Client & NTLM Authentication

[Matthew Beermann <ma...@nanonation.net>]

I'm trying to figure out how to use NTLM authentication with the Slide client. It seemed straightforward enough at first: use retrieveSessionInstance() to get at the underlying HttpClient, then tell it to use NTLM credentials.

But I've run into a chicken-and-egg problem: you must supply WebdavResource with some sort of URI in order to construct it, and for me that URI will fail (throw a 401 exception) until the correct credentials have been supplied. But, there's no way to get to the underlying HttpClient and set the credentials until after the object has been successfully constructed! How do I get around this?

--Matthew Beermann

Re: Client & NTLM Authentication

[James Mason <ma...@apache.org>]

If you make a class that extends WebdavResource you'll have access to 
the protected constructor that takes an HttpClient. I'm not sure why 
that isn't public, so maybe that's a change that could be made.

-James

Matthew Beermann wrote:

> I'm trying to figure out how to use NTLM authentication with the Slide client. It seemed straightforward enough at first: use retrieveSessionInstance() to get at the underlying HttpClient, then tell it to use NTLM credentials.
> 
> But I've run into a chicken-and-egg problem: you must supply WebdavResource with some sort of URI in order to construct it, and for me that URI will fail (throw a 401 exception) until the correct credentials have been supplied. But, there's no way to get to the underlying HttpClient and set the credentials until after the object has been successfully constructed! How do I get around this?
> 
> --Matthew Beermann

---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org

Re: Client & NTLM Authentication

[Matthew Beermann <ma...@nanonation.net>]

Well, it kinda works. I've noticed at least two problems:

1. In WebdavSession, there's code that says:
if (hostCredentials != null) {

HttpState clientState = client.getState();

clientState.setCredentials(null, httpURL.getHost(),

hostCredentials);

clientState.setAuthenticationPreemptive(true);

}

If I understand the discussion at 
http://jakarta.apache.org/commons/httpclient/authentication.html, this is 
very wrong. Just because I've supplied credentials does NOT necessarily mean 
I want to authenticate preemptively, particularly since that only sends the 
Basic: scheme preemptively. For NTLM, I don't want to bother with Basic at 
all. Furthermore, it makes it impossible to turn it off, since you aren't 
respecting the system settings in HttpState:

wdr.retrieveSessionInstance().getState().setAuthenticationPreemptive(false);
System.out.println(wdr.retrieveSessionInstance().getState().isAuthenticationPreemptive());
==> "true"

2. I've had to avoid using WebdavResource.putMethod(), because it does not 
expose PutMethod.setUseExpectHeader(). From the documentation:
Activates 'Expect: 100-Continue' handshake. The purpose of the 'Expect: 
100-Continue' handshake to allow a client that is sending a request message 
with a request body to determine if the origin server is willing to accept 
the request (based on the request headers) before the client sends the 
request body.

The use of the 'Expect: 100-continue' handshake can result in noticable 
peformance improvement for entity enclosing requests (such as POST and PUT) 
that require the target server's authentication.

'Expect: 100-continue' handshake should be used with caution, as it may 
cause problems with HTTP servers and proxies that do not support HTTP/1.1 
protocol.

...but beyond the performance win, when using with IIS on Microsoft Server 
 >= 2000 the expect-continue handshake is AFAICT mandatory. Otherwise, the 
server throws a 500 error. It would be really, really nice if this option 
were either exposed or simply turned on by default for 
WebdavResource.putMethod; with appropriate support sniffing, of course.

--Matthew Beermann

----- Original Message ----- 
From: "Ingo Brunberg" <ib...@fiz-chemie.de>
To: <sl...@jakarta.apache.org>
Sent: Thursday, August 12, 2004 2:19 AM
Subject: Re: Client & NTLM Authentication


> In WebdavResource there are constructors where you can supply your
> credentials, for example:
> public WebdavResource(String escapedHttpURL, Credentials credentials)
>
> And I have got at least one report that it works.
>
> Ingo
>
>> I'm trying to figure out how to use NTLM authentication with the Slide =
>> client. It seemed straightforward enough at first: use =
>> retrieveSessionInstance() to get at the underlying HttpClient, then tell 
>> =
>> it to use NTLM credentials.
>>
>> But I've run into a chicken-and-egg problem: you must supply =
>> WebdavResource with some sort of URI in order to construct it, and for =
>> me that URI will fail (throw a 401 exception) until the correct =
>> credentials have been supplied. But, there's no way to get to the =
>> underlying HttpClient and set the credentials until after the object has 
>> =
>> been successfully constructed! How do I get around this?
>>
>> --Matthew Beermann
>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org

Re: Client & NTLM Authentication

[Ingo Brunberg <ib...@fiz-chemie.de>]

In WebdavResource there are constructors where you can supply your
credentials, for example:
public WebdavResource(String escapedHttpURL, Credentials credentials)

And I have got at least one report that it works.

Ingo

> I'm trying to figure out how to use NTLM authentication with the Slide =
> client. It seemed straightforward enough at first: use =
> retrieveSessionInstance() to get at the underlying HttpClient, then tell =
> it to use NTLM credentials.
> 
> But I've run into a chicken-and-egg problem: you must supply =
> WebdavResource with some sort of URI in order to construct it, and for =
> me that URI will fail (throw a 401 exception) until the correct =
> credentials have been supplied. But, there's no way to get to the =
> underlying HttpClient and set the credentials until after the object has =
> been successfully constructed! How do I get around this?
> 
> --Matthew Beermann


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org