I found a solution that works, it's a bit of a workaround, but it's working at 
least. I'll list it here for the benefit of anyone who might be interested in 
something similar. Also, Oleg, thanks ever so much for the help today, you were 
immensely helpful in getting me on the right path. Thank you. I am going to 
deploy this code with the workaround described below so don't overwork yourself 
to get that feature in immediately. I'll put it in Bugzilla right now.

The solution is to do this:

1) On the initial query set setDoAuthentication(false).
2) Check the response for a 401 or 407 response.
   2a) In case of 407 set setDoAuthentication(true) and set your proxy
       credentials like you would normally, let httpclient authenticate NTLM.
   2b) In case of 401 use the BasicScheme.authenticate() method to return
       the basic authentication string and add an "Authorization" header to
       accomplish the basic authentication manually.
3) After executing the NTLM authentication you will get a 401 authentication
   challenge from the site so the code must be written to ensure that after the
   NTLM authentication occurs it loops back and checks the authentication
   response again and performs the steps for basic authentication.

David
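
The loop from steps 1 to 3 above, as an added example (not David's code and not part of HttpClient), assuming Commons HttpClient 3.x with the proxy already configured on the client's HostConfiguration; the class and method names are hypothetical. It also refuses to send Basic credentials unless the URL is https, following the "NTLM proxy + SSL + BASIC host" combination suggested earlier in the thread.

```java
import java.io.IOException;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.auth.BasicScheme;
import org.apache.commons.httpclient.methods.GetMethod;

public class ProxyNtlmThenBasic {          // hypothetical class name
    /** Returns the executed method; the caller reads it and calls releaseConnection(). */
    public static GetMethod fetch(HttpClient client, String url,
            NTCredentials proxyCreds, UsernamePasswordCredentials siteCreds)
            throws IOException {
        boolean proxyAuth = false;   // step 2a has been taken
        boolean basicSent = false;   // step 2b has been taken
        // At most three requests: initial, after proxy setup, after Basic header.
        for (int attempt = 0; attempt < 3; attempt++) {
            GetMethod get = new GetMethod(url);      // fresh method per attempt
            get.setDoAuthentication(proxyAuth);      // step 1: false on the first request
            if (basicSent) {
                // Step 2b: build the Basic value ourselves and attach it manually.
                get.setRequestHeader(new Header("Authorization",
                        BasicScheme.authenticate(siteCreds, "ISO-8859-1")));
            }
            int status = client.executeMethod(get);
            if (status == 407 && !proxyAuth) {
                // Step 2a: let HttpClient run the NTLM handshake with the proxy.
                // Scope the credentials to the configured proxy, not AuthScope.ANY.
                HostConfiguration hc = client.getHostConfiguration();
                client.getState().setProxyCredentials(
                        new AuthScope(hc.getProxyHost(), hc.getProxyPort()), proxyCreds);
                proxyAuth = true;
            } else if (status == 401 && !basicSent) {
                // Step 3: the site challenges after the proxy let us through.
                if (!url.startsWith("https://")) {
                    get.releaseConnection();
                    throw new IOException("refusing to send Basic credentials without SSL");
                }
                basicSent = true;
            } else {
                return get;          // success, or a failure that retrying will not fix
            }
            get.releaseConnection();
        }
        throw new IOException("authentication did not complete"); // not reached in practice
    }
}
```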


On Wed, 29 Jun 2005 13:12:00 -0700, David Parks wrote:
> Hi Oleg, thanks, I'll put that request in today.
> This helps a lot, at least I know I'm on the right path now.
>
> I am attempting to devise a workaround for this by handling the
> authentication manually (setDoAuthentication(false)).
>
> When I see a 401 error I am processing a basic authentication with
> the site credentials, when I see a 407 error I want to process an
> NTLM authentication with the proxy credentials.
>
> To that end I have the following code that runs after
> httpclient.execute(getmethod) executes. The code below works
> perfectly for the basic authentication (when the proxy is not in
> the picture).
>
> In looking up the Handshake of the NTLM authentication I see that I
> have a problem with the code below since the handshake includes 2
> challenge and authorization steps before the authentication
> succeeds. I'm not clear how I could manually authenticate the NTLM
> response. I would expect the NTLMScheme class to contain a Type 1
> and Type 3 authenticate() method for processing both challenge
> responses. Is there another way of processing the NTLM
> authentication after receiving the initial authentication challenge
> from the server?
>
> // Check for Proxy or Site authentication
> if (getmethod.getStatusCode() == 401) {
>     // Authenticate to the site using Basic authentication.
>     BasicScheme basicscheme = new BasicScheme();
>     String basic_auth_string = basicscheme.authenticate(
>         new NTCredentials("cwftp", "664A754c", "", ""), getmethod);
>     Header basic_auth_header = new Header("Authorization",
>         basic_auth_string);
>     getmethod.addRequestHeader(basic_auth_header);
>     try {
>         httpclient.executeMethod(getmethod);
>     } catch (Exception e) {
>         logger.log(Level.SEVERE, "ack!!!!", e);
>     }
>     return getmethod;
> } else if (getmethod.getStatusCode() == 407) {
>     // Authenticate to the site using Basic authentication
>     NTLMScheme ntlmscheme = new NTLMScheme();
>     String basic_auth_string = ntlmscheme.authenticate(
>         new NTCredentials("00mercbac", "![EMAIL PROTECTED]", "simproxy", "CFC"),
>         getmethod);
>     Header basic_auth_header = new Header("Authorization",
>         basic_auth_string);
>     getmethod.addRequestHeader(basic_auth_header);
>     try {
>         httpclient.executeMethod(getmethod);
>     } catch (Exception e) {
>         logger.log(Level.SEVERE, "ack!!!!", e);
>     }
>     return getmethod;
> }
>
>
> Thanks,
> David
>
>
> On Wed, 29 Jun 2005 20:00:02 +0200, Oleg Kalnichevski wrote:
>
>> On Wed, Jun 29, 2005 at 10:34:38AM -0700, David Parks wrote:
>>
>>> Thanks for the reply Oleg. This is what I figured, but I cannot
>>> see how to use different authentication schemes for the Proxy
>>> vs. the Site authentication challenge.
>>>
>>> I tried adding the code suggested in the Authentication
>>> tutorial:
>>>
>>> List authPrefs = new ArrayList(2);
>>> authPrefs.add(AuthPolicy.DIGEST);
>>> authPrefs.add(AuthPolicy.BASIC);
>>> authPrefs.add(AuthPolicy.NTLM);
>>> // This will exclude the NTLM authentication scheme
>>> httpclient.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
>>>
>>> I got a message stating that it was attempting BASIC
>>> authentication for the Proxy and that it failed (probably
>>> because the domain doesn't get passed I guess). So my thought
>>> is that I need NTLM for the proxy authentication and Basic
>>> will work for the site authentication.
>>>
>>> The question I am then working on is how to direct the
>>> HttpClient to select that order of authentication methods. If
>>> I let it take NTLM as the preferred authentication method then
>>> it will try to authenticate both challenges with NTLM.
>>>
>>> I'm sure there is just some little detail I'm missing here
>>> somewhere, it's just hard to find it.
>>>
>>>
>> David,
>>
>> I see the problem. This will require a patch and a new parameter.
>> Luckily the preference API introduced in HttpClient 3.0 allows
>> us to add parameters quite easily. Please file a feature request
>> with Bugzilla ASAP and I'll do my best to hack up a patch before
>> I leave for holidays (that is Friday, July 1st)
>>
>> Oleg
>>
>>> Thanks a lot!
>>> David
>>>
>>>
>>> On Wed, 29 Jun 2005 19:17:24 +0200, Oleg Kalnichevski wrote:
>>>
>>>> On Wed, Jun 29, 2005 at 09:53:07AM -0700, David Parks wrote:
>>>>
>>>>> Hi all,
>>>>> I am trying to authenticate to a server via a proxy which
>>>>> also requires authentication. It seems that I can get
>>>>> either the proxy authentication to work OR the site
>>>>> authentication to work, but not both.
>>>>>
>>>>> Both seem to work independently when I set the credentials
>>>>> (or proxy credentials) using NTCredentials (e.g. if I
>>>>> connect to the site from a network not using a proxy I can
>>>>> get it to work, and I can authenticate to the proxy only
>>>>> to get a 401 authentication failed from the server when
>>>>> using the proxy).
>>>>>
>>>>> I read in the Authentication tutorial that you can't
>>>>> authenticate using NTLM to both the proxy and site, so I'm
>>>>> trying various combinations of authentication, but I
>>>>> can't find any documentation that specifically covers
>>>>> this case and I feel like I'm just taking stabs in the
>>>>> dark right now.
>>>>>
>>>> David,
>>>>
>>>> You _really_ can't use NTLM to authenticate with the proxy
>>>> and the target host at the same time, due to the nature of this
>>>> authentication scheme. Really. That was not a joke.
>>>>
>>>> Please consider using one of the following combinations
>>>> instead:
>>>>
>>>> (1) BASIC proxy + NTLM host if both the client and the proxy
>>>> are within a trusted network segment
>>>>
>>>> (2) NTLM proxy + SSL + BASIC host
>>>>
>>>> Both combinations should provide adequate (or better in
>>>> the latter case) security
>>>>
>>>> Hope this helps
>>>>
>>>> Oleg
>>>>
>>>>>
>>>>> If anyone can point me in the direction of the light at
>>>>> the end of the tunnel I'd really appreciate it.
>>>>>
>>>>> Thanks,
>>>>> David



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
