Posted to httpclient-users@hc.apache.org by "anir ........." <an...@gmail.com> on 2012/10/11 07:19:54 UTC

Issue with NTLM proxy authentication over Https

Hi,

I am trying to return a secure socket connection from my code if the
authentication through a proxy is successful.
My code is something like this :-

.....
        if (tcp.getProxyUser() != null && tcp.getProxyPassword() != null) {
            // add basic authentication header for the proxy
            authstring = "Basic "
                    + XMLUtils.base64encode((tcp.getProxyUser() + ":" + tcp
                    .getProxyPassword()).getBytes());
        }

        // try 3 times
        for (int i = 0; i <= 2; i++) {

            repondChallange(out, connect, authstring);

            if (processProxyResponse(is)) {
                return socket;
            }
            Header[] headers = extractHeaders(is);
            authstring = getAuthString(tcp, port, host, headers);
            while (is.available() > 0 && is.read() > 0) {
                // read all
            }
            if (closeConnection(headers)) {
                socket.close();
                socket = new Socket(tcp.getProxyHost(), proxyPort, null, 0);
                socket.setTcpNoDelay(true);
                socket.setSoTimeout(0);
                is = new BufferedInputStream(socket.getInputStream(), 2048);
                out = new BufferedOutputStream(socket.getOutputStream(), 2048);
            }
.....

The RespondChallange Method writes to the output stream with headers
like User-Agent: , Proxy-Authorization: .
The method processProxyResponse(is) checks for the reply from the proxy
server and returns true only if status code of 200 is encountered.
The getAuthString method basically is a generic method which returns the
string based on the authentication Scheme selected and serves as the value
for the Proxy-Authorization: header :-

.....
            ConnectMethod method = new ConnectMethod();
            authstring = authscheme.authenticate(credentials, method);
.....

My code works fine for Basic, Digest Authentication but fails for NTLM
scheme with Error code :- 407.

Using the JCIFS library it works though.
Just wanted to know if this is a known problem with apache commons
httpclient ??
Is there a workaround for this, since i am not too keen on using JCIFS
library ??

Thanks,
Anirban

RE: Issue with NTLM proxy authentication over Https

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2012-10-11 at 11:53 -0500, Godbey, David J. (HQ-LM020)[DIGITAL
MANAGEMENT INC.] wrote:
> Oleg,
> Wow, you have a proxy client? I should give that a look.
> 
> Anirban:
> My problem was this:
> 1. My JAXWS client for the EWS service does not manage authentication because JAXWS itself does not manage authentication.
> 2. To authenticate, I used java.net.Authenticator. However, the Authenticator does not support NTLMv2.
> 
> My solution was this:
> 1. Created a local endpoint (servlet) for the JAXWS client instead of the EWS service (EWS endpoint is SSL with NTLMv2).
> 2. The servlet (using HttpClient 4.2) received the raw SOAP request and the list of headers.
> 3. Using httpclient (4.2) pack up a post with the SOAP request, bring over the relevant headers, and send the post to the EWS endpoint. 
> 4. The servlet succeeds and receives the SOAP response that it then returns to the JAXWS client.
> 
> With that, I am back in business.
> 
> Oleg,
> Can I remove my local endpoint servlet, return the JAXWS client to point directly to the EWS SSL NTLMv2 service, and set java -D directives to specify an authenticating proxy that I will build from HttpClient ProxyClient? Can this work?
> Dave
> 

Dave,

ProxyClient is probably not a very good name. SSL tunnel client should
be descriptive. The purpose of this client is to create a tunnel through
an HTTP proxy for non-HTTP protocols such as SSH or SMTP. Naturally, it
could also be used for tunneling HTTP messages through an SSL tunnel but
I see very little sense in doing so, as that would give you no advantage
over HttpClient.

What you have is a very reasonable solution based on a reverse proxy
pattern. You should probably stick to it.

Oleg



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


RE: Issue with NTLM proxy authentication over Https

Posted by "Godbey, David J. (HQ-LM020)[DIGITAL MANAGEMENT INC.]" <da...@nasa.gov>.
Oleg,
Wow, you have a proxy client? I should give that a look.

Anirban:
My problem was this:
1. My JAXWS client for the EWS service does not manage authentication because JAXWS itself does not manage authentication.
2. To authenticate, I used java.net.Authenticator. However, the Authenticator does not support NTLMv2.

My solution was this:
1. Created a local endpoint (servlet) for the JAXWS client instead of the EWS service (EWS endpoint is SSL with NTLMv2).
2. The servlet (using HttpClient 4.2) received the raw SOAP request and the list of headers.
3. Using httpclient (4.2) pack up a post with the SOAP request, bring over the relevant headers, and send the post to the EWS endpoint. 
4. The servlet succeeds and receives the SOAP response that it then returns to the JAXWS client.

With that, I am back in business.

Oleg,
Can I remove my local endpoint servlet, return the JAXWS client to point directly to the EWS SSL NTLMv2 service, and set java -D directives to specify an authenticating proxy that I will build from HttpClient ProxyClient? Can this work?
Dave

-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: Thursday, October 11, 2012 11:07 AM
To: HttpClient User Discussion
Subject: Re: Issue with NTLM proxy authentication over Https

On Thu, 2012-10-11 at 16:44 +0530, anir ......... wrote:
> Hi Dave,
> 
> Thanks for your reply but i can't use the cron job in my present 
> environment .
> I was looking for some workaround (if any) using httpClient itself.
> Moreover this is a pretty generalized code for all AuthSchemes and so 
> i don't want to break the uniformity.
> Thanks for your help .
> 
> Regards,
> Anirban
> 

Anirban

NTLM scheme is significantly more complex than basic or digest schemes and requires a sequence of three request / response exchanges over a persistent connection. You probably should consider using ProxyClient provided with HttpClient as of release 4.2 or take up on Dave's offer.

Oleg





Re: Issue with NTLM proxy authentication over Https

Posted by sebb <se...@gmail.com>.
On 12 October 2012 12:10, anir ......... <an...@gmail.com> wrote:
> Thanks for your reply Oleg.
> I tried out ProxyClient as mentioned by you and it seems to work :).
> But i get the following lines as warnings in my log files :-
>
> 2012-10-12 16:17:56,539 WARN  [http-8443-Processor68]
> protocol.RequestProxyAuthentication  - NEGOTIATE authentication error:
> Invalid name provided (Mechanism level: Could not load configuration file
> C:\Windows\krb5.ini (The system cannot find the file specified))

The above message should be a big clue to what is wrong with your setup.

> 2012-10-12 16:17:56,540 WARN  [http-8443-Processor68]
> protocol.RequestProxyAuthentication  - KERBEROS authentication error:
> Invalid name provided (Mechanism level: Could not load configuration file
> C:\Windows\krb5.ini (The system cannot find the file specified))

Does the file exist?

> Can you please let me know if there is some problem in the following code.
> ..
>
> org.apache.http.impl.client.ProxyClient pc =
>         new org.apache.http.impl.client.ProxyClient();
> org.apache.http.HttpHost proxyHost =
>         new org.apache.http.HttpHost(tcp.getProxyHost(), tcp.getProxyPort());
> org.apache.http.HttpHost targetHost =
>         new org.apache.http.HttpHost(host, port, "https");
> org.apache.http.auth.Credentials credentials =
>         getNTCredentials(tcp.getProxyUser(), tcp.getProxyPassword());
> socket = pc.tunnel(proxyHost, targetHost, credentials);
> if (socket.isConnected())
> {
>     return socket;
> }
>
> ...............
>
> Thanks,
> Anirban
>
>
>
> On Thu, Oct 11, 2012 at 8:37 PM, Oleg Kalnichevski <ol...@apache.org> wrote:
>
>> On Thu, 2012-10-11 at 16:44 +0530, anir ......... wrote:
>> > Hi Dave,
>> >
>> > Thanks for your reply but i can't use the cron job in my present
>> > environment .
>> > I was looking for some workaround (if any) using httpClient itself.
>> > Moreover this is a pretty generalized code for all AuthSchemes and so i
>> > don't want to break
>> > the uniformity.
>> > Thanks for your help .
>> >
>> > Regards,
>> > Anirban
>> >
>>
>> Anirban
>>
>> NTLM scheme is significantly more complex than basic or digest schemes
>> and requires a sequence of three request / response exchanges over a
>> persistent connection. You probably should consider using ProxyClient
>> provided with HttpClient as of release 4.2 or take up on Dave's offer.
>>
>> Oleg



Re: Issue with NTLM proxy authentication over Https

Posted by "anir ........." <an...@gmail.com>.
Thanks for your reply Oleg.
I tried out ProxyClient as mentioned by you and it seems to work :).
But i get the following lines as warnings in my log files :-

2012-10-12 16:17:56,539 WARN  [http-8443-Processor68]
protocol.RequestProxyAuthentication  - NEGOTIATE authentication error:
Invalid name provided (Mechanism level: Could not load configuration file
C:\Windows\krb5.ini (The system cannot find the file specified))
2012-10-12 16:17:56,540 WARN  [http-8443-Processor68]
protocol.RequestProxyAuthentication  - KERBEROS authentication error:
Invalid name provided (Mechanism level: Could not load configuration file
C:\Windows\krb5.ini (The system cannot find the file specified))

Can you please let me know if there is some problem in the following code.
..

org.apache.http.impl.client.ProxyClient pc =
        new org.apache.http.impl.client.ProxyClient();
org.apache.http.HttpHost proxyHost =
        new org.apache.http.HttpHost(tcp.getProxyHost(), tcp.getProxyPort());
org.apache.http.HttpHost targetHost =
        new org.apache.http.HttpHost(host, port, "https");
org.apache.http.auth.Credentials credentials =
        getNTCredentials(tcp.getProxyUser(), tcp.getProxyPassword());
socket = pc.tunnel(proxyHost, targetHost, credentials);
if (socket.isConnected())
{
    return socket;
}

...............

Thanks,
Anirban



On Thu, Oct 11, 2012 at 8:37 PM, Oleg Kalnichevski <ol...@apache.org> wrote:

> On Thu, 2012-10-11 at 16:44 +0530, anir ......... wrote:
> > Hi Dave,
> >
> > Thanks for your reply but i can't use the cron job in my present
> > environment .
> > I was looking for some workaround (if any) using httpClient itself.
> > Moreover this is a pretty generalized code for all AuthSchemes and so i
> > don't want to break
> > the uniformity.
> > Thanks for your help .
> >
> > Regards,
> > Anirban
> >
>
> Anirban
>
> NTLM scheme is significantly more complex than basic or digest schemes
> and requires a sequence of three request / response exchanges over a
> persistent connection. You probably should consider using ProxyClient
> provided with HttpClient as of release 4.2 or take up on Dave's offer.
>
> Oleg

Re: Issue with NTLM proxy authentication over Https

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2012-10-11 at 16:44 +0530, anir ......... wrote:
> Hi Dave,
> 
> Thanks for your reply but i can't use the cron job in my present
> environment .
> I was looking for some workaround (if any) using httpClient itself.
> Moreover this is a pretty generalized code for all AuthSchemes and so i
> don't want to break
> the uniformity.
> Thanks for your help .
> 
> Regards,
> Anirban
> 

Anirban

NTLM scheme is significantly more complex than basic or digest schemes
and requires a sequence of three request / response exchanges over a
persistent connection. You probably should consider using ProxyClient
provided with HttpClient as of release 4.2 or take up on Dave's offer.  

Oleg
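
The point above about NTLM needing three request / response exchanges on one persistent connection, as an added, self-contained Java model (not code from this thread or from HttpClient). ProxyConnection is a hypothetical mock of the proxy's per-connection state, and the NTLM messages are constructed header-only blobs (signature plus type field) with no hashes computed. The second run swaps in a fresh connection between the Type 2 challenge and the Type 3 reply, as a retry loop that closes and re-creates the socket would, and the mock proxy answers 407 again.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class NtlmConnectionBinding {
    static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Constructed header-only NTLM message: 8-byte signature + little-endian type. */
    static String message(int type) {
        ByteBuffer b = ByteBuffer.allocate(12).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(type);
        return "NTLM " + Base64.getEncoder().encodeToString(b.array());
    }

    /** NTLM message type (1, 2 or 3) carried in a header value, or -1 if none. */
    static int messageType(String headerValue) {
        if (headerValue == null || !headerValue.startsWith("NTLM ")) return -1;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(headerValue.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return -1;
        }
        if (raw.length < 12 || !Arrays.equals(Arrays.copyOf(raw, 8), SIGNATURE)) return -1;
        return ByteBuffer.wrap(raw, 8, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
    }

    /** Hypothetical mock of the proxy's view of ONE TCP connection. */
    static class ProxyConnection {
        private boolean challengeIssued;   // state is lost when the connection closes
        /** Handles one CONNECT; returns {status, Proxy-Authenticate value}. */
        String[] connect(String proxyAuthorization) {
            int type = messageType(proxyAuthorization);
            if (type == 1) {
                challengeIssued = true;
                return new String[] {"407", message(2)};
            }
            if (type == 3 && challengeIssued) return new String[] {"200", null};
            challengeIssued = false;
            return new String[] {"407", "NTLM"};   // no usable state: start over
        }
    }

    /** Client side of the three exchanges; returns the status of the last one. */
    static int handshake(boolean reconnectAfterChallenge) {
        ProxyConnection conn = new ProxyConnection();
        conn.connect(null);                                   // 1: no credentials, 407
        String[] reply = conn.connect(message(1));            // 2: Type 1, 407 + Type 2
        if (messageType(reply[1]) != 2) throw new IllegalStateException("no challenge");
        if (reconnectAfterChallenge) conn = new ProxyConnection();   // new socket
        return Integer.parseInt(conn.connect(message(3))[0]); // 3: Type 3
    }

    public static void main(String[] args) {
        System.out.println("same connection: " + handshake(false));
        System.out.println("reconnected:     " + handshake(true));
    }
}
```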





Re: Issue with NTLM proxy authentication over Https

Posted by "anir ........." <an...@gmail.com>.
Hi Dave,

Thanks for your reply but i can't use the cron job in my present
environment .
I was looking for some workaround (if any) using httpClient itself.
Moreover this is a pretty generalized code for all AuthSchemes and so i
don't want to break
the uniformity.
Thanks for your help .

Regards,
Anirban

On Thu, Oct 11, 2012 at 4:33 PM, Godbey, David J. (HQ-LM020)[DIGITAL
MANAGEMENT INC.] <da...@nasa.gov> wrote:

> Anirban,
> I have a cron job working that successfully connects to an Exchange Web
> Service via JAXWS protected by NTLMv2. I can post my code if you think it
> will help.
> Dave

RE: Issue with NTLM proxy authentication over Https

Posted by "Godbey, David J. (HQ-LM020)[DIGITAL MANAGEMENT INC.]" <da...@nasa.gov>.
Anirban,
I have a cron job working that successfully connects to an Exchange Web Service via JAXWS protected by NTLMv2. I can post my code if you think it will help.
Dave
