I'm prototyping NTLM authentication with your 4.5 HTTP client and Spring RestTemplate. This currently fails with a org.apache.http.impl.auth.NTLMEngineException "NTLM authentication error: NTLM authentication - buffer too small for data item". The wire log is at the very end of this message. Unfortunately I wasn't able to get to cause of this yet. Hints appreciated.
Just below the code is a simple standalone example for anybody to
verify, it goes against a public NTLM host.
RestTemplate restTemplate = new RestTemplate();
restTemplate.setRequestFactory(buildHttpComponentsClientHttpRequestFactory(args));
private static HttpComponentsClientHttpRequestFactory
buildHttpComponentsClientHttpRequestFactory(String[] args) {
PoolingHttpClientConnectionManager cm = new
PoolingHttpClientConnectionManager();
cm.setMaxTotal(128);
cm.setDefaultMaxPerRoute(24);
RequestConfig.Builder requestBuilder =
RequestConfig.custom().setConnectTimeout(5000).setSocketTimeout(10000);
Registry<AuthSchemeProvider> authSchemeRegistry =
RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.NTLM, new NTLMSchemeFactory())
.register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory()).build();
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new
NTCredentials(args[1], args[2], null, args[3]));
HttpClientBuilder builder = HttpClientBuilder.create()
.setConnectionManager(cm)
.setDefaultRequestConfig(requestBuilder.build())
.setDefaultAuthSchemeRegistry(authSchemeRegistry)
.setDefaultCredentialsProvider(credentialsProvider);
return new HttpComponentsClientHttpRequestFactory(builder.build());
}
[Testing]
- download https://frightanic.com/misc/msr-ntlm-prototype.zip (26.7KB)
- unzip
- $ mvn package
- $ java -jar target/ntlm-prototype-1.0-SNAPSHOT.jar
https://ntlm.herokuapp.com user pass domain
[Log]
23:06:46,962 | RestTemplate | Created GET request
for "https://ntlm.herokuapp.com";
23:06:46,966 | RestTemplate | Setting request
Accept header to [text/plain, */*]
23:06:46,995 | RequestAddCookies | CookieSpec
selected: default
23:06:47,008 | RequestAuthCache | Auth cache not set
in the context
23:06:47,009 | PoolingHttpClientConnectionManager | Connection request:
[route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 0; route
allocated: 0 of 24; total allocated: 0 of 128]
23:06:47,027 | PoolingHttpClientConnectionManager | Connection leased:
[id: 0][route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 0;
route allocated: 1 of 24; total allocated: 1 of 128]
23:06:47,029 | MainClientExec | Opening connection
{s}->https://ntlm.herokuapp.com:443
23:06:47,182 | DefaultHttpClientConnectionOperator | Connecting to
ntlm.herokuapp.com/23.23.92.140:443
23:06:47,183 | SSLConnectionSocketFactory | Connecting socket
to ntlm.herokuapp.com/23.23.92.140:443 with timeout 5000
23:06:47,438 | SSLConnectionSocketFactory | Enabled protocols:
[TLSv1, TLSv1.1, TLSv1.2]
23:06:47,438 | SSLConnectionSocketFactory | Enabled cipher
suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
23:06:47,438 | SSLConnectionSocketFactory | Starting handshake
23:06:47,677 | SSLConnectionSocketFactory | Secure session
established
23:06:47,677 | SSLConnectionSocketFactory | negotiated
protocol: TLSv1.2
23:06:47,677 | SSLConnectionSocketFactory | negotiated cipher
suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
23:06:47,677 | SSLConnectionSocketFactory | peer principal:
CN=*.herokuapp.com, O="Heroku, Inc.", L=San Francisco, ST=California, C=US
23:06:47,678 | SSLConnectionSocketFactory | peer alternative
names: [*.herokuapp.com, herokuapp.com]
23:06:47,678 | SSLConnectionSocketFactory | issuer principal:
CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com,
O=DigiCert Inc, C=US
23:06:47,683 | DefaultHttpClientConnectionOperator | Connection
established 172.19.1.229:59368<->23.23.92.140:443
23:06:47,683 | DefaultManagedHttpClientConnection | http-outgoing-0:
set socket timeout to 10000
23:06:47,683 | MainClientExec | Executing request
GET / HTTP/1.1
23:06:47,683 | MainClientExec | Target auth state:
UNCHALLENGED
23:06:47,684 | MainClientExec | Proxy auth state:
UNCHALLENGED
23:06:47,685 | headers | http-outgoing-0 >>
GET / HTTP/1.1
23:06:47,685 | headers | http-outgoing-0 >>
Accept: text/plain, */*
23:06:47,685 | headers | http-outgoing-0 >>
Host: ntlm.herokuapp.com
23:06:47,685 | headers | http-outgoing-0 >>
Connection: Keep-Alive
23:06:47,686 | headers | http-outgoing-0 >>
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
23:06:47,686 | headers | http-outgoing-0 >>
Accept-Encoding: gzip,deflate
23:06:47,686 | wire | http-outgoing-0 >>
"GET / HTTP/1.1[\r][\n]"
23:06:47,686 | wire | http-outgoing-0 >>
"Accept: text/plain, */*[\r][\n]"
23:06:47,686 | wire | http-outgoing-0 >>
"Host: ntlm.herokuapp.com[\r][\n]"
23:06:47,686 | wire | http-outgoing-0 >>
"Connection: Keep-Alive[\r][\n]"
23:06:47,686 | wire | http-outgoing-0 >>
"User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
23:06:47,686 | wire | http-outgoing-0 >>
"Accept-Encoding: gzip,deflate[\r][\n]"
23:06:47,686 | wire | http-outgoing-0 >>
"[\r][\n]"
23:06:47,815 | wire | http-outgoing-0 <<
"HTTP/1.1 401 Unauthorized [\r][\n]"
23:06:47,816 | wire | http-outgoing-0 <<
"Connection: keep-alive[\r][\n]"
23:06:47,816 | wire | http-outgoing-0 <<
"Www-Authenticate: NTLM[\r][\n]"
23:06:47,816 | wire | http-outgoing-0 <<
"Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
23:06:47,817 | wire | http-outgoing-0 <<
"Date: Tue, 14 Nov 2017 22:06:28 GMT[\r][\n]"
23:06:47,817 | wire | http-outgoing-0 <<
"Content-Length: 0[\r][\n]"
23:06:47,817 | wire | http-outgoing-0 <<
"Via: 1.1 vegur[\r][\n]"
23:06:47,817 | wire | http-outgoing-0 <<
"[\r][\n]"
23:06:47,822 | headers | http-outgoing-0 <<
HTTP/1.1 401 Unauthorized
23:06:47,822 | headers | http-outgoing-0 <<
Connection: keep-alive
23:06:47,822 | headers | http-outgoing-0 <<
Www-Authenticate: NTLM
23:06:47,822 | headers | http-outgoing-0 <<
Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
23:06:47,822 | headers | http-outgoing-0 <<
Date: Tue, 14 Nov 2017 22:06:28 GMT
23:06:47,822 | headers | http-outgoing-0 <<
Content-Length: 0
23:06:47,822 | headers | http-outgoing-0 <<
Via: 1.1 vegur
23:06:47,828 | MainClientExec | Connection can be
kept alive indefinitely
23:06:47,828 | HttpAuthenticator | Authentication required
23:06:47,828 | HttpAuthenticator |
ntlm.herokuapp.com:443 requested authentication
23:06:47,828 | TargetAuthenticationStrategy | Authentication
schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest,
Basic]
23:06:47,828 | TargetAuthenticationStrategy | Challenge for
Negotiate authentication scheme not available
23:06:47,830 | TargetAuthenticationStrategy | Challenge for
Kerberos authentication scheme not available
23:06:47,857 | TargetAuthenticationStrategy | Challenge for
Digest authentication scheme not available
23:06:47,857 | TargetAuthenticationStrategy | Challenge for Basic
authentication scheme not available
23:06:47,857 | HttpAuthenticator | Selected
authentication options: [NTLM]
23:06:47,858 | DefaultManagedHttpClientConnection | http-outgoing-0:
set socket timeout to 10000
23:06:47,858 | MainClientExec | Executing request
GET / HTTP/1.1
23:06:47,858 | MainClientExec | Target auth state:
CHALLENGED
23:06:47,858 | HttpAuthenticator | Generating response
to an authentication challenge using ntlm scheme
23:06:47,859 | MainClientExec | Proxy auth state:
UNCHALLENGED
23:06:47,859 | headers | http-outgoing-0 >>
GET / HTTP/1.1
23:06:47,859 | headers | http-outgoing-0 >>
Accept: text/plain, */*
23:06:47,859 | headers | http-outgoing-0 >>
Host: ntlm.herokuapp.com
23:06:47,859 | headers | http-outgoing-0 >>
Connection: Keep-Alive
23:06:47,859 | headers | http-outgoing-0 >>
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
23:06:47,859 | headers | http-outgoing-0 >>
Accept-Encoding: gzip,deflate
23:06:47,859 | headers | http-outgoing-0 >>
Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==
23:06:47,859 | wire | http-outgoing-0 >>
"GET / HTTP/1.1[\r][\n]"
23:06:47,859 | wire | http-outgoing-0 >>
"Accept: text/plain, */*[\r][\n]"
23:06:47,859 | wire | http-outgoing-0 >>
"Host: ntlm.herokuapp.com[\r][\n]"
23:06:47,859 | wire | http-outgoing-0 >>
"Connection: Keep-Alive[\r][\n]"
23:06:47,859 | wire | http-outgoing-0 >>
"User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
23:06:47,859 | wire | http-outgoing-0 >>
"Accept-Encoding: gzip,deflate[\r][\n]"
23:06:47,860 | wire | http-outgoing-0 >>
"Authorization: NTLM
TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"
23:06:47,860 | wire | http-outgoing-0 >>
"[\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"HTTP/1.1 401 Unauthorized [\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"Connection: keep-alive[\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"Www-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=[\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"Date: Tue, 14 Nov 2017 22:06:28 GMT[\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"Content-Length: 0[\r][\n]"
23:06:47,969 | wire | http-outgoing-0 <<
"Via: 1.1 vegur[\r][\n]"
23:06:47,970 | wire | http-outgoing-0 <<
"[\r][\n]"
23:06:47,970 | headers | http-outgoing-0 <<
HTTP/1.1 401 Unauthorized
23:06:47,970 | headers | http-outgoing-0 <<
Connection: keep-alive
23:06:47,970 | headers | http-outgoing-0 <<
Www-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=
23:06:47,970 | headers | http-outgoing-0 <<
Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
23:06:47,971 | headers | http-outgoing-0 <<
Date: Tue, 14 Nov 2017 22:06:28 GMT
23:06:47,971 | headers | http-outgoing-0 <<
Content-Length: 0
23:06:47,971 | headers | http-outgoing-0 <<
Via: 1.1 vegur
23:06:47,972 | MainClientExec | Connection can be
kept alive indefinitely
23:06:47,973 | HttpAuthenticator | Authentication required
23:06:47,973 | HttpAuthenticator |
ntlm.herokuapp.com:443 requested authentication
23:06:47,973 | HttpAuthenticator | Authorization
challenge processed
23:06:47,974 | DefaultManagedHttpClientConnection | http-outgoing-0:
set socket timeout to 10000
23:06:47,974 | MainClientExec | Executing request
GET / HTTP/1.1
23:06:47,974 | MainClientExec | Target auth state:
HANDSHAKE
23:07:34,996 | HttpAuthenticator | NTLM authentication
error: NTLM authentication - buffer too small for data item
23:07:34,996 | MainClientExec | Proxy auth state:
UNCHALLENGED
23:07:34,997 | headers | http-outgoing-0 >>
GET / HTTP/1.1
23:07:34,997 | headers | http-outgoing-0 >>
Accept: text/plain, */*
23:07:34,997 | headers | http-outgoing-0 >>
Host: ntlm.herokuapp.com
23:07:34,997 | headers | http-outgoing-0 >>
Connection: Keep-Alive
23:07:34,997 | headers | http-outgoing-0 >>
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
23:07:34,997 | headers | http-outgoing-0 >>
Accept-Encoding: gzip,deflate
23:07:34,997 | wire | http-outgoing-0 >>
"GET / HTTP/1.1[\r][\n]"
23:07:34,997 | wire | http-outgoing-0 >>
"Accept: text/plain, */*[\r][\n]"
23:07:34,997 | wire | http-outgoing-0 >>
"Host: ntlm.herokuapp.com[\r][\n]"
23:07:34,997 | wire | http-outgoing-0 >>
"Connection: Keep-Alive[\r][\n]"
23:07:34,997 | wire | http-outgoing-0 >>
"User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
23:07:34,997 | wire | http-outgoing-0 >>
"Accept-Encoding: gzip,deflate[\r][\n]"
23:07:34,997 | wire | http-outgoing-0 >>
"[\r][\n]"
23:07:35,118 | wire | http-outgoing-0 <<
"HTTP/1.1 401 Unauthorized [\r][\n]"
23:07:35,118 | wire | http-outgoing-0 <<
"Connection: keep-alive[\r][\n]"
23:07:35,118 | wire | http-outgoing-0 <<
"Www-Authenticate: NTLM[\r][\n]"
23:07:35,119 | wire | http-outgoing-0 <<
"Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
23:07:35,119 | wire | http-outgoing-0 <<
"Date: Tue, 14 Nov 2017 22:07:15 GMT[\r][\n]"
23:07:35,119 | wire | http-outgoing-0 <<
"Content-Length: 0[\r][\n]"
23:07:35,119 | wire | http-outgoing-0 <<
"Via: 1.1 vegur[\r][\n]"
23:07:35,119 | wire | http-outgoing-0 <<
"[\r][\n]"
23:07:35,119 | headers | http-outgoing-0 <<
HTTP/1.1 401 Unauthorized
23:07:35,119 | headers | http-outgoing-0 <<
Connection: keep-alive
23:07:35,120 | headers | http-outgoing-0 <<
Www-Authenticate: NTLM
23:07:35,120 | headers | http-outgoing-0 <<
Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
23:07:35,120 | headers | http-outgoing-0 <<
Date: Tue, 14 Nov 2017 22:07:15 GMT
23:07:35,120 | headers | http-outgoing-0 <<
Content-Length: 0
23:07:35,120 | headers | http-outgoing-0 <<
Via: 1.1 vegur
23:07:35,121 | MainClientExec | Connection can be
kept alive indefinitely
23:07:35,121 | HttpAuthenticator | Authentication required
23:07:35,121 | HttpAuthenticator |
ntlm.herokuapp.com:443 requested authentication
23:07:35,121 | HttpAuthenticator | Authorization
challenge processed
23:07:35,122 | HttpAuthenticator | Authentication failed
23:07:35,122 | PoolingHttpClientConnectionManager | Connection [id:
0][route: {s}->https://ntlm.herokuapp.com:443] can be kept alive
indefinitely
23:07:35,123 | PoolingHttpClientConnectionManager | Connection
released: [id: 0][route: {s}->https://ntlm.herokuapp.com:443][total kept
alive: 1; route allocated: 1 of 24; total allocated: 1 of 128]
23:07:35,135 | RestTemplate | GET request for
"https://ntlm.herokuapp.com"; resulted in 401 (Unauthorized); invoking
error handler
23:07:35,143 | NtlmPrototype | Request failed
org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
at
org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:63)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at
org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at
org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at
org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at
org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:312)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
at NtlmPrototype.issueGetRequest(NtlmPrototype.java:50) [classes/:?]
at NtlmPrototype.main(NtlmPrototype.java:32) [classes/:?]
--
Marcel Stör, https://frightanic.com
My PGP key: https://frightanic.com/pgp/
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - http://j.mp/1OThh9L
signature.asc
Description: OpenPGP digital signature
