Posted to httpclient-users@hc.apache.org by David Castañeda <da...@gmail.com> on 2006/09/15 20:31:17 UTC

NTLM Authentication credentials

Hi all....


A little OFF Topic here I think but I'm getting out of options and ideas so
any ANY help is really helpful...

I'm using HTTP client inside a swing app and the NTLM works great... the
problem I have is that I need to ask for the credentials to the user instead
of getting them from the Windows OS as clients like miranda, or mozilla
do.

Does anybody know how to do this? I mean getting this information from the
OS and in that case how to use it inside HTTP client. Is this possible with
HTTP Client... I know that for getting the authentication information I'll
have to use some sort of low level API..

any ideas...

thanks a lot.




-- 
David Castañeda R.

RE: NTLM Authentication credentials

Posted by Mike Wilson <mi...@hotmail.com>.
Sorry, I haven't followed your discussion from the start but here's
my 5c:

HttpClient has quite limited NTLM support, especially no support for
NTLM2 as is used in many enterprise intranets protected by Microsoft
proxies/firewalls.

There is NTLM2 support in the Windows JDK since 1.4.2. Just use a 
standard HttpURLConnection and set the property 
"http.auth.ntlm.domain" to your NT domain, then you don't need to 
input any username/password at all as this will be sorted out by the 
authentication layer.
See: http://java.sun.com/j2se/1.4.2/docs/guide/net/properties.html
(But then you will not be using HttpClient at all.)

There are commercial libraries for NTLM support on other platforms
than Windows, see for example:
http://www.oaklandsoftware.com/product_http/compare.html

//Mike

> -----Original Message-----
> From: David Castañeda [mailto:davidecr@gmail.com] 
> Sent: 18 September 2006 20:56
> To: HttpClient User Discussion
> Subject: Re: NTLM Authentication credentials
> 
> Thanks a lot :( I suppose there are some reasons to be like this, but I was
> hoping it wasn't because the JDK seems to support it nicely, one more
> thing... do you know some sort of similar implementation so I can solve this
> or a post or an article where HttpClient team explains why? so I can justify
> this to my boss?
> 
> Sorry for all this trouble....


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
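
Mike Wilson's suggestion above (a standard HttpURLConnection plus the "http.auth.ntlm.domain" property), as an added example that is not part of the original thread. The domain, host names and URL are hypothetical placeholders, and the PromptingAuthenticator fallback with its host and scheme check is an assumption of this example, not something the post describes.

```java
import java.io.Console;
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class NtlmUrlConnectionExample {
    // Hypothetical placeholders: replace with your NT domain, hosts and URL.
    static final String NT_DOMAIN = "EXAMPLEDOM";
    static final String TARGET = "http://intranet.example.test/";
    static final Set<String> TRUSTED_HOSTS = Set.of("intranet.example.test", "proxy.example.test");

    /** Decides whether a challenge may be answered with the user's credentials. */
    static boolean mayAnswer(String host, String scheme) {
        return host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))
                && "ntlm".equalsIgnoreCase(scheme); // refuse other schemes, e.g. Basic
    }

    /** Fallback prompt, consulted by the JDK when it needs a user name and password. */
    static final class PromptingAuthenticator extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            Console console = System.console();
            if (console == null || !mayAnswer(getRequestingHost(), getRequestingScheme())) {
                return null; // no credentials: the request ends with 401/407
            }
            String user = console.readLine("User for %s: ", getRequestingHost());
            char[] password = console.readPassword("Password: ");
            return new PasswordAuthentication(user, password);
        }
    }

    public static void main(String[] args) throws IOException {
        // Property named in the post; the NT domain is then not typed by the user.
        System.setProperty("http.auth.ntlm.domain", NT_DOMAIN);
        Authenticator.setDefault(new PromptingAuthenticator());
        HttpURLConnection conn =
                (HttpURLConnection) URI.create(TARGET).toURL().openConnection();
        try {
            System.out.println("HTTP status: " + conn.getResponseCode());
        } finally {
            conn.disconnect();
        }
    }
}
```

The example needs Java 9 or later for Set.of. Restricting the Authenticator to expected hosts and to the NTLM scheme keeps it from handing the password to an unexpected server or to a scheme that sends it in recoverable form.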


Re: NTLM Authentication credentials

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2006-09-18 at 13:56 -0500, David Castañeda wrote:
> Thanks a lot :( I suppose there are some reasons to be like this, but I was
> hoping it wasn't because the JDK seems to support it nicely, one more
> thing... do you know some sort of similar implementation so I can solve this
> or a post or an article where HttpClient team explains why? so I can justify
> this to my boss?
> 
> Sorry for all this trouble....
> 

David,

NTLM is a legal nightmare which we have neither resources nor incentive
to deal with. HttpClient 4.0 is very likely to provide NTLM support
through a third party library such as JCIFS.

Oleg

> On 9/18/06, Roland Weber <ht...@dubioso.net> wrote:
> >
> > Hi David,
> >
> > > it means that even if I get the hash value (In a windows only way) there is
> > > no way to set it to HTTPClient to correctly connect my client under these
> > > circumstances when the client is running on windows OS???
> >
> > Yes, exactly that.
> >
> > cheers,
> >   Roland
> >
> 
> 




Re: NTLM Authentication credentials

Posted by David Castañeda <da...@gmail.com>.
Thanks a lot for your reply, and thanks for this long explanation, I totally
agree with you. Thanks a lot for your time and patience, and thanks for this
wonderful component. :)

On 9/18/06, Roland Weber <ht...@dubioso.net> wrote:
>
> Hello David,
>
> > Thanks a lot :( I suppose there are some reasons to be like this, but I was
> > hoping it wasn't because the JDK seems to support it nicely, one more
> > thing... do you know some sort of similar implementation so I can solve
> > this
> > or a post or an article where HttpClient team explains why?
>
> Neither. The HttpClient team is already busy over their heads with delivering
> a platform independent solution. NTLM is not even in the scope of HttpClient,
> it just happens to be there at least for version 1 of the protocol. We don't
> have resources to waste on a platform specific solution that requires abusing
> internal, undocumented SUN APIs.
>
> > so I can justify this to my boss?
>
> You could suggest your boss to fund an effort to implement this requirement.
> We'd consider adding the code to our unsupported contrib package...
> Just kidding. The legal implications alone would be sufficient not to add
> such code. We recently had to turn down a patch that would have supported
> NTLMv2 since it included code licensed under the LGPL. Dealing with internal
> APIs that may have to be reverse-engineered would be a nightmare.
>
> I am spending a considerable amount of my private time on developing
> HttpComponents and supporting HttpClient, and so does Oleg. Right now
> we're the only two active developers in this project. I can't speak for
> Oleg, but I don't feel the tiniest urge to explain to your boss why I
> don't spend my private time on implementing just the feature that he
> would like to use for his business.
>
> You could suggest your boss to complain to Microsoft. If Microsoft would
> release the _full_ specifications for NTLM without licensing trapdoors,
> there would be open source implementations that we could use, and I'm sure
> one of them would also support authenticating with the current user's
> credentials on Windows.
> SUN has signed a licensing contract with Microsoft, they have obtained
> confidential documentation about NTLM, and they have paid developers to
> implement and test code that supports it. We're in no position to match
> that effort. And we don't want to, because HttpClient is about HTTP and
> not about cryptographic authentication protocols. If there is an open
> source NTLM implementation under a license that is compatible with the
> APL, we'll make an effort to plug that code into HttpClient. No more.
>
> Sorry to sound snappish, but I'm just in the right mood for that :-)
>
> cheers,
>   Roland
>
>
>


-- 
David Castañeda R.

RE: NTLM Authentication credentials

Posted by Mike Wilson <mi...@hotmail.com>.
I think there is a problem that NTLM is such a small obscure detail for
many software developers that they don't realize that they exclude
Microsoft networks when choosing to develop with HttpClient. I have 
gone through an opinion transition myself when I started to work for a 
big corporation a couple of years ago. 
Before starting there I couldn't care less about NTLM, but after 
seeing the effect from the "inside", realizing how many Java programs
based on HttpClient are rendered unusable at work, it opened my eyes.
The very same programs would have worked fine if they had been using
the standard HttpURLConnection from the JDK (since 1.4.2).
And it's unfortunate that it is giving Java a bad name in these
communities.

So guys, please don't get me wrong. I am not saying that you are doing
a bad job. But please understand that there are tens of thousands of
developers and users working behind NTLM2 Microsoft proxy servers, that
can't use their HttpClient-based programs to the full extent. And
probably the creators of these programs weren't even aware of this 
limitation as they didn't sit behind an NTLM proxy themselves...

Having hit this limitation a number of times at work, I have been 
wondering if it would be possible to somehow have HttpClient use the
JDK's HttpURLConnection, instead of a plain socket? Then HttpClient
would get the same NTLM compatibility as the JDK for free.
I'm sure there are problems, but maybe this could be introduced as 
some kind of limited-functionality compatibility mode, transparent to
the calling application? The ideal thing would be if I could set a
global property on the command line to activate this mode and not 
having to rely on that the application is somehow "customized" for it.

Even if just doing some kind of hack that only works for 50% of the
cases, I think it would be highly appreciated by the users. 

Best regards
Mike




Re: NTLM Authentication credentials

Posted by Roland Weber <ht...@dubioso.net>.
Hello David,

> Thanks a lot :( I suppose there are some reasons to be like this, but I was
> hoping it wasn't because the JDK seems to support it nicely, one more
> thing... do you know some sort of similar implementation so I can solve
> this
> or a post or an article where HttpClient team explains why?

Neither. The HttpClient team is already busy over their heads with delivering
a platform independent solution. NTLM is not even in the scope of HttpClient,
it just happens to be there at least for version 1 of the protocol. We don't
have resources to waste on a platform specific solution that requires abusing
internal, undocumented SUN APIs.

> so I can justify this to my boss?

You could suggest your boss to fund an effort to implement this requirement.
We'd consider adding the code to our unsupported contrib package...
Just kidding. The legal implications alone would be sufficient not to add
such code. We recently had to turn down a patch that would have supported
NTLMv2 since it included code licensed under the LGPL. Dealing with internal
APIs that may have to be reverse-engineered would be a nightmare.

I am spending a considerable amount of my private time on developing
HttpComponents and supporting HttpClient, and so does Oleg. Right now
we're the only two active developers in this project. I can't speak for
Oleg, but I don't feel the tiniest urge to explain to your boss why I
don't spend my private time on implementing just the feature that he
would like to use for his business.

You could suggest your boss to complain to Microsoft. If Microsoft would
release the _full_ specifications for NTLM without licensing trapdoors,
there would be open source implementations that we could use, and I'm sure
one of them would also support authenticating with the current user's
credentials on Windows.
SUN has signed a licensing contract with Microsoft, they have obtained
confidential documentation about NTLM, and they have paid developers to
implement and test code that supports it. We're in no position to match
that effort. And we don't want to, because HttpClient is about HTTP and
not about cryptographic authentication protocols. If there is an open
source NTLM implementation under a license that is compatible with the
APL, we'll make an effort to plug that code into HttpClient. No more.

Sorry to sound snappish, but I'm just in the right mood for that :-)

cheers,
  Roland



Re: NTLM Authentication credentials

Posted by David Castañeda <da...@gmail.com>.
Thanks a lot :( I suppose there are some reasons to be like this, but I was
hoping it wasn't because the JDK seems to support it nicely, one more
thing... do you know some sort of similar implementation so I can solve this
or a post or an article where HttpClient team explains why? so I can justify
this to my boss?

Sorry for all this trouble....

On 9/18/06, Roland Weber <ht...@dubioso.net> wrote:
>
> Hi David,
>
> > it means that even if I get the hash value (In a windows only way) there is
> > no way to set it to HTTPClient to correctly connect my client under these
> > circumstances when the client is running on windows OS???
>
> Yes, exactly that.
>
> cheers,
>   Roland
>
>
>


-- 
David Castañeda R.

Re: NTLM Authentication credentials

Posted by Roland Weber <ht...@dubioso.net>.
Hi David,

> it means that even if I get the hash value (In a windows only way) there is
> no way to set it to HTTPClient to correctly connect my client under these
> circumstances when the client is running on windows OS???

Yes, exactly that.

cheers,
  Roland



Re: NTLM Authentication credentials

Posted by David Castañeda <da...@gmail.com>.
Thanks a lot for your answer,

it means that even if I get the hash value (In a windows only way) there is
no way to set it to HTTPClient to correctly connect my client under these
circumstances when the client is running on windows OS???

again, thanks a lot for your reply.

On 9/16/06, Roland Weber <ht...@dubioso.net> wrote:
>
> Hello David,
>
> > I'm using HTTP client inside a swing app and the NTLM works great... the
> > problem I have is that I need to ask for the credentials to the user
> > instead
> > of getting them from the Windows OS as clients like miranda, or mozilla
> > do.
> >
> > Does anybody know how to do this?
>
> There is no way to do it. No way that is platform independent at all, and
> no way for the Windows platform specifically that does not require rewriting
> the whole NTLM authentication code. If you don't believe me, feel free
> to analyze the JDK code for the Windows platform. They don't get the user
> and password. They only get a hash, which is then used somewhere deep in
> the NTLM authentication protocol. And getting the hash of course relies on
> some native code.
>
> cheers,
>   Roland
>
>
>


-- 
David Castañeda R.

Re: NTLM Authentication credentials

Posted by Roland Weber <ht...@dubioso.net>.
Hello David,

> I'm using HTTP client inside a swing app and the NTLM works great... the
> problem I have is that I need to ask for the credentials to the user
> instead
> of getting them from the Windows OS as clients like miranda, or mozilla
> do.
> 
> Does anybody know how to do this?

There is no way to do it. No way that is platform independent at all, and
no way for the Windows platform specifically that does not require rewriting
the whole NTLM authentication code. If you don't believe me, feel free
to analyze the JDK code for the Windows platform. They don't get the user
and password. They only get a hash, which is then used somewhere deep in
the NTLM authentication protocol. And getting the hash of course relies on
some native code.

cheers,
  Roland
