407 error with NTLM proxy

Matt Russell Fri, 28 Mar 2014 11:02:17 -0700

Hi,

I'm hoping someone can help me diagnose an intermittent "407 Proxy
Authentication Required" error when using HttpClient through an NTLM proxy.


I've found that I always get a 407 responses, unless I first go and fetch
any web page in a browser. After I load a page, I get "200 OK" responses
for 30 seconds via HttpClient, after which it reverts to 407s.

(My guess is that this is because HttpClient is handing off the
authentication to the OS, as is the web browser, and the browser request
causes an authentication token to be cached for a while, which lets
HttpClient work until it expires.)

I'm using HttpClient 4.2.3 on Windows XP, proxy is squid/2.7.STABLE4. I've
tried both with and without a JCIFS NTLM engine, but it seems to make no
difference. Java code and logs below.

Any help would be much appreciated,

Cheers,

-- Matt


Code
====

import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Date;

import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthSchemeFactory;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.impl.auth.NTLMScheme;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpParams;

public class HttpTest {

private static final String PROXY_HOST = "webproxy";
private static final int PROXY_PORT = 8080;
private static final String USERNAME = "USERNAME";
private static final String PASSWORD = "PASSWORD";
private static final String DOMAIN = "DOMAIN";
private static final String TEST_URL = "http://www.example.com";;

public static void main(String[] args) throws Exception {
    DefaultHttpClient httpClient = httpClient();
    HttpGet get = new HttpGet(new URI(TEST_URL));
    HttpResponse response = httpClient.execute(get);
    StatusLine statusLine = response.getStatusLine();
    System.out.println(statusLine);
}

private static DefaultHttpClient httpClient() {
DefaultHttpClient httpClient = new DefaultHttpClient();
httpClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, new
HttpHost(PROXY_HOST, PROXY_PORT));
configureNTLMCredentials(httpClient);
return httpClient;
}

private static void configureNTLMCredentials(DefaultHttpClient httpClient) {
httpClient.getAuthSchemes().register("ntlm", new AuthSchemeFactory() {
public AuthScheme newInstance(HttpParams _) {
return new NTLMScheme(new JCIFSEngine());
}
});
NTCredentials credentials = new NTCredentials(USERNAME, PASSWORD,
hostName(), DOMAIN);
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, credentials);
httpClient.getCredentialsProvider().setCredentials(AuthScope.ANY,
credentials);
}

private static String hostName() {
try {
return InetAddress.getLocalHost().getHostName();
} catch (UnknownHostException e) {
throw new RuntimeException(e);
}
}
}


Log for a 407
=============

2014/03/28 14:49:40:652 GMT [DEBUG] BasicClientConnectionManager - Get
connection for route {tls}->http://webproxy:8080->https://example.com
2014/03/28 14:49:40:668 GMT [DEBUG] DefaultClientConnectionOperator -
Connecting to webproxy:8080
2014/03/28 14:49:40:699 GMT [DEBUG] RequestAuthCache - Auth cache not set
in the context
2014/03/28 14:49:40:699 GMT [DEBUG] RequestProxyAuthentication - Proxy auth
state: UNCHALLENGED
2014/03/28 14:49:40:699 GMT [DEBUG] DefaultClientConnection - Sending
request: CONNECT example.com:443 HTTP/1.1
2014/03/28 14:49:40:699 GMT [DEBUG] headers - >> CONNECT example.com:443HTTP/1.1
2014/03/28 14:49:40:699 GMT [DEBUG] headers - >> Host: example.com
2014/03/28 14:49:40:699 GMT [DEBUG] headers - >> Proxy-Connection:
Keep-Alive
2014/03/28 14:49:40:699 GMT [DEBUG] headers - >> User-Agent:
Apache-HttpClient/4.2.3 (java 1.5)
2014/03/28 14:49:40:715 GMT [DEBUG] DefaultClientConnection - Receiving
response: HTTP/1.0 407 Proxy Authentication Required
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << HTTP/1.0 407 Proxy
Authentication Required
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Server: squid/2.7.STABLE4
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Date: Fri, 28 Mar 2014
14:49:40 GMT
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Content-Type: text/html
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Content-Length: 1370
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Expires: Fri, 28 Mar 2014
14:49:40 GMT
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << X-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Proxy-Authenticate: NTLM
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << X-Cache: MISS from
ClientSiteProxy
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << X-Cache-Lookup: NONE from
ClientSiteProxy:8080
2014/03/28 14:49:40:715 GMT [DEBUG] headers - << Connection: close
2014/03/28 14:49:40:715 GMT [DEBUG] ResponseProcessCookies - Cookie spec
not specified in HTTP context
2014/03/28 14:49:40:715 GMT [DEBUG] DefaultHttpClient - Authentication
required
2014/03/28 14:49:40:715 GMT [DEBUG] DefaultHttpClient - webproxy:8080
requested authentication
2014/03/28 14:49:40:715 GMT [DEBUG] ProxyAuthenticationStrategy -
Authentication schemes in the order of preference: [negotiate, Kerberos,
NTLM, Digest, Basic]
2014/03/28 14:49:40:715 GMT [DEBUG] ProxyAuthenticationStrategy - Challenge
for negotiate authentication scheme not available
2014/03/28 14:49:40:715 GMT [DEBUG] ProxyAuthenticationStrategy - Challenge
for Kerberos authentication scheme not available
2014/03/28 14:49:40:715 GMT [DEBUG] ProxyAuthenticationStrategy - Challenge
for Digest authentication scheme not available
2014/03/28 14:49:40:715 GMT [DEBUG] ProxyAuthenticationStrategy - Challenge
for Basic authentication scheme not available
2014/03/28 14:49:40:715 GMT [DEBUG] DefaultHttpClient - Selected
authentication options: [NTLM]
2014/03/28 14:49:40:715 GMT [DEBUG] DefaultClientConnection - Connection
0.0.0.0:12165<->192.168.115.74:8080 closed
2014/03/28 14:49:40:715 GMT [DEBUG] DefaultClientConnectionOperator -
Connecting to webproxy:8080
2014/03/28 14:49:40:730 GMT [DEBUG] RequestAuthCache - Auth cache not set
in the context
2014/03/28 14:49:40:730 GMT [DEBUG] RequestProxyAuthentication - Proxy auth
state: CHALLENGED
2014/03/28 14:49:40:730 GMT [DEBUG] RequestProxyAuthentication - Generating
response to an authentication challenge using ntlm scheme
2014/03/28 14:49:40:746 GMT [DEBUG] DefaultClientConnection - Sending
request: CONNECT example.com:443 HTTP/1.1
2014/03/28 14:49:40:746 GMT [DEBUG] headers - >> CONNECT example.com:443HTTP/1.1
2014/03/28 14:49:40:746 GMT [DEBUG] headers - >> Host: example.com
2014/03/28 14:49:40:746 GMT [DEBUG] headers - >> Proxy-Connection:
Keep-Alive
2014/03/28 14:49:40:746 GMT [DEBUG] headers - >> User-Agent:
Apache-HttpClient/4.2.3 (java 1.5)
2014/03/28 14:49:40:746 GMT [DEBUG] headers - >> Proxy-Authorization: NTLM
TlRMTVNTUAABAAAABbIIoAQABAAgAAAACgAKACQAAABIQ1VLTExIQzAwMTUzNw==
2014/03/28 14:49:40:762 GMT [DEBUG] DefaultClientConnection - Receiving
response: HTTP/1.0 407 Proxy Authentication Required
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << HTTP/1.0 407 Proxy
Authentication Required
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Server: squid/2.7.STABLE4
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Date: Fri, 28 Mar 2014
14:49:40 GMT
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Content-Type: text/html
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Content-Length: 1370
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Expires: Fri, 28 Mar 2014
14:49:40 GMT
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << X-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADgAAAAFgomiTNnsnwdgPAYAAAAAAAAAAIYAhgBAAAAABgGxHQAAAA9IAEMAVQBLAAIACABIAEMAVQBLAAEAFABNAFYAVwBQAC0AQwBTAFAAMAAyAAQAEABoAGMAdQBrAC4AcAByAGkAAwAmAE0AVgBXAFAALQBDAFMAUAAwADIALgBoAGMAdQBrAC4AcAByAGkABQAQAGgAYwB1AGsALgBwAHIAaQAHAAgAZ7jx8pRKzwEAAAAA
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << X-Cache: MISS from
ClientSiteProxy
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << X-Cache-Lookup: NONE from
ClientSiteProxy:8080
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Connection: keep-alive
2014/03/28 14:49:40:762 GMT [DEBUG] headers - << Proxy-Connection:
keep-alive
2014/03/28 14:49:40:762 GMT [DEBUG] ResponseProcessCookies - Cookie spec
not specified in HTTP context
2014/03/28 14:49:40:762 GMT [DEBUG] DefaultHttpClient - Authentication
required
2014/03/28 14:49:40:762 GMT [DEBUG] DefaultHttpClient - webproxy:8080
requested authentication
2014/03/28 14:49:40:762 GMT [DEBUG] DefaultHttpClient - Authorization
challenge processed
2014/03/28 14:49:40:762 GMT [DEBUG] DefaultHttpClient - Connection kept
alive
2014/03/28 14:49:40:762 GMT [DEBUG] RequestAuthCache - Auth cache not set
in the context
2014/03/28 14:49:40:762 GMT [DEBUG] RequestProxyAuthentication - Proxy auth
state: HANDSHAKE
2014/03/28 14:49:40:762 GMT [DEBUG] DefaultClientConnection - Sending
request: CONNECT example.com:443 HTTP/1.1
2014/03/28 14:49:40:762 GMT [DEBUG] headers - >> CONNECT example.com:443HTTP/1.1
2014/03/28 14:49:40:762 GMT [DEBUG] headers - >> Host: example.com
2014/03/28 14:49:40:762 GMT [DEBUG] headers - >> Proxy-Connection:
Keep-Alive
2014/03/28 14:49:40:762 GMT [DEBUG] headers - >> User-Agent:
Apache-HttpClient/4.2.3 (java 1.5)
2014/03/28 14:49:40:762 GMT [DEBUG] headers - >> Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAEAAAAC2ALYAWAAAAAgACAAOAQAADgAOABYBAAAUABQAJAEAAAAAAAAAAAAABYKIosEVy/XXkUTCvU/zAtCvraJ3GkkzjHU8oXJ47IiyvgJDJ8xXYky8wvsBAQAAAAAAAKAf4/KUSs8BwSwUOP6RDVcAAAAAAgAIAEgAQwBVAEsAAQAUAE0AVgBXAFAALQBDAFMAUAAwADIABAAQAGgAYwB1AGsALgBwAHIAaQADACYATQBWAFcAUAAtAEMAUwBQADAAMgAuAGgAYwB1AGsALgBwAHIAaQAFABAAaABjAHUAawAuAHAAcgBpAAcACABnuPHylErPAQAAAAAAAAAASABDAFUASwBqAGUAbgBrAGkAbgBzAEwATABIAEMAMAAwADEANQAzADcA
2014/03/28 14:49:40:793 GMT [DEBUG] DefaultClientConnection - Receiving
response: HTTP/1.0 407 Proxy Authentication Required
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << HTTP/1.0 407 Proxy
Authentication Required
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Server: squid/2.7.STABLE4
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Date: Fri, 28 Mar 2014
14:49:40 GMT
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Content-Type: text/html
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Content-Length: 1370
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Expires: Fri, 28 Mar 2014
14:49:40 GMT
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << X-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Proxy-Authenticate: NTLM
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << X-Cache: MISS from
ClientSiteProxy
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << X-Cache-Lookup: NONE from
ClientSiteProxy:8080
2014/03/28 14:49:40:793 GMT [DEBUG] headers - << Connection: close
2014/03/28 14:49:40:793 GMT [DEBUG] ResponseProcessCookies - Cookie spec
not specified in HTTP context
2014/03/28 14:49:40:793 GMT [DEBUG] DefaultHttpClient - Authentication
required
2014/03/28 14:49:40:793 GMT [DEBUG] DefaultHttpClient - webproxy:8080
requested authentication
2014/03/28 14:49:40:793 GMT [DEBUG] DefaultHttpClient - Authorization
challenge processed
2014/03/28 14:49:40:793 GMT [DEBUG] DefaultHttpClient - Authentication
failed
2014/03/28 14:49:40:793 GMT [DEBUG] DefaultHttpClient - CONNECT refused by
proxy: HTTP/1.0 407 Proxy Authentication Required
2014/03/28 14:49:40:793 GMT [DEBUG] BasicClientConnectionManager -
Releasing connection
org.apache.http.impl.conn.ManagedClientConnectionImpl@1e893df
2014/03/28 14:49:40:793 GMT [DEBUG] BasicClientConnectionManager -
Connection can be kept alive for 9223372036854775807 MILLISECONDS

407 error with NTLM proxy

Reply via email to