We have been using HttpClient 3.0 release for a few years now. We recently
switched on preemptive authentication:
fHttpClient.getParams().setAuthenticationPreemptive(true);
My best guess is that this causes an issue when attempting to connect via a
proxy requiring authentication. The proxy is an ISA proxy server requiring
NTLM authentication.
Connecting using the same proxy has worked previously (as I confirmed
looking into logs).
I cannot reproduce this with a non NTLM proxy. The application works with
other proxies requiring authentication.
Below is a log, but I changed the proxy server name to hostname.domain.com
(it had same structure).
An IllegalStateException: Authentication state already initialized is
thrown from AuthState.setPreemptive after the user provides the proxy
credentials (see entry 97)
Is this a known issue?
Thanks,
Henrich
...
18 DEBUG 00:10.40 Set parameter http.useragent = Jakarta
Commons-HttpClient/3.0
19 DEBUG 00:10.40 Set parameter http.protocol.version = HTTP/1.1
20 DEBUG 00:10.40 Set parameter http.connection-manager.class = class
org.apache.commons.httpclient.SimpleHttpConnectionManager
21 DEBUG 00:10.40 Set parameter http.protocol.cookie-policy = rfc2109
22 DEBUG 00:10.40 Set parameter http.protocol.element-charset =
US-ASCII
23 DEBUG 00:10.40 Set parameter http.protocol.content-charset =
ISO-8859-1
24 DEBUG 00:10.41 Set parameter http.method.retry-handler =
[EMAIL PROTECTED]
25 DEBUG 00:10.41 Set parameter http.dateparser.patterns = [EEE, dd
MMM yyyy HH:mm:ss zzz, EEEE, dd-MMM-yy HH:mm:ss zzz, EEE MMM d HH:mm:ss
yyyy,
EEE, dd-MMM-yyyy HH:mm:ss z, EEE, dd-MMM-yyyy HH-mm-ss z, EEE, dd MMM yy
HH:mm:ss z, EEE dd-MMM-yyyy HH:mm:ss z, EEE dd MMM yyyy HH:mm:ss z, EEE
dd-MMM-yyyy HH-mm-ss z, EEE dd-MMM-yy HH:mm:ss z, EEE dd MMM yy HH:mm:ss z,
EEE,dd-MMM-yy HH:mm:ss z, EEE,dd-MMM-yyyy HH:mm:ss z, EEE, dd-MM-yyyy
HH:mm:ss z]
26 DEBUG 00:10.41 Java version: 1.5.0
27 DEBUG 00:10.41 Java vendor: IBM Corporation
28 DEBUG 00:10.41 Java class path: C:\RATIONAL\InstallMgr\eclipse
\plugins\org.eclipse.equinox.launcher_1.0.100.v20080303.jar
29 DEBUG 00:10.41 Operating system name: Windows XP
30 DEBUG 00:10.41 Operating system architecture: x86
31 DEBUG 00:10.41 Operating system version: 5.1 build 2600 Service
Pack 2
32 DEBUG 00:10.49 IBMJSSE2 1.5: IBM JSSE provider2 (implements
IbmX509 key/trust factories, SSLv3, TLSv1)
33 DEBUG 00:10.49 IBMJCE 1.2: IBMJCE Provider implements the
following: HMAC-SHA1, MD2, MD5, MARS, SHA, MD2withRSA, MD5withRSA,
SHA1withRSA, RSA,
SHA1withDSA, RC2, RC4, Seal)implements the following:
Signature algorithms : SHA1withDSA, SHA1withRSA, MD5withRSA,
MD2withRSA,
SHA2withRSA, SHA3withRSA,
SHA5withRSA
Cipher algorithms : Blowfish, AES, DES, TripleDES,
PBEWithMD2AndDES,
PBEWithMD2AndTripleDES,
PBEWithMD2AndRC2,
PBEWithMD5AndDES,
PBEWithMD5AndTripleDES,
PBEWithMD5AndRC2, PBEWithSHA1AndDES
PBEWithSHA1AndTripleDES,
PBEWithSHA1AndRC2
PBEWithSHAAnd40BitRC2,
PBEWithSHAAnd128BitRC2
PBEWithSHAAnd40BitRC4,
PBEWithSHAAnd128BitRC4
PBEWithSHAAnd2KeyTripleDES,
PBEWithSHAAnd3KeyTripleDES
Mars, RC2, RC4, ARCFOUR
RSA, Seal
Message authentication code (MAC) : HmacSHA1, HmacSHA256, HmacSHA384,
HmacSHA512, HmacMD2, HmacMD5
Key agreement algorithm : DiffieHellman
Key (pair) generator : Blowfish, DiffieHellman, DSA, AES,
DES, TripleDES, HmacMD5,
HmacSHA1, Mars, RC2, RC4, RSA, Seal,
ARCFOUR
Message digest : MD2, MD5, SHA-1, SHA-256, SHA-384,
SHA-512
Algorithm parameter generator : DiffieHellman, DSA
Algorithm parameter : Blowfish, DiffieHellman, AES, DES,
TripleDES, DSA, Mars,
PBEwithMD5AndDES, RC2
Key factory : DiffieHellman, DSA, RSA
Secret key factory : Blowfish, AES, DES, TripleDES, Mars,
RC2, RC4, Seal, ARCFOUR
PKCS5Key, PBKDF1 and PBKDF2
(PKCS5Derived Key).
Certificate : X.509
Secure random : IBMSecureRandom
Key store : JCEKS, PKCS12KS (PKCS12), JKS
34 DEBUG 00:10.49 IBMJGSSProvider 1.5: IBMJGSSProvider supports
Kerberos V5 Mechanism
35 DEBUG 00:10.49 IBMCertPath 1.1: IBMCertPath Provider implements
the following:
CertificateFactory : X.509
CertPathValidator : PKIX
CertStore : Collection, LDAP
CertPathBuilder : PKIX
36 DEBUG 00:10.49 IBMSASL 1.5: IBM SASL provider(implements client
mechanisms for: DIGEST-MD5, GSSAPI, EXTERNAL, PLAIN, CRAM-MD5; server
mechanisms
for: DIGEST-MD5, GSSAPI, CRAM-MD5)
37 DEBUG 00:10.49 Set parameter
http.authentication.credential-provider =
[EMAIL PROTECTED]
38 DEBUG 00:10.49 Set parameter http.connection-manager.timeout =
30000
39 DEBUG 00:10.49 Set parameter http.socket.timeout = 30000
40 DEBUG 00:10.51 Set parameter http.authentication.preemptive = true
41 DEBUG 00:10.51 Set parameter http.tcp.nodelay = true
42 DEBUG 00:10.51 Set parameter http.connection-manager.max-per-host
= {HostConfiguration[]=4}
43 DEBUG 00:10.51 Set parameter http.connection-manager.max-total =
20
...
45 DEBUG 00:10.51 enter download
(download:https://www.ibm.com/software/rational/repositorymanager/site/repository.xml
to 'C:\DOCUME~1\spnbs\LOCALS~1
\Temp\cicdip_spnbs\1223322774142\nf\cicURLLrepository.xml26203xml'
expectedSize='UNKNOWN'
...
48 DEBUG 00:10.54 Set parameter http.method.retry-handler =
com.ibm.cic.common.transports.httpclient.HttpClientDownloadHandler
[EMAIL PROTECTED]
49 DEBUG 00:10.54 HttpConnectionManager.getConnection: config =
HostConfiguration[host=https://www.ibm.com,
proxyHost=http://hostname.domain.com:8080],
timeout = 30000
50 DEBUG 00:10.54 Allocating new connection,
hostConfig=HostConfiguration[host=https://www.ibm.com,
proxyHost=http://hostname.domain.com:8080]
51 DEBUG 00:10.54 Preemptively sending default basic credentials
52 DEBUG 00:10.55 Authenticating with BASIC <any
realm>@www.ibm.com:443
53 WARNING 00:10.55 Required credentials not available for BASIC
<any realm>@www.ibm.com:443
54 WARNING 00:10.55 Preemptive authentication requested but no
default credentials available
55 DEBUG 00:10.55 Open connection to hostname.domain.com:8080
56 DEBUG 00:10.57 Preemptively sending default basic credentials
57 DEBUG 00:10.57 Authenticating with BASIC <any
realm>@hostname.domain.com:8080
58 WARNING 00:10.57 Required proxy credentials not available for
BASIC <any realm>@hostname.domain.com:8080
59 WARNING 00:10.57 Preemptive authentication requested but no
default proxy credentials available
60 DEBUG 00:10.57 >> "CONNECT www.ibm.com:443 HTTP/1.1"
61 DEBUG 00:10.57 Adding Host request header
62 DEBUG 00:10.57 >> "User-Agent: Jakarta Commons-HttpClient/3.0
[\r][\n]"
63 DEBUG 00:10.59 >> "Host: www.ibm.com[\r][\n]"
64 DEBUG 00:10.59 >> "Proxy-Connection: Keep-Alive[\r][\n]"
65 DEBUG 00:10.59 >> "[\r][\n]"
66 DEBUG 00:10.59 << "HTTP/1.1 407 Proxy Authentication Required
( The ISA Server requires authorization to fulfill the request. Access to
the Web Proxy service is
denied. )[\r][\n]"
67 DEBUG 00:10.59 << "Via: 1.1 HOSTNAME [\r][\n]"
68 DEBUG 00:10.59 << "Proxy-Authenticate: NTLM[\r][\n]"
69 DEBUG 00:10.59 << "Proxy-Authenticate: Basic
realm="hostname.domain.com"[\r][\n]"
70 DEBUG 00:10.59 << "Proxy-Authenticate: Kerberos[\r][\n]"
71 DEBUG 00:10.59 << "Proxy-Authenticate: Negotiate[\r][\n]"
72 DEBUG 00:10.59 << "Connection: close[\r][\n]"
73 DEBUG 00:10.59 << "Proxy-Connection: close[\r][\n]"
74 DEBUG 00:10.59 << "Pragma: no-cache[\r][\n]"
75 DEBUG 00:10.59 << "Cache-Control: no-cache[\r][\n]"
76 DEBUG 00:10.59 << "Content-Type: text/html[\r][\n]"
77 DEBUG 00:10.59 << "Content-Length: 2367[\r][\n]"
78 DEBUG 00:10.60 CONNECT status code 407
79 DEBUG 00:10.60 Supported authentication schemes in the order of
preference: [ntlm, digest, basic]
80 INFO 00:10.60 ntlm authentication scheme selected
81 DEBUG 00:10.60 Using authentication scheme: ntlm
82 DEBUG 00:10.60 Authorization challenge processed
83 DEBUG 00:10.60 Proxy authentication scope: NTLM <any
realm>@hostname.domain.com:8080
84 DEBUG 00:10.60 Proxy credentials required
85 DEBUG 00:10.62 HttpClientNonProxyAuthenticator: no persisted
credentials stored for scheme=NTLM realm= host=hostname.domain.com
port=8080 proxy=true
86 DEBUG 00:22.30 NTLM <any realm>@hostname.domain.com:8080 new
credentials given
87 DEBUG 00:22.30 Should close connection in response to directive:
close
88 DEBUG 00:22.32 Open connection to hostname.domain.com:8080
89 DEBUG 00:22.32 Preemptively sending default basic credentials
90 DEBUG 00:22.32 Releasing connection back to connection manager.
91 DEBUG 00:22.32 Freeing connection, hostConfig=HostConfiguration
[host=https://www.ibm.com, proxyHost=http://hostname.domain.com:8080]
92 DEBUG 00:22.32 Adding connection at: 1223322786123
93 DEBUG 00:22.32 Notifying no-one, there are no waiting threads
...
97 ERROR 00:22.32 Unexpected exception
<exception> java.lang.IllegalStateException: Authentication state already
initialized
<stack>org.apache.commons.httpclient.auth.AuthState.setPreemptive
(AuthState.java:119)</stack>
<stack>org.apache.commons.httpclient.HttpMethodDirector.executeConnect
(HttpMethodDirector.java:486)</stack>
<stack>org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry
(HttpMethodDirector.java:390)</stack>
<stack>org.apache.commons.httpclient.HttpMethodDirector.executeMethod
(HttpMethodDirector.java:170)</stack>
<stack>org.apache.commons.httpclient.HttpClient.executeMethod
(HttpClient.java:396)</stack>
<stack>org.apache.commons.httpclient.HttpClient.executeMethod
(HttpClient.java:324)</stack>
