You are viewing a plain text version of this content. The canonical link for it is here.
Posted to httpclient-users@hc.apache.org by Deepak Mishra <dk...@gmail.com> on 2012/12/18 12:52:16 UTC
"Proxy Authentication Required" error in using kerberos
authentication with Proxy Server
Hi,
We need to communicate to an internet URL through a Proxy Server, the Proxy
Server has kerberos authentication integrated with an active directory.
I am using HttpClient-4.2 with JRE 1.6.0_37. When I try to connect to an
internet URL through the Proxy server, it returns "Proxy Authentication
Required" error.
On the other hand, when I try to communicate to a target host which has
kerberos authentication, the communication succeeds.
After debugging I found that in GGSSchemeBase.java, in method
"authenticate" we get the token from KDC and then create a header
"Authorization" with value "Negotiate token(in base 64 encoded format)".
So, using this header the communication with Target Server succeeds but
communication with Proxy Server fails. Because for Proxy Server, the Header
name should be "Proxy-Authenticate".
I have not modified the HttpClient code for my purpose, but it seems that
for successful Proxy Server authentication using kerberos, the header name
in request should be "Proxy-Authenticate".
Can any one please look into this problem and help me in getting a patch
that will work with Proxy Server using Kerberos authentication?
Thank You,
Deepak
Re: Re:
Posted by Deepak Mishra <dk...@gmail.com>.
Thank you very much Oleg.
I got the latest build from following URL
http://archive.apache.org/dist/httpcomponents/httpclient/binary/
I need one more help from you.
Can you please give me a sample program that communicates through proxy
server using kerberos authentication.
I am successfully able to communicate to an internet URL through proxy
server using kerberos authentication, but it asks for UserName and password
twice; although I have specified the username and password in the program.
Following is the sample program.
System.setProperty("java.security.krb5.conf", "krb5.ini");
System.setProperty("java.security.auth.login.config", "spNegoLogin.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("sun.security.krb5.debug", "true");
DefaultHttpClient httpClient = new DefaultHttpClient();
AuthSchemeRegistry authreg = httpClient.getAuthSchemes();
authreg.unregister("Negotiate");
authreg.register("Negotiate", new SPNegoSchemeFactory(true));
httpClient.setAuthSchemes(authreg);
HttpHost httpHost = new HttpHost("proxyserver.test.local", 3128);
httpClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY,
httpHost);
CredentialsProvider provider = httpClient.getCredentialsProvider();
AuthScope authScope = new AuthScope("proxyserver.test.local", 3128,
"TEST.LOCAL", AuthPolicy.SPNEGO);
UsernamePasswordCredentials creds = new
UsernamePasswordCredentials("adminusername", "password");
provider.setCredentials(authScope, creds);
HttpUriRequest request = new HttpGet("http://www.google.com");
try {
HttpResponse response = httpClient.execute(request);
BasicResponseHandler handler = new BasicResponseHandler();
String respStr = handler.handleResponse(response);
System.out.println(respStr);
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
thank you.
On Tue, Jan 15, 2013 at 5:12 PM, Oleg Kalnichevski <ol...@apache.org> wrote:
>
> HttpClient 4.2.3 should be available in the Maven central by now. I am
> going to send a formal release announcement in a short while.
>
> Oleg
>
> > On Tue, Jan 8, 2013 at 4:02 PM, dilip <ve...@gmail.com> wrote:
> >
> > > created issue
> > > https://issues.apache.org/jira/browse/HTTPCLIENT-1293
> > > i have tried changing the GGSSchemeBase.java
> > > my change is working in my setup
> > > added my change in comments.
> > >
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
Re: Re:
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2013-01-15 at 17:05 +0530, Deepak Mishra wrote:
> Thank you very much Dilip, Oleg.
>
> We need to get latest release of HttpClient 4.2.3 with this bug fix very
> urgently.
>
> Can you please also tell me how to get the latest jar files
> (httpclient-4.2.3.jar etc...) for the latest code
> or
> if I should build jar files locally on my machine then which branch should
> I use to check out the code, and what is the process for building jar files?
>
> Following are the branches I think I should use for the 4.2.3 code but not
> sure if I am correct. Please tell me the correct branch.
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.2.3/
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.2.3-RC1/
>
> http://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.2.3/
> http://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.2.3-RC1/
>
> thank you for helps,
> deepak
>
HttpClient 4.2.3 should be available in the Maven central by now. I am
going to send a formal release announcement in a short while.
Oleg
> On Tue, Jan 8, 2013 at 4:02 PM, dilip <ve...@gmail.com> wrote:
>
> > created issue
> > https://issues.apache.org/jira/browse/HTTPCLIENT-1293
> > i have tried changing the GGSSchemeBase.java
> > my change is working in my setup
> > added my change in comments.
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re:
Posted by Deepak Mishra <dk...@gmail.com>.
Thank you very much Dilip, Oleg.
We need to get latest release of HttpClient 4.2.3 with this bug fix very
urgently.
Can you please also tell me how to get the latest jar files
(httpclient-4.2.3.jar etc...) for the latest code
or
if I should build jar files locally on my machine then which branch should
I use to check out the code, and what is the process for building jar files?
Following are the branches I think I should use for the 4.2.3 code but not
sure if I am correct. Please tell me the correct branch.
http://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.2.3/
http://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.2.3-RC1/
http://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.2.3/
http://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.2.3-RC1/
thank you for helps,
deepak
On Tue, Jan 8, 2013 at 4:02 PM, dilip <ve...@gmail.com> wrote:
> created issue
> https://issues.apache.org/jira/browse/HTTPCLIENT-1293
> i have tried changing the GGSSchemeBase.java
> my change is working in my setup
> added my change in comments.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
Re:
Posted by dilip <ve...@gmail.com>.
created issue
https://issues.apache.org/jira/browse/HTTPCLIENT-1293
i have tried changing the GGSSchemeBase.java
my change is working in my setup
added my change in comments.
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: "Proxy Authentication Required" error in using kerberos
authentication with Proxy Server
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-12-18 at 17:22 +0530, Deepak Mishra wrote:
> Hi,
> We need to communicate to an internet URL through a Proxy Server, the Proxy
> Server has kerberos authentication integrated with an active directory.
> I am using HttpClient-4.2 with JRE 1.6.0_37. When I try to connect to an
> internet URL through the Proxy server, it returns "Proxy Authentication
> Required" error.
>
> On the other hand, when I try to communicate to a target host which has
> kerberos authentication, the communication succeeds.
> After debugging I found that in GGSSchemeBase.java, in method
> "authenticate" we get the token from KDC and then create a header
> "Authorization" with value "Negotiate token(in base 64 encoded format)".
> So, using this header the communication with Target Server succeeds but
> communication with Proxy Server fails. Because for Proxy Server, the Header
> name should be "Proxy-Authenticate".
>
> I have not modified the HttpClient code for my purpose, but it seems that
> for successful Proxy Server authentication using kerberos, the header name
> in request should be "Proxy-Authenticate".
> Can any one please look into this problem and help me in getting a patch
> that will work with Proxy Server using Kerberos authentication?
>
> Thank You,
> Deepak
Deepak
HttpClient should decide whether to use 'WWW-Authorization' or
'Proxy-Authorization' header based on the authentication challenge
received from the opposite endpoint (be it a proxy of the target host).
GGSSchemeBase class is wrong in always generating 'Authorization'
regardless of the challenge. Please raise a JIRA for this defect.
Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org