Dear HttpClient Support List,
I found out that when trying to make NTLM Authentication using
httpclient-win-4.5.6.jar library it relies on CurrentWindowsCredentials instead
of using credentials provided in WindowsCredentialsProvider which it seems to
be incorrect for the case when web-container (Tomcat in my case) is running as
a service under another "Local System" user on Windows machine. It retrieves
incorrect username which is not authorized to pass NTLM authentication and gets
401 Unauthorized Error. Besides, if web container (Tomcat in my case) is
running inside Docker Linux Container it does not work at all because the user
specified inside Docker Container is completely different from the Windows one.
I suppose that in WindowsNegotiateScheme.authenticate() method the below
implementation should not rely on CurrentWindowsCredentials and throw Exception
but have to use the Credentials specified in WindowsCredentialsProvider.
if (clientCred == null) {
// ?? We don't use the credentials, should we allow anything?
if (!(credentials instanceof CurrentWindowsCredentials)) {
throw new InvalidCredentialsException(
"Credentials cannot be used for " + getSchemeName() + "
authentication: "
+ credentials.getClass().getName());
}
Also WindowsCredentialsProvider should not use instance of
CurrentWindowsCredentials in case of AuthSchemes.NTLM but use
provider.getCredentials(authscope) one:
public Credentials getCredentials(final AuthScope authscope) {
final String scheme = authscope.getScheme();
if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) ||
AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) {
return CurrentWindowsCredentials.INSTANCE;
} else {
return provider.getCredentials(authscope);
}
}
Besides, if user provides the credentials of another user which is different
from the user logged in to Windows system, httpclient-win API should not try to
get information about currently logged user via CurrentWindowsCredentials class
but has to use those credentials provided in WindowsCredentialsProvider if
there are provided. If the credentials are not provided, then probably makes
sense to get user using CurrentWindowsCredentials.
Here is the code snippet how NTLM authentication was used in my case via
httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries:
HttpClientBuilder clientbuilder = HttpClients.custom();
Registry<AuthSchemeProvider> authSchemeRegistry =
RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null))
.build();
CredentialsProvider windowsCredentialsProvider = new
WindowsCredentialsProvider(new SystemDefaultCredentialsProvider());
windowsCredentialsProvider.setCredentials(AuthScope.ANY, new
NTCredentials("username, "password", "workstation", "domain"));
clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvider);
clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
RequestConfig.Builder requestBuilder = RequestConfig.custom();
requestBuilder = requestBuilder.setConnectTimeout(connectionTimeout);
requestBuilder = requestBuilder.setConnectionRequestTimeout(connectionTimeout);
clientbuilder.setDefaultRequestConfig(requestBuilder.build());
client = clientbuilder.build();
HttpGet get = new HttpGet("http://test.url/ntlm";);
CloseableHttpResponse response = client.execute(get);
Could you please advise a workaround for the issue and make the corresponding
fix if you consider my description as an issue?
Best regards,
www.jedox.com
Kirill Rajbhandary
Senior Software Engineer
+49 761 15147 237
Jedox AG
Bismarckallee 7a
79098Freiburg im Breisgau
Germany
Executive Board: Florian Winterstein (Chairman), Bernd Eisenblätter, Maximilian
Prinz zu Hohenlohe-Waldenburg
Supervisory Board: Bernhard Wöbker (Chairman), Curt Gunsenheimer, Thilo Schmid
Place of Business: Amtsgericht Freiburg HRB 702118
[TM.V06112018]
