options.setProperty("CHARACTER_SET_ENCODING",new String("UTF-16");
when configuring the text part instead of typing displayable ASCII character é
try
U+00E9
http://en.wikipedia.org/wiki/ASCII#Unicode
Martin Gainty
______________________________________________
Jogi és Bizalmassági kinyilatkoztatás/Verzicht und
Vertraulichkeitanmerkung/Note de déni et de confidentialité
Ez az
üzenet bizalmas. Ha nem ön az akinek szánva volt, akkor kérjük, hogy
jelentse azt nekünk vissza. Semmiféle továbbítása vagy másolatának
készítése nem megengedett. Ez az üzenet csak ismeret cserét szolgál és
semmiféle jogi alkalmazhatósága sincs. Mivel az electronikus üzenetek
könnyen megváltoztathatóak, ezért minket semmi felelöség nem terhelhet
ezen üzenet tartalma miatt.
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung.
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung
fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le
destinataire prévu, nous te demandons avec bonté que pour satisfaire informez
l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est
interdite. Ce message sert à l'information seulement et n'aura pas n'importe
quel effet légalement obligatoire. Étant donné que les email peuvent facilement
être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité
pour le contenu fourni.
From: [email protected]
To: [email protected]
Date: Tue, 28 Jun 2011 06:21:40 -0700
Subject: Re: AW: NTLM authentication failed (password with non-latin characters)
Thanks for the answer.
Actually I don't know how axis2 manages its stored-hashed. I can't say what
happens to the "é" because I pass the password to
HttpTransportProperties.Authenticator and I see it again in TCPMonitor as a
NTLM hashed string, in which I can't say how "é" has been
used.
What is the tool used to generate and store the passwords?
What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings
or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded
-Unicode-string?
I pass the password-string to HttpTransportProperties.Authenticator , I don't
use any other tool. The password-string is a standard Java String object, which
means (in my understanding of
the javadoc ) represented in UTF-16 and which libraries like axis2 should
probably handle to take care of encoding issues.
Authenticating in a browser with the "é" works correctly (while accessing the
WSDL). Authenticating in Outlook also works correctly with this password. The
401 error only occurs with the axis2 client application...
Any idea ?
Cordialement,
Pierre Muller
Le 27/06/2011 17:36, Stadelmann Josef a écrit :
Somewhere there is a password data base which has stored password-hashes or the
like.
Lets refer to it as stored-hashes.
If the way hashes are generated from passwords, then transferred, then stored
by some tool differs from
the way hashes are generated, transferred and used toward the hasher by axis2
e all,
in example by passing in one or the other direction a Iso-Latin-to-UTF-8
converter in the later case,
then the chance is real great that we will never reach a match on the hashes.
So what happens to the "é" in sequence? How is it sent from client to server,
as UTF-8 or as ISO-LATIN-1?
TCP Monitor on a non-hashed transfer can tell you that.
What is the tool used to generate and store the passwords?
What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings
or 2. A ISO-LATIN-encode-strings
or 3. A double-byte-encoded -Unicode-string?
As the password generator is potentially a Microsoft one, I would suggest the
"hasher" receives a double-byte-encoded-UNICODE-strings
for an "é"
BUT
The axis2-web-service receives potentially a "double-byte-encoded-UTF-8-string"
for a single "é" and without
converting this 2 bytes to UNICODE prior to passing it to the hasher the
hasher will generate something different then what is stored in the
password-database and the match fails and results in UNAUTHENTICATED.
Josef
Von:
Muller Pierre [mailto:[email protected]]
Gesendet: Montag, 27. Juni 2011 15:03
An:
[email protected]
Betreff: NTLM authentication failed (password with non-latin characters)
Hello,
I'm working on a web application consuming web services with Axis2. Client
classes are generated from a WSDL file with the XMLBeans method.
The web services require NTLM authentication, which I set up in my application.
Everything's fine, the application works as expected (able to authenticate,
able to use services). Except in one case : when the NTLM password contains
accents, e.g. "myPasswordWithLetter_é". Does someone know about this, is this a
filed bug for Axis2 (I couldn't
find anythind on it so far) ? Are there any solutions to bypass it ?
Thanks
Pierre
More detailed information :
1. The services requested are Exchange Web Service ones. Again, it's working
fine for passwords without accents.
2. My authentication code is :
URL endpoint = new URL(...);
HttpTransportProperties.Authenticator authenticator = new
HttpTransportProperties.Authenticator();
authenticator.setAuthSchemes(Arrays.asList(HttpTransportProperties.Authenticator.NTLM));
authenticator.setUsername("user");
authenticator.setPassword("myPasswordWithLetter_é");
authenticator.setHost(endpoint.getHost());
authenticator.setPort(endpoint.getPort()!=-1? endpoint.getPort()
: endpoint.getProtocol().equalsIgnoreCase("https")? 443 :
80);
authenticator.setDomain(conf.getAgendaHttpAuthDomain());
stub._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE,
authenticator);
3. The password is showing healthy in Java, no encoding problem.
4. TCPMonitor shows similar behaviours with or without accents in the password
: 3 POST requests, only the last differing between the expected SOAP response
or the "HTTP 401.1 Unauthorized" seen below :
Application request
Server response
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction:
"http://schemas.microsoft.com/exchange/services/2006/messages/FindItem";
User-Agent: Axis2
Host: vm-iodasxch:8989
Transfer-Encoding: chunked
322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..
HTTP/1.1 401 Unauthorized
Content-Length: 1897
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction:
"http://schemas.microsoft.com/exchange/services/2006/messages/FindItem";
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAABAAAABlIAAAgACAApAAAACQAJACAAABMT0NBTE
hPU1RJT0RBU1hDSA==
Host: localhost:8989
322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..
HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAGAoECgB4YkR3A1OQAAAAAAAA
AAM4AzgBAAAAABQLODgAAAA9JT0RBU1hDSAIAEABJAE8ARABBAFMAWABDAEgAAQAWAFY
ATQAtAEkATwBEAEEAUwBYAEMASAAEACgAaQBvAGQAYQBzAHgAYwBoAC4AZwBmAGkALgBw
AHIAaQB2AGEAdABlAAMAQAB2AG0ALQBpAG8AZABhAHMAeABjAGgALgBpAG8AZABhAHMAeAB
jAGgALgBnAGYAaQAuAHAAcgBpAHYAYQB0AGUABQAoAGkAbwBkAGEAcwB4AGMAaAAuAGcAZg
BpAC4AcAByAGkAdgBhAHQAZQAAAAAA
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction:
"http://schemas.microsoft.com/exchange/services/2006/messages/FindItem";
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA
BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU
1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I=
Host: localhost:8989
322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..
HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT
--
Cordialement,
Pierre Muller
Ce message et toutes les pièces jointes (ci-après le « message ») sont
confidentiels et établis à l'intention exclusive de ses destinataires. Toute
utilisation de ce
message non conforme à sa destination, toute diffusion ou toute publication,
totale ou partielle, est interdite, sauf autorisation expresse des parties. Si
vous recevez ce message par erreur, merci de le détruire sans en conserver de
copie et d'en avertir
immédiatement l'expéditeur. Internet ne permettant pas de garantir l'intégrité
de ce message, le groupe GFI Informatique décline toute responsabilité au titre
de ce message s'il a été modifié, altéré, déformé ou falsifié. Par ailleurs et
malgré toutes les
précautions prises pour éviter la présence de virus dans nos envois, nous vous
recommandons de prendre, de votre côté, les mesures permettant d'assurer la
non-introduction de virus dans votre système informatique.
This email message and any attachments ("the email") are confidential and
intended only for the recipient(s) indicated. If you are not an intended
recipient, please be advised that any use, dissemination, forwarding or copying
of this email whatsoever is prohibited
without prior written consent. If you have received this email in error,
please delete it without saving a copy and notify the sender immediately.
Internet emails are not necessarily secured, and GFI Informatique Group
declines responsibility for any changes
that may have been made to this email after it was sent. While we take all
reasonable precautions to ensure that viruses are not transmitted via emails,
we recommend that you take your own measures to prevent viruses from entering
your computer system.
Ce message et toutes les pièces jointes (ci-après le « message ») sont
confidentiels et établis à l'intention exclusive de ses destinataires. Toute
utilisation de ce message non conforme à sa destination, toute diffusion
ou toute publication, totale ou partielle, est interdite, sauf autorisation
expresse des parties. Si vous recevez ce message par erreur, merci de le
détruire sans en conserver de copie et d'en avertir immédiatement l'expéditeur.
Internet ne permettant pas
de garantir l'intégrité de ce message, le groupe GFI Informatique décline
toute responsabilité au titre de ce message s'il a été modifié, altéré, déformé
ou falsifié. Par ailleurs et malgré toutes les précautions prises pour éviter
la présence de virus dans
nos envois, nous vous recommandons de prendre, de votre côté, les mesures
permettant d'assurer la non-introduction de virus dans votre système
informatique.
This email message and any attachments ("the email") are confidential and
intended only for the recipient(s) indicated. If you are not an intended
recipient, please be advised that any use, dissemination, forwarding or copying
of this email whatsoever is prohibited
without prior written consent. If you have received this email in error,
please delete it without saving a copy and notify the sender immediately.
Internet emails are not necessarily secured, and GFI Informatique Group
declines responsibility for any changes
that may have been made to this email after it was sent. While we take all
reasonable precautions to ensure that viruses are not transmitted via emails,
we recommend that you take your own measures to prevent viruses from entering
your computer system.
