Posted to httpclient-users@hc.apache.org by John Jamison <jl...@gmail.com> on 2008/03/05 23:03:48 UTC

ntlm proxy authentication question

I was ohh so close - I am attempting to code a simple app that
performs NTLM proxy authentication against a proxy server that
supports NTLM and basic authentication.

It took me some time to determine the correct value for the Domain
field in the NTCredentials instance, but decoding the NTLM message 2
structure gave it to me (it's the NT domain name).

Now though it seems I still always get 407 responses.

Here's the code:

        System.setProperty("org.apache.commons.logging.Log",
                "org.apache.commons.logging.impl.SimpleLog");
        System.setProperty(
                "org.apache.commons.logging.simplelog.showdatetime",
                "true");
        System.setProperty(
                "org.apache.commons.logging.simplelog.log.httpclient.wire.header",
                "debug");
        System.setProperty(
                "org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
                "debug");

        HttpClient httpclient = new HttpClient();

        // set the proxy host and port
        httpclient.getHostConfiguration().setProxy("XXXPROXYHOSTXXX", 80);

        // tried this, triggers BASIC authentication automatically
        // httpclient.getParams().setAuthenticationPreemptive(true);

        // not sure if the following applies to proxy authentication
        List authPrefs = new ArrayList(1);
        authPrefs.add(AuthPolicy.NTLM);
        httpclient.getParams().setParameter(
                AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);

        // set the proxy credentials
        httpclient.getState().setProxyCredentials(
                new AuthScope(AuthScope.ANY_HOST, 80, AuthScope.ANY_REALM),
                new NTCredentials("XXXUSERNAMEXXX", "XXXPASSSWORDXXX",
                        "", "XXXDOMAINXXXcom"));

        GetMethod get = new GetMethod("http://www.google.com/");
        get.setFollowRedirects(true);

        int status = httpclient.executeMethod(get);

        System.out.println(status);
        ...

Here's the scrubbed debug trace -

Frankly I'm stumped as to why the credentials provided are not being accepted.

I would be very grateful for any assistance
-------------------------------------------------------------------------------------------

2008/03/05 13:53:35:576 PST [DEBUG] header - ->> "GET
http://www.google.com/ HTTP/1.1[\r][\n]"
2008/03/05 13:53:35:576 PST [DEBUG] HttpMethodBase - -Adding Host request header
2008/03/05 13:53:35:766 PST [DEBUG] header - ->> "User-Agent: Jakarta
Commons-HttpClient/3.1[\r][\n]"
2008/03/05 13:53:35:766 PST [DEBUG] header - ->> "Host: www.google.com[\r][\n]"
2008/03/05 13:53:35:766 PST [DEBUG] header - ->> "Proxy-Connection:
Keep-Alive[\r][\n]"
2008/03/05 13:53:35:766 PST [DEBUG] header - ->> "[\r][\n]"
2008/03/05 13:53:35:786 PST [DEBUG] header - -<< "HTTP/1.1 407 Proxy
Authentication Required[\r][\n]"
2008/03/05 13:53:35:786 PST [DEBUG] header - -<< "HTTP/1.1 407 Proxy
Authentication Required[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Proxy-Authenticate:
NTLM[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Proxy-Authenticate:
BASIC realm="internet"[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Cache-Control:
no-cache[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Pragma: no-cache[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Content-Type:
text/html; charset=utf-8[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Proxy-Connection:
close[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Set-Cookie:
BCSI-CS-09B86D4CBE53A54D=2; Path=/[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Connection: close[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "Content-Length: 813[\r][\n]"
2008/03/05 13:53:35:816 PST [DEBUG] header - -<< "[\r][\n]"
2008/03/05 13:53:35:856 PST [DEBUG] HttpMethodBase - -Cookie accepted:
"$Version=0; BCSI-CS-09B86D4CBE53A54D=2; $Path=/"
2008/03/05 13:53:35:896 PST [DEBUG] HttpMethodDirector - -Authorization required
2008/03/05 13:53:35:936 PST [DEBUG] AuthChallengeProcessor -
-Supported authentication schemes in the order of preference: [NTLM]
2008/03/05 13:53:35:936 PST [INFO] AuthChallengeProcessor - -NTLM
authentication scheme selected
2008/03/05 13:53:36:016 PST [DEBUG] AuthChallengeProcessor - -Using
authentication scheme: ntlm
2008/03/05 13:53:36:016 PST [DEBUG] AuthChallengeProcessor -
-Authorization challenge processed
2008/03/05 13:53:36:016 PST [DEBUG] HttpMethodDirector - -Proxy
authentication scope: NTLM <any realm>@XXXPROXYHOSTXXX:80
2008/03/05 13:53:36:016 PST [DEBUG] HttpMethodDirector - -Retry authentication
2008/03/05 13:53:36:016 PST [DEBUG] HttpMethodBase - -Should close
connection in response to directive: close
2008/03/05 13:53:36:016 PST [DEBUG] HttpConnection - -Connection is
locked.  Call to releaseConnection() ignored.
2008/03/05 13:53:36:016 PST [DEBUG] HttpMethodDirector -
-Authenticating with NTLM <any realm>@XXXPROXYHOSTXXX:80
2008/03/05 13:53:36:057 PST [DEBUG] HttpMethodParams - -Credential
charset not configured, using HTTP element charset
2008/03/05 13:53:36:067 PST [DEBUG] HttpConnection - -Open connection
to XXXPROXYHOSTXXX:80
2008/03/05 13:53:36:067 PST [DEBUG] header - ->> "GET
http://www.google.com/ HTTP/1.1[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodBase - -Adding Host request header
2008/03/05 13:53:36:077 PST [DEBUG] header - ->> "User-Agent: Jakarta
Commons-HttpClient/3.1[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - ->> "Proxy-Connection:
Keep-Alive[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - ->> "Proxy-Authorization:
NTLM TlRMTVNTUAABAAAABlIAAAQABAAgAAAAAAAAACAAAABWSVNB[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - ->> "Host: www.google.com[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - ->> "Cookie: $Version=0;
BCSI-CS-09B86D4CBE53A54D=2; $Path=/[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - ->> "[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "HTTP/1.1 407 Proxy
Authentication Required[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "HTTP/1.1 407 Proxy
Authentication Required[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Proxy-Authenticate:
NTLM TlRMTVNTUAACAAAABAAEADgAAAAGAoECoZLHmGBVaxAAAAAAAAAAAG4AbgA8AAAABQCTCAAAAA9WSVNBAgAIAFYASQBTAEEAAQAYAFMAVwA3ADIAMABGAEwAVABSAFcAMAAxAAQAEAB2AGkAcwBhAC4AYwBvAG0AAwAqAHMAdwA3ADIAMABmAGwAdAByAHcAMAAxAC4AdgBpAHMAYQAuAGMAbwBtAAAAAAA=[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Cache-Control:
no-cache[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Pragma: no-cache[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Content-Type:
text/html; charset=utf-8[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Proxy-Connection:
Keep-Alive[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Set-Cookie:
BCSI-CS-09B86D4CBE53A54D=2; Path=/[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Connection:
Keep-Alive[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "Content-Length: 830[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] header - -<< "[\r][\n]"
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodBase - -Cookie accepted:
"$Version=0; BCSI-CS-09B86D4CBE53A54D=2; $Path=/"
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodDirector - -Authorization required
2008/03/05 13:53:36:077 PST [DEBUG] AuthChallengeProcessor - -Using
authentication scheme: ntlm
2008/03/05 13:53:36:077 PST [DEBUG] AuthChallengeProcessor -
-Authorization challenge processed
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodDirector - -Proxy
authentication scope: NTLM <any realm>@XXXPROXYHOSTXXX:80
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodDirector - -Retry authentication
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodBase - -Should NOT close
connection in response to directive: Keep-Alive
2008/03/05 13:53:36:077 PST [DEBUG] HttpConnection - -Connection is
locked.  Call to releaseConnection() ignored.
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodDirector -
-Authenticating with NTLM <any realm>@XXXPROXYHOSTXXX:80
2008/03/05 13:53:36:077 PST [DEBUG] HttpMethodParams - -Credential
charset not configured, using HTTP element charset
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "GET
http://www.google.com/ HTTP/1.1[\r][\n]"
2008/03/05 13:53:36:768 PST [DEBUG] HttpMethodBase - -Adding Host request header
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "User-Agent: Jakarta
Commons-HttpClient/3.1[\r][\n]"
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "Proxy-Connection:
Keep-Alive[\r][\n]"
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "Proxy-Authorization:
NTLM TlRMTVNTUAADAAAAGAAYAEwAAAAAAAAAZAAAAAQABABAAAAACAAIAEQAAAAAAAAATAAAAAAAAABkAAAABlIAAFZJU0FKSkFNSVNPTgFYy21YQMxayqbIo0s6cfIvS1XjxZwa9g==[\r][\n]"
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "Host: www.google.com[\r][\n]"
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "Cookie: $Version=0;
BCSI-CS-09B86D4CBE53A54D=2; $Path=/[\r][\n]"
2008/03/05 13:53:36:768 PST [DEBUG] header - ->> "[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "HTTP/1.1 407 Proxy
Authentication Required[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "HTTP/1.1 407 Proxy
Authentication Required[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "Proxy-Authenticate:
NTLM[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "Cache-Control:
no-cache[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "Pragma: no-cache[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "Content-Type:
text/html; charset=utf-8[\r][\n]"
2008/03/05 13:53:36:818 PST [DEBUG] header - -<< "Proxy-Connection:
close[\r][\n]"
2008/03/05 13:53:36:828 PST [DEBUG] header - -<< "Set-Cookie:
BCSI-CS-09B86D4CBE53A54D=2; Path=/[\r][\n]"
2008/03/05 13:53:36:828 PST [DEBUG] header - -<< "Connection: close[\r][\n]"
2008/03/05 13:53:36:828 PST [DEBUG] header - -<< "Content-Length: 825[\r][\n]"
2008/03/05 13:53:36:828 PST [DEBUG] header - -<< "[\r][\n]"
2008/03/05 13:53:36:828 PST [DEBUG] HttpMethodBase - -Cookie accepted:
"$Version=0; BCSI-CS-09B86D4CBE53A54D=2; $Path=/"
2008/03/05 13:53:36:828 PST [DEBUG] HttpMethodDirector - -Authorization required
2008/03/05 13:53:36:828 PST [DEBUG] AuthChallengeProcessor - -Using
authentication scheme: ntlm
2008/03/05 13:53:36:828 PST [DEBUG] AuthChallengeProcessor -
-Authorization challenge processed
2008/03/05 13:53:36:828 PST [DEBUG] HttpMethodDirector - -Proxy
authentication scope: NTLM <any realm>@XXXPROXYHOSTXXX:80
2008/03/05 13:53:36:828 PST [DEBUG] HttpMethodDirector - -Proxy
credentials required
2008/03/05 13:53:36:828 PST [DEBUG] HttpMethodDirector - -Proxy
credentials provider not available
2008/03/05 13:53:36:828 PST [INFO] HttpMethodDirector - -Failure
authenticating with NTLM <any realm>@XXXPROXYHOST:80


-- 
John Jamison
jljamison@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: ntlm proxy authentication question

Posted by John Jamison <jl...@gmail.com>.
I thought about that, yet in this situation neither the Type 1 nor the
Type 2 message includes the Negotiate_NTLM2_Key flag.

However, when firefox or IE talks to the same proxy, the type 1
message includes Negotiate_NTLM2_Key as does the type 2 message.

If the proxy were required to use NTLM2, wouldn't it return that flag
set in the type 2?

The type 1 message has the following flags set:
Negotiate_Domain_Supplied,Negotiate_Local_Call,Negotiate_NTLM,Negotiate_OEM,Request_Target

And the type 2 message has the following flags set:
Negotiate_NTLM,Negotiate_OEM,Negotiate_Target_Info,Request_Target,Target_Type_Domain

I see in the log I sent where it says Credential Charset not provided.
using HTTP element charset.

I'm not sure if that charset is the same as "OEM" [Ascii]. I could see
how the server would reject the password hash if it is hashed with the
wrong charset.

I recognize that the httpclient 3.x NTLM support is sort of a boat
anchor and that the true solution will be with httpclient 4.x if and
when it supports NTLM.

Thanks
JJ

On 3/7/08, Oleg Kalnichevski <ol...@apache.org> wrote:
>
> On Wed, 2008-03-05 at 14:03 -0800, John Jamison wrote:
> > I was ohh so close - I am attempting to code a simple app that
> > performs NTLM proxy authentication against a proxy server that
> > supports NTLM and basic authentication.
> >
> > It took me some time to determine the correct value for the Domain
> > field in the NTCredentials instance, but decoding the NTLM message 2
> > structure gave it to me (it's the NT domain name).
> >
> > Now though it seems I still always get 407 responses.
> >
> > Here's the code:
> >
> >          System.setProperty("org.apache.commons.logging.Log",
> >                   "org.apache.commons.logging.impl.SimpleLog");
> >          System.setProperty
> >                   ("org.apache.commons.logging.simplelog.showdatetime",
> >                    "true");
> >          System.setProperty
> >
> > ("org.apache.commons.logging.simplelog.log.httpclient.wire.header",
> >                     "debug");
> >            System.setProperty
> >        ("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
> >                     "debug");
> >
> >         HttpClient httpclient = new HttpClient();
> >
> >         // set the proxy host and port
> >         httpclient.getHostConfiguration().setProxy("XXXPROXYHOSTXXX", 80);
> >
> > //        tried this, triggers BASIC authentication automatically
> >  //       httpclient.getParams().setAuthenticationPreemptive(true);
> >
> >         // not sure if the following applies to proxy authentication
> >         List authPrefs = new ArrayList(1);
> >         authPrefs.add(AuthPolicy.NTLM);
> >         httpclient.getParams().setParameter
> >                (AuthPolicy.AUTH_SCHEME_PRIORITY,
> >                 authPrefs);
> >
> >         //
> >         // set the proxy credentials
> >         //
> >         httpclient.getState().setProxyCredentials(
> >             new AuthScope(AuthScope.ANY_HOST, 80, AuthScope.ANY_REALM),
> >             new NTCredentials("XXXUSERNAMEXXX",
> >                   "XXXPASSSWORDXXX",
> >                   "","XXXDOMAINXXXcom")
> >          );
> >
> >         GetMethod get = new GetMethod("http://www.google.com/");
> >         get.setFollowRedirects(true);
> >
> >         int status = httpclient.executeMethod(get);
> >
> >         System.out.println(status);
> >         ...
> >
> > Here's the scrubbed debug trace -
> >
> > Frankly I'm stumped as to why the credentials provided are not being accepted.
> >
>
> John,
>
> Quite likely because the server has been configured to accept NTLMv2
> authentication only, whereas HttpClient supports NTLMv1 only
>
> Oleg


-- 
John Jamison
jljamison@gmail.com
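
The flag comparison in the message above can be reproduced directly from the
trace. The following is an added example, not part of the original thread or of
HttpClient: it decodes the Type 1 and Type 2 tokens copied from the debug trace
and names their negotiate flags. The function names are illustrative, and the
flag table uses the commonly documented NTLM bit values with the names used in
this thread.

```python
import base64
import struct

# Negotiate-flag bits (commonly documented values), named as in the thread.
FLAGS = {
    0x00000001: "Negotiate_Unicode",
    0x00000002: "Negotiate_OEM",
    0x00000004: "Request_Target",
    0x00000200: "Negotiate_NTLM",
    0x00001000: "Negotiate_Domain_Supplied",
    0x00002000: "Negotiate_Workstation_Supplied",
    0x00004000: "Negotiate_Local_Call",
    0x00008000: "Negotiate_Always_Sign",
    0x00010000: "Target_Type_Domain",
    0x00020000: "Target_Type_Server",
    0x00080000: "Negotiate_NTLM2_Key",
    0x00800000: "Negotiate_Target_Info",
    0x20000000: "Negotiate_128",
    0x80000000: "Negotiate_56",
}
# The 32-bit flags field sits at a different offset in each message type.
FLAG_OFFSET = {1: 12, 2: 20}

# Tokens copied from the Proxy-Authorization / Proxy-Authenticate trace lines.
TYPE1 = "TlRMTVNTUAABAAAABlIAAAQABAAgAAAAAAAAACAAAABWSVNB"
TYPE2 = ("TlRMTVNTUAACAAAABAAEADgAAAAGAoECoZLHmGBVaxAAAAAAAAAAAG4AbgA8AAAABQCT"
         "CAAAAA9WSVNBAgAIAFYASQBTAEEAAQAYAFMAVwA3ADIAMABGAEwAVABSAFcAMAAxAAQA"
         "EAB2AGkAcwBhAC4AYwBvAG0AAwAqAHMAdwA3ADIAMABmAGwAdAByAHcAMAAxAC4AdgBp"
         "AHMAYQAuAGMAbwBtAAAAAAA=")


def decode_flags(token):
    """Return (message type, sorted flag names, bits not in FLAGS)."""
    raw = base64.b64decode(token)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type not in FLAG_OFFSET:
        raise ValueError("only Type 1 and Type 2 messages are handled here")
    (flags,) = struct.unpack_from("<I", raw, FLAG_OFFSET[msg_type])
    names = sorted(name for bit, name in FLAGS.items() if flags & bit)
    unnamed = flags & ~sum(FLAGS)  # keys are distinct bits, so sum == OR
    return msg_type, names, unnamed


def ntlm2_key_negotiated(*tokens):
    """True only if every message carries Negotiate_NTLM2_Key."""
    return all("Negotiate_NTLM2_Key" in decode_flags(t)[1] for t in tokens)


if __name__ == "__main__":
    for tok in (TYPE1, TYPE2):
        mtype, names, unnamed = decode_flags(tok)
        print(f"Type {mtype}: {','.join(names)} (unnamed bits {unnamed:#010x})")
    print("NTLM2 key negotiated:", ntlm2_key_negotiated(TYPE1, TYPE2))
```

The one bit reported as unnamed for the Type 2 message, 0x02000000, is
NTLMSSP_NEGOTIATE_VERSION in Microsoft's MS-NLMP specification.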



Re: ntlm proxy authentication question

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2008-03-05 at 14:03 -0800, John Jamison wrote:
> I was ohh so close - I am attempting to code a simple app that
> performs NTLM proxy authentication against a proxy server that
> supports NTLM and basic authentication.
> 
> It took me some time to determine the correct value for the Domain
> field in the NTCredentials instance, but decoding the NTLM message 2
> structure gave it to me (it's the NT domain name).
> 
> Now though it seems I still always get 407 responses.
> 
> Here's the code:
> 
>          System.setProperty("org.apache.commons.logging.Log",
>                   "org.apache.commons.logging.impl.SimpleLog");
>          System.setProperty
>                   ("org.apache.commons.logging.simplelog.showdatetime",
>                    "true");
>          System.setProperty
> 
> ("org.apache.commons.logging.simplelog.log.httpclient.wire.header",
>                     "debug");
>            System.setProperty
>        ("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
>                     "debug");
> 
>         HttpClient httpclient = new HttpClient();
> 
>         // set the proxy host and port
>         httpclient.getHostConfiguration().setProxy("XXXPROXYHOSTXXX", 80);
> 
> //        tried this, triggers BASIC authentication automatically
>  //       httpclient.getParams().setAuthenticationPreemptive(true);
> 
>         // not sure if the following applies to proxy authentication
>         List authPrefs = new ArrayList(1);
>         authPrefs.add(AuthPolicy.NTLM);
>         httpclient.getParams().setParameter
>                (AuthPolicy.AUTH_SCHEME_PRIORITY,
>                 authPrefs);
> 
>         //
>         // set the proxy credentials
>         //
>         httpclient.getState().setProxyCredentials(
>             new AuthScope(AuthScope.ANY_HOST, 80, AuthScope.ANY_REALM),
>             new NTCredentials("XXXUSERNAMEXXX",
>                   "XXXPASSSWORDXXX",
>                   "","XXXDOMAINXXXcom")
>          );
> 
>         GetMethod get = new GetMethod("http://www.google.com/");
>         get.setFollowRedirects(true);
> 
>         int status = httpclient.executeMethod(get);
> 
>         System.out.println(status);
>         ...
> 
> Here's the scrubbed debug trace -
> 
> Frankly I'm stumped as to why the credentials provided are not being accepted.
> 

John,

Quite likely because the server has been configured to accept NTLMv2
authentication only, whereas HttpClient supports NTLMv1 only

Oleg

