Posted to users@cxf.apache.org by thanmalv <th...@yahoo.com> on 2011/03/24 21:23:12 UTC

CXF and NTLM on Java 6

Hi,

I read the CXF article which suggests that for Java 6 NTLM is natively
supported. But I am not sure if I understand it correctly.

What I mean is, do we have to set AuthorizationType to something after
creating the AuthorizationPolicy class? Or do we need to extend the
java.net.Authenticator class and set Authenticator.setDefault to the new
instance of the extended class? I tried this extension route but did not see
the call coming to this method.

My JUnit test keeps failing where it keeps grabbing my logged-in Windows ID
and passing it to the web service and failing.

Is there any additional step I am missing here? Like hooking up the extended
class to AuthorizationPolicy or something?

Any insight on this is highly appreciated. If there is no workaround should I
try the jcifs route which was suggested for Java 5?

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-and-NTLM-on-Java-6-tp4263002p4263002.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF and NTLM on Java 6

Posted by thanmalv <th...@yahoo.com>.
What I got is something like this: (I changed the actual username, domain to
MYDOMAIN\MYUSERNAME in the post)

The permissions granted to user 'MYDOAMIN\MYUSERNAME' are insufficient for
performing this operation. --->
Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The
permissions granted to user 'MYDOMAIN\MYUSERNAME' are insufficient for
performing this operation.
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:114)
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:59)
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:46)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
	at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:99)
	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:700)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2261)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2134)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1988)
	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:639)
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:487)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)


Re: CXF and NTLM on Java 6

Posted by "frantisek.kocun@gmail.com" <fr...@gmail.com>.
Did you get this error?

Server returned HTTP response code: 401 for URL: ... 


Re: CXF and NTLM on Java 6

Posted by thanmalv <th...@yahoo.com>.
Yes. Exactly the way you have it here. But as I indicated in my last post, I
am wondering if it has anything to do with my credentials being cached. But
then after my credentials fail shouldn't it use the supplied credentials
either from the Authenticator.setDefault(..) or thru AuthorizationPolicy??


Re: CXF and NTLM on Java 6

Posted by "frantisek.kocun@gmail.com" <fr...@gmail.com>.
So you did use AuthorizationPolicy like this?

SERVICE_PROXY proxy = ...
					
Client client = ClientProxy.getClient(proxy);
HTTPConduit http = (HTTPConduit) client.getConduit();
AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setUserName(NAME);
policy.setPassword(PASS);
http.setAuthorization(policy);
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(30000);
httpClientPolicy.setAllowChunking(false);
http.setClient(httpClientPolicy);

Maybe you can try the Spring configuration I showed you earlier..

Authenticator.setDefault(..) works for me but I found Spring more elegant.

But I'm still struggling. Can somebody help me with wsdlLocation, and http
authentication when downloading WSDL??? Conduit works just with invoking
methods..


Re: CXF and NTLM on Java 6

Posted by metatech <me...@gmail.com>.
frantisek.kocun@gmail.com wrote
> 
> So if you set default Authenticator getPasswordAuthentication() is never
> called?
> 

For the record, there is also another layer of credentials caching in
classes sun.net.www.protocol.http.AuthCacheImpl and
sun.net.www.protocol.http.AuthenticationInfo.
On top of that, CXF also registers its own CXFAuthenticator using
Authenticator.setDefault, so only the last registered Authenticator (the CXF
one or your custom one) will win and will actually be called by the JVM HTTP
stack.

metatech
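
The two JVM behaviours described in this post (the last `Authenticator.setDefault` call wins, and cached credentials are reused without a new callback), as an added example that is not part of the original thread. It uses only the JDK, with a constructed local server that issues Basic rather than NTLM challenges; the class name, labels and credentials are made up for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;

public class AuthenticatorOrderDemo {
    static final List<String> calls = new ArrayList<>();

    // Hypothetical helper: an Authenticator that records every callback under a label.
    static Authenticator named(String label, String user, String pass) {
        return new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                calls.add(label);
                return new PasswordAuthentication(user, pass.toCharArray());
            }
        };
    }

    static int get(URL url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        int code = c.getResponseCode(); // the 401 challenge and retry happen inside this call
        c.disconnect();
        return code;
    }

    public static void main(String[] args) throws Exception {
        // Constructed local server: answers 401 + Basic challenge until a request carries Authorization.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            boolean authed = ex.getRequestHeaders().containsKey("Authorization");
            if (!authed) ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"demo\"");
            ex.sendResponseHeaders(authed ? 200 : 401, -1);
            ex.close();
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");

        Authenticator.setDefault(named("first", "svc-a", "constructed-a"));
        Authenticator.setDefault(named("second", "svc-b", "constructed-b")); // replaces "first"

        System.out.println(get(url) + " callbacks=" + calls); // first request to the protected URL
        System.out.println(get(url) + " callbacks=" + calls); // same URL again, same JVM
        server.stop(0);
    }
}
```

On a stock JDK the callback list holds only the label of the authenticator registered last, and the second request adds no entry because the JVM answers from its cached credentials.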




Re: CXF and NTLM on Java 6

Posted by metatech <me...@gmail.com>.
frantisek.kocun@gmail.com wrote
> 
> So if you set default Authenticator getPasswordAuthentication() is never
> called?
> 

Beware that the HTTP Keep-Alive option is enabled by default in CXF, which
uses the JVM HttpURLConnection, which itself caches connections for 5 seconds
(see class sun.net.www.http.KeepAliveCache).  A disposed connection on which
an NTLM authentication has already been performed can be added to the pool and be
reused later, therefore reusing the existing credentials.

metatech.




Re: CXF and NTLM on Java 6

Posted by "frantisek.kocun@gmail.com" <fr...@gmail.com>.
So if you set default Authenticator getPasswordAuthentication() is never
called? If it is never called I don't know. For me it is called, I use
cxf-2.3.3.jar.


Re: CXF and NTLM on Java 6

Posted by thanmalv <th...@yahoo.com>.
I read that article but that suggests that it should try the different auth
schemes. I am not sure if it will try the NTLM first with my cached logged
in windows credentials and then will try again with the supplied credentials
thru Authenticator or AuthorizationPolicy...


Re: CXF and NTLM on Java 6

Posted by "frantisek.kocun@gmail.com" <fr...@gmail.com>.
I think it should work that way and try all accounts. Read this:
http://download.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html


But I'm also lame just playing 2nd day with CXF. I subscribed here to solve
my problem.


Re: CXF and NTLM on Java 6

Posted by thanmalv <th...@yahoo.com>.
Is it possible that because of the credential cache, it keeps using my local
logged on windows credentials and will never try any other credentials?

I do have some rights to the web service in question with my windows account
and I keep seeing the error message that my windows account does not have
access to some protected resource I am trying to access. My understanding
was that once my windows account fails it will try the user account info I
am supplying either thru Authenticator.setDefault(..) or thru
AuthorizationPolicy mechanism.

Am I correct in my assumption?


Re: CXF and NTLM on Java 6

Posted by thanmalv <th...@yahoo.com>.
Hi,

Thx for your prompt reply!

But let me clarify further. I am trying to use a cxf client which is trying
to hit a service hosted on some other machine. It is actually a sql server
reporting service.

So I extended the Authenticator class, supplied my username, password etc.
and then used the following code: Authenticator.setDefault(instance of my
authextender).

But I do not see the call coming to the extension class. It always keeps
failing complaining on my local logged on user rather than using the custom
username/password I am passing from the extended authenticator class.

Am I missing any steps here?

I also tried to just use the AuthorizationPolicy class, set the
username/password but that also gets the same error.


Re: CXF and NTLM on Java 6

Posted by "frantisek.kocun@gmail.com" <fr...@gmail.com>.
Hi, how can I use NTLM and wsdlLocation in jaxws:client?


	
	

	
		
		
			NAME
			PASSWORD
		
	

If I use http-conduit like this, cxf tries to download WSDL without
authentication. If I omit wsdlLocation it works. But I need to use
wsdlLocation attribute, I have some reasons to do that.. Http-conduit works
just for service invocations.. Please help me. I found a way using
Authenticator.setDefault(..) but I would like to do it all the way in
spring.


Re: CXF and NTLM on Java 6

Posted by "frantisek.kocun@gmail.com" <fr...@gmail.com>.
Yes, use Authenticator

Or you can configure the service like this (read
http://cxf.apache.org/docs/jax-ws-configuration.html )

	
	
	
		
		
			NAME
			PASSWORD
		
	

Problem is when you would like to use wsdlLocation in jaxws:client ..


Re: CXF and NTLM on Java 6

Posted by thanmalv <th...@yahoo.com>.
This issue is resolved. I was able to turn on basic auth for the actual
service which allowed me to use AuthorizationPolicy class and read the values
I am passing thru it.

As my service and client are internal, I am OK using this mechanism. Also I
needed to use different credentials passed from the CXF client to the
calling service. As the NTLM was more at TCP level, it won't allow me to do
that so the basic auth works perfectly for me in this scenario.
