You are viewing a plain text version of this content. The canonical link for it is here.
Posted to httpclient-users@hc.apache.org by Brett Ryan <br...@gmail.com> on 2014/02/11 04:20:04 UTC
Using basic auth produces warnings about NTLM and NEGOTIATE errors.
If a server supports NTLM and Kerberos authentication, but when setting up the client I only provide basic credentials I get a log for each of the NTLM and NEGOTIATE authentication schemes.
Taking the example from : https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientAuthentication.java
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
new AuthScope(null, -1),
new UsernamePasswordCredentials(restUser, restPass));
CloseableHttpClient client = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.build();
Use of the above client will produce the following warnings, though requests succeed fine through basic authentication:
WARN o.a.http.impl.auth.HttpAuthenticator - NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
WARN o.a.http.impl.auth.HttpAuthenticator - NTLM authentication error: Credentials cannot be used for NTLM authentication: org.apache.http.auth.UsernamePasswordCredentials
So I figured after searching through the builder method that I'd supply an auth provider with only basic support:
Lookup<AuthSchemeProvider> authProviders = RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.BASIC, new BasicSchemeFactory())
.build();
CloseableHttpClient client = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.setDefaultAuthSchemeRegistry(authProviders)
.build();
But now I get a different warning about the scheme's no longer being enabled.
WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme negotiate not supported
WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme NTLM not supported
How do I simply get rid of these warnings and only get the client to use the basic scheme that I've configured?
Re: Using basic auth produces warnings about NTLM and NEGOTIATE errors.
Posted by Brett Ryan <br...@gmail.com>.
Any other way to prevent it? I've also tried setting
the proxyPreferredAuthSchemes property with no change.
On 12 February 2014 02:44, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Wed, 2014-02-12 at 02:21 +1100, Brett Ryan wrote:
> > Thanks Oleg, I've added this to the client, yet I am still getting the
> same
> > warnings.
> >
> > Lookup<AuthSchemeProvider> authProviders =
> > RegistryBuilder.<AuthSchemeProvider>create()
> > .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> > .build();
> > RequestConfig rc = RequestConfig.custom()
> > .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> > .build();
> > BasicCredentialsProvider credsProvider = new
> BasicCredentialsProvider();
> > credsProvider.setCredentials(AuthScope.ANY, null);
> > client = HttpClients.custom()
> > .setDefaultCredentialsProvider(credsProvider)
> > .setDefaultAuthSchemeRegistry(authProviders)
> > .setDefaultRequestConfig(rc)
> >
> > .setTargetAuthenticationStrategy(TargetAuthenticationStrategy.INSTANCE)
> > .build();
> >
>
> Can happen if the proxy auth strategy tries to pick up an auth scheme
> from the list of preferred schemes still containing NTLM and SPNEGO.
>
> Oleg
>
> >
> >
> > On 12 February 2014 00:58, Oleg Kalnichevski <ol...@apache.org> wrote:
> >
> > > On Tue, 2014-02-11 at 14:20 +1100, Brett Ryan wrote:
> > > > If a server supports NTLM and Kerberos authentication, but when
> setting
> > > up the client I only provide basic credentials I get a log for each of
> the
> > > NTLM and NEGOTIATE authentication schemes.
> > > >
> > > > Taking the example from :
> > >
> https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientAuthentication.java
> > > >
> > > > CredentialsProvider credsProvider = new
> BasicCredentialsProvider();
> > > > credsProvider.setCredentials(
> > > > new AuthScope(null, -1),
> > > > new UsernamePasswordCredentials(restUser, restPass));
> > > > CloseableHttpClient client = HttpClients.custom()
> > > > .setDefaultCredentialsProvider(credsProvider)
> > > > .build();
> > > >
> > > > Use of the above client will produce the following warnings, though
> > > requests succeed fine through basic authentication:
> > > >
> > > > WARN o.a.http.impl.auth.HttpAuthenticator - NEGOTIATE
> > > authentication error: Invalid name provided (Mechanism level:
> KrbException:
> > > Cannot locate default realm)
> > > > WARN o.a.http.impl.auth.HttpAuthenticator - NTLM authentication
> > > error: Credentials cannot be used for NTLM authentication:
> > > org.apache.http.auth.UsernamePasswordCredentials
> > > >
> > > > So I figured after searching through the builder method that I'd
> supply
> > > an auth provider with only basic support:
> > > >
> > > > Lookup<AuthSchemeProvider> authProviders =
> > > RegistryBuilder.<AuthSchemeProvider>create()
> > > > .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> > > > .build();
> > > > CloseableHttpClient client = HttpClients.custom()
> > > > .setDefaultCredentialsProvider(credsProvider)
> > > > .setDefaultAuthSchemeRegistry(authProviders)
> > > > .build();
> > > >
> > > > But now I get a different warning about the scheme's no longer being
> > > enabled.
> > > >
> > > > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication
> scheme
> > > negotiate not supported
> > > > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication
> scheme
> > > NTLM not supported
> > > >
> > > > How do I simply get rid of these warnings and only get the client to
> use
> > > the basic scheme that I've configured?
> > >
> > > ---
> > > RequestConfig config = RequestConfig.custom()
> > > .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> > > .build();
> > > HttpGet get = new HttpGet("/");
> > > get.setConfig(config);
> > > ---
> > >
> > > Hope this helps
> > >
> > > Oleg
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
Re: Using basic auth produces warnings about NTLM and NEGOTIATE
errors.
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2014-02-12 at 02:21 +1100, Brett Ryan wrote:
> Thanks Oleg, I've added this to the client, yet I am still getting the same
> warnings.
>
> Lookup<AuthSchemeProvider> authProviders =
> RegistryBuilder.<AuthSchemeProvider>create()
> .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> .build();
> RequestConfig rc = RequestConfig.custom()
> .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> .build();
> BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();
> credsProvider.setCredentials(AuthScope.ANY, null);
> client = HttpClients.custom()
> .setDefaultCredentialsProvider(credsProvider)
> .setDefaultAuthSchemeRegistry(authProviders)
> .setDefaultRequestConfig(rc)
>
> .setTargetAuthenticationStrategy(TargetAuthenticationStrategy.INSTANCE)
> .build();
>
Can happen if the proxy auth strategy tries to pick up an auth scheme
from the list of preferred schemes still containing NTLM and SPNEGO.
Oleg
>
>
> On 12 February 2014 00:58, Oleg Kalnichevski <ol...@apache.org> wrote:
>
> > On Tue, 2014-02-11 at 14:20 +1100, Brett Ryan wrote:
> > > If a server supports NTLM and Kerberos authentication, but when setting
> > up the client I only provide basic credentials I get a log for each of the
> > NTLM and NEGOTIATE authentication schemes.
> > >
> > > Taking the example from :
> > https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientAuthentication.java
> > >
> > > CredentialsProvider credsProvider = new BasicCredentialsProvider();
> > > credsProvider.setCredentials(
> > > new AuthScope(null, -1),
> > > new UsernamePasswordCredentials(restUser, restPass));
> > > CloseableHttpClient client = HttpClients.custom()
> > > .setDefaultCredentialsProvider(credsProvider)
> > > .build();
> > >
> > > Use of the above client will produce the following warnings, though
> > requests succeed fine through basic authentication:
> > >
> > > WARN o.a.http.impl.auth.HttpAuthenticator - NEGOTIATE
> > authentication error: Invalid name provided (Mechanism level: KrbException:
> > Cannot locate default realm)
> > > WARN o.a.http.impl.auth.HttpAuthenticator - NTLM authentication
> > error: Credentials cannot be used for NTLM authentication:
> > org.apache.http.auth.UsernamePasswordCredentials
> > >
> > > So I figured after searching through the builder method that I'd supply
> > an auth provider with only basic support:
> > >
> > > Lookup<AuthSchemeProvider> authProviders =
> > RegistryBuilder.<AuthSchemeProvider>create()
> > > .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> > > .build();
> > > CloseableHttpClient client = HttpClients.custom()
> > > .setDefaultCredentialsProvider(credsProvider)
> > > .setDefaultAuthSchemeRegistry(authProviders)
> > > .build();
> > >
> > > But now I get a different warning about the scheme's no longer being
> > enabled.
> > >
> > > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme
> > negotiate not supported
> > > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme
> > NTLM not supported
> > >
> > > How do I simply get rid of these warnings and only get the client to use
> > the basic scheme that I've configured?
> >
> > ---
> > RequestConfig config = RequestConfig.custom()
> > .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> > .build();
> > HttpGet get = new HttpGet("/");
> > get.setConfig(config);
> > ---
> >
> > Hope this helps
> >
> > Oleg
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Using basic auth produces warnings about NTLM and NEGOTIATE errors.
Posted by Brett Ryan <br...@gmail.com>.
Thanks Oleg, I've added this to the client, yet I am still getting the same
warnings.
Lookup<AuthSchemeProvider> authProviders =
RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.BASIC, new BasicSchemeFactory())
.build();
RequestConfig rc = RequestConfig.custom()
.setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
.build();
BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, null);
client = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.setDefaultAuthSchemeRegistry(authProviders)
.setDefaultRequestConfig(rc)
.setTargetAuthenticationStrategy(TargetAuthenticationStrategy.INSTANCE)
.build();
On 12 February 2014 00:58, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Tue, 2014-02-11 at 14:20 +1100, Brett Ryan wrote:
> > If a server supports NTLM and Kerberos authentication, but when setting
> up the client I only provide basic credentials I get a log for each of the
> NTLM and NEGOTIATE authentication schemes.
> >
> > Taking the example from :
> https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientAuthentication.java
> >
> > CredentialsProvider credsProvider = new BasicCredentialsProvider();
> > credsProvider.setCredentials(
> > new AuthScope(null, -1),
> > new UsernamePasswordCredentials(restUser, restPass));
> > CloseableHttpClient client = HttpClients.custom()
> > .setDefaultCredentialsProvider(credsProvider)
> > .build();
> >
> > Use of the above client will produce the following warnings, though
> requests succeed fine through basic authentication:
> >
> > WARN o.a.http.impl.auth.HttpAuthenticator - NEGOTIATE
> authentication error: Invalid name provided (Mechanism level: KrbException:
> Cannot locate default realm)
> > WARN o.a.http.impl.auth.HttpAuthenticator - NTLM authentication
> error: Credentials cannot be used for NTLM authentication:
> org.apache.http.auth.UsernamePasswordCredentials
> >
> > So I figured after searching through the builder method that I'd supply
> an auth provider with only basic support:
> >
> > Lookup<AuthSchemeProvider> authProviders =
> RegistryBuilder.<AuthSchemeProvider>create()
> > .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> > .build();
> > CloseableHttpClient client = HttpClients.custom()
> > .setDefaultCredentialsProvider(credsProvider)
> > .setDefaultAuthSchemeRegistry(authProviders)
> > .build();
> >
> > But now I get a different warning about the scheme's no longer being
> enabled.
> >
> > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme
> negotiate not supported
> > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme
> NTLM not supported
> >
> > How do I simply get rid of these warnings and only get the client to use
> the basic scheme that I've configured?
>
> ---
> RequestConfig config = RequestConfig.custom()
> .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> .build();
> HttpGet get = new HttpGet("/");
> get.setConfig(config);
> ---
>
> Hope this helps
>
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
Re: Using basic auth produces warnings about NTLM and NEGOTIATE errors.
Posted by Gary Gregory <ga...@gmail.com>.
On Tue, Feb 11, 2014 at 9:58 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Tue, 2014-02-11 at 09:18 -0500, Gary Gregory wrote:
> > On Tue, Feb 11, 2014 at 8:58 AM, Oleg Kalnichevski <ol...@apache.org>
> wrote:
>
> ...
>
> > > ---
> > > RequestConfig config = RequestConfig.custom()
> > > .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> > >
> >
> > Wouldn't an enum be more helpful here?
> >
> > Otherwise, I have to do more digging to find other strings are allowed.
> >
> > Gary
> >
>
> Authentication schemes are pluggable. We cannot limit auth scheme names
> to a fixed set but be could have an overloaded method that accepts enum
> values representing standard schemes. I am not sure it is worth the
> trouble but it is doable.
>
Enums would make the API easier to learn IMO. The String escape hatch can
still be there for custom code.
Gary
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
--
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Re: Using basic auth produces warnings about NTLM and NEGOTIATE
errors.
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2014-02-11 at 09:18 -0500, Gary Gregory wrote:
> On Tue, Feb 11, 2014 at 8:58 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
...
> > ---
> > RequestConfig config = RequestConfig.custom()
> > .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
> >
>
> Wouldn't an enum be more helpful here?
>
> Otherwise, I have to do more digging to find other strings are allowed.
>
> Gary
>
Authentication schemes are pluggable. We cannot limit auth scheme names
to a fixed set but be could have an overloaded method that accepts enum
values representing standard schemes. I am not sure it is worth the
trouble but it is doable.
Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Using basic auth produces warnings about NTLM and NEGOTIATE errors.
Posted by Gary Gregory <ga...@gmail.com>.
On Tue, Feb 11, 2014 at 8:58 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Tue, 2014-02-11 at 14:20 +1100, Brett Ryan wrote:
> > If a server supports NTLM and Kerberos authentication, but when setting
> up the client I only provide basic credentials I get a log for each of the
> NTLM and NEGOTIATE authentication schemes.
> >
> > Taking the example from :
> https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientAuthentication.java
> >
> > CredentialsProvider credsProvider = new BasicCredentialsProvider();
> > credsProvider.setCredentials(
> > new AuthScope(null, -1),
> > new UsernamePasswordCredentials(restUser, restPass));
> > CloseableHttpClient client = HttpClients.custom()
> > .setDefaultCredentialsProvider(credsProvider)
> > .build();
> >
> > Use of the above client will produce the following warnings, though
> requests succeed fine through basic authentication:
> >
> > WARN o.a.http.impl.auth.HttpAuthenticator - NEGOTIATE
> authentication error: Invalid name provided (Mechanism level: KrbException:
> Cannot locate default realm)
> > WARN o.a.http.impl.auth.HttpAuthenticator - NTLM authentication
> error: Credentials cannot be used for NTLM authentication:
> org.apache.http.auth.UsernamePasswordCredentials
> >
> > So I figured after searching through the builder method that I'd supply
> an auth provider with only basic support:
> >
> > Lookup<AuthSchemeProvider> authProviders =
> RegistryBuilder.<AuthSchemeProvider>create()
> > .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> > .build();
> > CloseableHttpClient client = HttpClients.custom()
> > .setDefaultCredentialsProvider(credsProvider)
> > .setDefaultAuthSchemeRegistry(authProviders)
> > .build();
> >
> > But now I get a different warning about the scheme's no longer being
> enabled.
> >
> > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme
> negotiate not supported
> > WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme
> NTLM not supported
> >
> > How do I simply get rid of these warnings and only get the client to use
> the basic scheme that I've configured?
>
> ---
> RequestConfig config = RequestConfig.custom()
> .setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
>
Wouldn't an enum be more helpful here?
Otherwise, I have to do more digging to find other strings are allowed.
Gary
> .build();
> HttpGet get = new HttpGet("/");
> get.setConfig(config);
> ---
>
> Hope this helps
>
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
--
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Re: Using basic auth produces warnings about NTLM and NEGOTIATE
errors.
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2014-02-11 at 14:20 +1100, Brett Ryan wrote:
> If a server supports NTLM and Kerberos authentication, but when setting up the client I only provide basic credentials I get a log for each of the NTLM and NEGOTIATE authentication schemes.
>
> Taking the example from : https://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientAuthentication.java
>
> CredentialsProvider credsProvider = new BasicCredentialsProvider();
> credsProvider.setCredentials(
> new AuthScope(null, -1),
> new UsernamePasswordCredentials(restUser, restPass));
> CloseableHttpClient client = HttpClients.custom()
> .setDefaultCredentialsProvider(credsProvider)
> .build();
>
> Use of the above client will produce the following warnings, though requests succeed fine through basic authentication:
>
> WARN o.a.http.impl.auth.HttpAuthenticator - NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
> WARN o.a.http.impl.auth.HttpAuthenticator - NTLM authentication error: Credentials cannot be used for NTLM authentication: org.apache.http.auth.UsernamePasswordCredentials
>
> So I figured after searching through the builder method that I'd supply an auth provider with only basic support:
>
> Lookup<AuthSchemeProvider> authProviders = RegistryBuilder.<AuthSchemeProvider>create()
> .register(AuthSchemes.BASIC, new BasicSchemeFactory())
> .build();
> CloseableHttpClient client = HttpClients.custom()
> .setDefaultCredentialsProvider(credsProvider)
> .setDefaultAuthSchemeRegistry(authProviders)
> .build();
>
> But now I get a different warning about the scheme's no longer being enabled.
>
> WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme negotiate not supported
> WARN o.a.h.i.c.TargetAuthenticationStrategy - Authentication scheme NTLM not supported
>
> How do I simply get rid of these warnings and only get the client to use the basic scheme that I've configured?
---
RequestConfig config = RequestConfig.custom()
.setTargetPreferredAuthSchemes(Arrays.asList("BASIC"))
.build();
HttpGet get = new HttpGet("/");
get.setConfig(config);
---
Hope this helps
Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org