You are viewing a plain text version of this content. The canonical link for it is here.
Posted to httpclient-users@hc.apache.org by "Welty, Richard" <rw...@ltionline.com> on 2012/10/10 16:03:32 UTC
preemptive authentication issue
I have worked through the RSA issue; it was an odd ball interaction between the Fuse ESB environment and the jdk that was causing SunJCE to not be registered properly. Thanks to those who helped.
However, I am having all kinds of problems getting preemptive authentication to work with the service now site, and I don't have much time left to get it working. Can anyone offer any suggestions on how to do this? Service now does not do interactive auth, I have no choice but to do preemptive, but I followed the example here:
http://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java
and I'm getting this back, which is the expected response when credentials are not supplied preemptively. I can access the site with curl when I specify the username/password (admin/admin) on the command line.
ServiceNow CI results = <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Authentication required!</title><link rev="made" href="mailto:operations@service-now.com" /><style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { font-family: Arial, Helvetica, sans-serif; font-size: 9pt; font-style: normal; font-weight: normal; color: #888888; background-color: #ffffff;}.oneColFixCtr #container { width: 700px; background: #ffffff; margin: 0 auto; border: 1px solid #ebebeb; text-align: left; }.heading { font: 18px Arial, Verdana, Helvetica, sans-serif; color: #000;}.heading2 { font: 16px Arial, Verdana, Helvetica, sans-serif; color: #404040;}.subheading { font: 14px Arial, Verdana, Helvetica, sans-serif; color: #000;}.hRule hr{ border: 1px solid #ebebeb;}a { color: #3366cc;}a: HOVER { color: #3366cc;}table{ background-color: #ffffff;}td{ text-align: left; vertical-align: top;}/*]]>*/--></style></head><body> <div align="center" width="700" border="0"> <table width="700"> <tr> <td><img src="https://www.service-now.com/images/email_img/ErrorBannerHTTP.png"/></td> </tr> <tr> <td> <div id="mainContent"> <br /><br /> <span class="heading" >Authentication required!</span><br /><br /> <table> <tr> <td colspan="2"> <p> This server could not verify that you are authorized to access the URL "/cmdb_ci_list.do". You either supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. In case you are allowed to request the document, please check your user-id and password and try again. </p> <p> Please contact<a href="mailto:<su...@service-now.com>">Service-now Customer Support</a> with any questions. </p> <address> <a href="/">demo04.service-now.com</a><br /> </address> </td> </tr> </table> </div> </td> </tr> </table> </div></body></html>
^C
Re: preemptive authentication issue
Posted by "Stephen J. Butler" <st...@gmail.com>.
On Wed, Oct 10, 2012 at 2:29 PM, Oleg Kalnichevski <ol...@apache.org> wrote:
> @Stephen
> Make sure you are not affected by HTTPCLIENT-1215. The downside of this
> approach is that HttpClient will not retry authentication by using
> another scheme in case of preemptive authentication failure.
I am relying on the default port as part of the URL. So that's
probably the issue.
Honestly, it was my client software talking to my server software. So
I wasn't really concerned about retries with another auth scheme, etc.
Either it was going to succeed the first time or it wasn't going to at
all :)
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: preemptive authentication issue
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2012-10-10 at 10:24 -0500, Stephen J. Butler wrote:
> On Wed, Oct 10, 2012 at 9:03 AM, Welty, Richard <rw...@ltionline.com> wrote:
> > However, I am having all kinds of problems getting preemptive authentication to work with the service now site, and I don't have much time left to get it working. Can anyone offer any suggestions on how to do this? Service now does not do interactive auth, I have no choice but to do preemptive, but I followed the example here:
>
> I never got pre-emptive auth working either. What I did was construct
> the Basic Auth header manually and add it to the request myself. Works
> fine, and the code seemed just as long (or shorter) than the code
> example given for pre-emptive auth.
>
> http://en.wikipedia.org/wiki/Basic_access_authentication
>
@Stephen
Make sure you are not affected by HTTPCLIENT-1215. The downside of this
approach is that HttpClient will not retry authentication by using
another scheme in case of preemptive authentication failure.
@Jason
One can also use internal HttpClient logging facility to produce packet
wire dump along with some contextual details that can come quite handy.
@Richard
Make sure you are not affected by HTTPCLIENT-1215. If the default port
value (-1) is not the culprit, post a wire / context log of the session
and I'll have a look at it.
Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: preemptive authentication issue
Posted by "Stephen J. Butler" <st...@gmail.com>.
On Wed, Oct 10, 2012 at 9:03 AM, Welty, Richard <rw...@ltionline.com> wrote:
> However, I am having all kinds of problems getting preemptive authentication to work with the service now site, and I don't have much time left to get it working. Can anyone offer any suggestions on how to do this? Service now does not do interactive auth, I have no choice but to do preemptive, but I followed the example here:
I never got pre-emptive auth working either. What I did was construct
the Basic Auth header manually and add it to the request myself. Works
fine, and the code seemed just as long (or shorter) than the code
example given for pre-emptive auth.
http://en.wikipedia.org/wiki/Basic_access_authentication
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: preemptive authentication issue
Posted by Jason Gionta <jj...@ncsu.edu>.
I don't have any insight into the problem, but I would debug it by running
wireshark, and comparing the curl http request to the HTTPclient request.
On Wed, Oct 10, 2012 at 10:03 AM, Welty, Richard <rw...@ltionline.com>wrote:
> I have worked through the RSA issue; it was an odd ball interaction
> between the Fuse ESB environment and the jdk that was causing SunJCE to not
> be registered properly. Thanks to those who helped.
>
> However, I am having all kinds of problems getting preemptive
> authentication to work with the service now site, and I don't have much
> time left to get it working. Can anyone offer any suggestions on how to do
> this? Service now does not do interactive auth, I have no choice but to do
> preemptive, but I followed the example here:
>
>
> http://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java
>
> and I'm getting this back, which is the expected response when credentials
> are not supplied preemptively. I can access the site with curl when I
> specify the username/password (admin/admin) on the command line.
>
> ServiceNow CI results = <?xml version="1.0"
> encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
> Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html
> xmlns="http://www.w3.org/1999/xhtml" lang="en"
> xml:lang="en"><head><title>Authentication required!</title><link rev="made"
> href="mailto:operations@service-now.com" /><style
> type="text/css"><!--/*--><![CDATA[/*><!--*/ body { font-family: Arial,
> Helvetica, sans-serif; font-size: 9pt; font-style: normal;
> font-weight: normal; color: #888888; background-color:
> #ffffff;}.oneColFixCtr #container { width: 700px; background: #ffffff;
> margin: 0 auto; border: 1px solid #ebebeb; text-align:
> left; }.heading { font: 18px Arial, Verdana, Helvetica, sans-serif;
> color: #000;}.heading2 { font: 16px Arial, Verdana, Helvetica,
> sans-serif; color: #404040;}.subheading { font: 14px Arial,
> Verdana, Helvetica, sans-serif; color: #000;}.hRule hr{ border: 1px
> solid #ebebeb;}a { color: #3366cc;}a: HOVER { color: #3366cc;}table{
> background-color: #ffffff;}td{ text-align: left; vertical-align:
> top;}/*]]>*/--></style></head><body> <div align="center" width="700"
> border="0"> <table width="700"> <tr> <td><img src="
> https://www.service-now.com/images/email_img/ErrorBannerHTTP.png"/></td>
> </tr> <tr> <td> <div id="mainContent"> <br /><br />
> <span class="heading" >Authentication required!</span><br /><br />
> <table> <tr> <td colspan="2"> <p>
> This server could not verify that you are authorized to access the URL
> "/cmdb_ci_list.do". You either supplied the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the
> credentials required. In case you are allowed to request the document,
> please check your user-id and password and try again.
> </p> <p> Please contact<a href="mailto:<
> support@service-now.com>">Service-now Customer Support</a> with any
> questions. </p> <address> <a
> href="/">demo04.service-now.com</a><br /> </address> </td>
> </tr> </table> </div> </td> </tr> </table>
> </div></body></html>
> ^C
>
--
Jason Gionta
Cyber Defense Lab
North Carolina State University
jjgionta@ncsu.edu
RE: preemptive authentication issue
Posted by "Welty, Richard" <rw...@ltionline.com>.
>However, I am having all kinds of problems getting preemptive authentication to work with the service now site
I have resolved the issue. At one point in this process, I tried a HttpClient wrapper that was supposed to handle self signed and/or wildcarded certificates. It turns out that this wrapper wasn't needed for ServiceNow. It also turned out that the wrapper interfered with preemptive auth. Once I removed the wrapper, it worked beautifully (except for the bugs in my code, which are another issue entirely.)
Thanks everyone,
Richard
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org