rules of the RFC :-)
> 
> cheers,
>   Roland

Good point. Also when doing preemptive authentication HttpClient should 
not pick a scheme that it has no credentials for maybe.


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

Re: Make HttpClient pick Basic Auth over NTLM?

Posted by Roland Weber <RO...@de.ibm.com>.

Hello Eric,

it's a question of interpretation, isn't it? If we provide an option to 
prefer
Basic auth over NTLM, we violate the RFC. If we provide an option to
*disable* NTLM in certain cases, HttpClient would no longer understand
it, and has to select Basic following the rules of the RFC :-)

cheers,
  Roland





Eric Johnson <er...@tibco.com>
04.12.2003 15:31
Please respond to "Commons HttpClient Project"
 
        To:     Commons HttpClient Project 
<co...@jakarta.apache.org>
        cc: 
        Subject:        Re: Make HttpClient pick Basic Auth over NTLM?


I'm not sure that HttpClient should do anything different.

According to section 4.6 of RFC 2617, "A user agent MUST choose to use 
the strongest auth- scheme it understands and request credentials from 
the user based upon that challenge."

Since Basic is pretty darn weak, I'd say NTLM wins out every time.  Is 
this a point on which HttpClient should have an option to override the 
RFC mandated behavior?  As somewhat of a fanatic about security, my take 
is that you should be forced to do the right thing, and if you really 
want to, the source is there for you to modify.

-Eric.

anon permutation wrote:

>
> Hi,
>
> I am using a proxy server that supports both NTLM and Basic 
> Authentications.  How do I make HttpClient use Basic Auth. instead of 
> NTLM?  I am using 2.0-rc2.  Following is my code:
>
> 
-------------------------------------------------------------------------------------------------------------------- 

>
> HttpClient client = new HttpClient();
> HttpMethod method = null;
>
> client.getState().setProxyCredentials(null, new 
> UsernamePasswordCredentials("user","passwd"));
>
> HostConfiguration hc = client.getHostConfiguration();
> hc.setProxy("10.0.0.2", 80);
>
> method = new GetMethod(url);
> client.executeMethod(method);
> byte[] responseBody = method.getResponseBody();
> 
----------------------------------------------------------------------------------------------------------------- 

>
>
> I am getting this error:
> Credentials cannot be used for NTLM authentication
>
>
> Thanks.
>
> _________________________________________________________________
> Browse styles for all ages, from the latest looks to cozy weekend wear 
> at MSN Shopping.  And check out the beauty products! 
> http://shopping.msn.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: 
> commons-httpclient-dev-help@jakarta.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: 
commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: 
commons-httpclient-dev-help@jakarta.apache.org

Re: Make HttpClient pick Basic Auth over NTLM?

Posted by Eric Johnson <er...@tibco.com>.

I'm not sure that HttpClient should do anything different.

According to section 4.6 of RFC 2617, "A user agent MUST choose to use 
the strongest auth- scheme it understands and request credentials from 
the user based upon that challenge."

Since Basic is pretty darn weak, I'd say NTLM wins out every time.  Is 
this a point on which HttpClient should have an option to override the 
RFC mandated behavior?  As somewhat of a fanatic about security, my take 
is that you should be forced to do the right thing, and if you really 
want to, the source is there for you to modify.

-Eric.

anon permutation wrote:

>
> Hi,
>
> I am using a proxy server that supports both NTLM and Basic 
> Authentications.  How do I make HttpClient use Basic Auth. instead of 
> NTLM?  I am using 2.0-rc2.  Following is my code:
>
> -------------------------------------------------------------------------------------------------------------------- 
>
> HttpClient client = new HttpClient();
> HttpMethod method = null;
>
> client.getState().setProxyCredentials(null, new 
> UsernamePasswordCredentials("user","passwd"));
>
> HostConfiguration hc = client.getHostConfiguration();
> hc.setProxy("10.0.0.2", 80);
>
> method = new GetMethod(url);
> client.executeMethod(method);
> byte[] responseBody = method.getResponseBody();
> ----------------------------------------------------------------------------------------------------------------- 
>
>
> I am getting this error:
> Credentials cannot be used for NTLM authentication
>
>
> Thanks.
>
> _________________________________________________________________
> Browse styles for all ages, from the latest looks to cozy weekend wear 
> at MSN Shopping.  And check out the beauty products! 
> http://shopping.msn.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: 
> commons-httpclient-dev-help@jakarta.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

Re: Make HttpClient pick Basic Auth over NTLM?

Posted by Roland Weber <RO...@de.ibm.com>.

Hello,

try client.getState().setAuthenticationPreemptive(true);

I'm not sure whether HTTP Client evaluates this flag for
proxy and target server, or just for the target server. In
the first case, it should have the desired effect.

My guess is that when HTTP Client has the choice
between Basic and NTLM Auth, it picks NTLM. By
enabling preemptive authentication, it has to choose
Basic because that's the only thing for which there
are credentials.

regards,
  Roland






"anon permutation" <an...@hotmail.com>
04.12.2003 06:16
Please respond to "Commons HttpClient Project"
 
        To:     commons-httpclient-dev@jakarta.apache.org
        cc: 
        Subject:        Make HttpClient pick Basic Auth over NTLM?



Hi,

I am using a proxy server that supports both NTLM and Basic 
Authentications. 
  How do I make HttpClient use Basic Auth. instead of NTLM?  I am using 
2.0-rc2.  Following is my code:

--------------------------------------------------------------------------------------------------------------------
HttpClient client = new HttpClient();
HttpMethod method = null;

client.getState().setProxyCredentials(null, new 
UsernamePasswordCredentials("user","passwd"));

HostConfiguration hc = client.getHostConfiguration();
hc.setProxy("10.0.0.2", 80);

method = new GetMethod(url);
client.executeMethod(method);
byte[] responseBody = method.getResponseBody();
-----------------------------------------------------------------------------------------------------------------

I am getting this error:
Credentials cannot be used for NTLM authentication


Thanks.

_________________________________________________________________
Browse styles for all ages, from the latest looks to cozy weekend wear at 
MSN Shopping.  And check out the beauty products! http://shopping.msn.com


---------------------------------------------------------------------
To unsubscribe, e-mail: 
commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: 
commons-httpclient-dev-help@jakarta.apache.org