NTLM Authentication

["Russell, Brian" <Br...@mottmac.com>]

I posted to the axis-user group recently, enquiring about support within
Axis for using proxies that mandate using NTLM. There was no response to
my post.

To give a little bit of background, we have a major customer for whom we
have developed a client server application. The requirements were to
allow the clients to operate over their corporate internet connection to
a remote server. Their security restrictions mandated using http, and
port 80 as the external server port to allow access through their
firewall. We developed the system using Axis, as this gave us a head
start remoting our method calls, and keeping within the comms
requirements.

However, when we have gone to install the system, the clients MS proxy
server is inhibiting the http requests that our Axis client is making,
because it fails to authenticate with the proxy using NTLM.

We have done some experimentation using the standard Java class
java.net.URLConnection, and with JDK 1.4.2 upwards, this succesfully
authenticates with the proxy using NTLM.

I am therefore trying to understand why the authentication is not
happening with Axis. Does axis internally have it's own replacement for
the Java URLConnection which is why the support from JDK1.4.2 is not
automatically being picked up?

I have not tried the Axis 1.2 alpha yet. Is it likely that this will
support NTLM proxies? If not, how big a job is it to add this support?
Is it something that I could do (with a reasonably limited understanding
of the Axis internals) and then add back to CVS? Is it something that is
planned (albeit NTLM is quite out dated, and from what I can gather, not
particularily secure)?

If I can't use Axis, my other options are to implement custom http
request/response message handling, which I would very much like to avoid
doing.

Any comments or help would be appreciated.

Thanks,

Brian.

Re: NTLM Authentication

[Steve Loughran <st...@iseran.com>]

Russell, Brian wrote:

> I posted to the axis-user group recently, enquiring about support within
> Axis for using proxies that mandate using NTLM. There was no response to
> my post.
> 
> To give a little bit of background, we have a major customer for whom we
> have developed a client server application. The requirements were to
> allow the clients to operate over their corporate internet connection to
> a remote server. Their security restrictions mandated using http, and
> port 80 as the external server port to allow access through their
> firewall. We developed the system using Axis, as this gave us a head
> start remoting our method calls, and keeping within the comms
> requirements.
> 
> However, when we have gone to install the system, the clients MS proxy
> server is inhibiting the http requests that our Axis client is making,
> because it fails to authenticate with the proxy using NTLM.
> 
> We have done some experimentation using the standard Java class
> java.net.URLConnection, and with JDK 1.4.2 upwards, this succesfully
> authenticates with the proxy using NTLM.
> 
> I am therefore trying to understand why the authentication is not
> happening with Axis. Does axis internally have it's own replacement for
> the Java URLConnection which is why the support from JDK1.4.2 is not
> automatically being picked up?
> 
> I have not tried the Axis 1.2 alpha yet. Is it likely that this will
> support NTLM proxies? If not, how big a job is it to add this support?
> Is it something that I could do (with a reasonably limited understanding
> of the Axis internals) and then add back to CVS? Is it something that is
> planned (albeit NTLM is quite out dated, and from what I can gather, not
> particularily secure)?

I dont think anyone has played with NTLM recently -or been in a position 
to test it, more critically. Axis will work with HttpClient from 
jakarta.apache.org - this may have better NTLM support than java1.4.2, 
which only supports NTLM on windows.

> If I can't use Axis, my other options are to implement custom http
> request/response message handling, which I would very much like to avoid
> doing.

no, you dont want to do that :)