Hi all,
Any idea ?...
Regards,
Pierre Muller
On 29/06/2011 14:17, Muller Pierre wrote:
Thanks Martin.
Actually I had a look at the HTTPClient trace : there was this warning
"Credential charset not configured, using HTTP element charset".
Thus I tried your conf directive and other directives too :
stub._getServiceClient().getOptions().setProperty(
    HTTPConstants.CHAR_SET_ENCODING, new String("utf-16"));
stub._getServiceClient().getOptions().setProperty(
    "CHARACTER_SET_ENCODING", new String("utf-16"));
DefaultHttpParams.getDefaultParams().setParameter(
    "http.protocol.credential-charset", new String("utf-16"));
Only the last one makes the warning disappear, which is good.
But I tried several charsets (utf-16,utf-8,iso-8859-1,cp1252), with and without
U+00E9 ("myPasswordWithLetter_é" or "myPasswordWithLetter_\u00e9") : no
success, I always get the same 401.1 error !!
Regards,
Pierre Muller
On 28/06/2011 17:15, Martin Gainty wrote:
options.setProperty("CHARACTER_SET_ENCODING", new String("UTF-16"));
when configuring the text part instead of typing displayable ASCII character é
try
U+00E9
http://en.wikipedia.org/wiki/ASCII#Unicode
Martin Gainty
______________________________________________
Disclaimer and confidentiality notice
This message is confidential. If you are not the intended recipient, we kindly
ask that you notify us. Any unauthorized forwarding or copying is prohibited.
This message serves only for the exchange of information and has no legally
binding effect. Because e-mails can easily be manipulated, we cannot accept any
liability for the content.
________________________________
From: [email protected]
To: [email protected]
Date: Tue, 28 Jun 2011 06:21:40 -0700
Subject: Re: AW: NTLM authentication failed (password with non-latin characters)
Thanks for the answer.
Actually I don't know how axis2 manages its stored-hashes. I can't say what
happens to the "é" because I pass the password to
HttpTransportProperties.Authenticator and I see it again in TCPMonitor as a
NTLM hashed string, in which I can't say how "é" has been used.
What is the tool used to generate and store the passwords?
What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings
or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded -Unicode-string?
I pass the password-string to HttpTransportProperties.Authenticator , I don't
use any other tool. The password-string is a standard Java String object, which
means (in my understanding of the
javadoc<http://download.oracle.com/javase/1.5.0/docs/api/java/lang/String.html>
) represented in UTF-16 and which libraries like axis2 should probably handle
to take care of encoding issues.
Authenticating in a browser with the "é" works correctly (while accessing the
WSDL). Authenticating in Outlook also works correctly with this password. The
401 error only occurs with the axis2 client application...
Any idea ?
Regards,
Pierre Muller
On 27/06/2011 17:36, Stadelmann Josef wrote:
Somewhere there is a password data base which has stored password-hashes or the
like.
Let's refer to it as stored-hashes.
If the way hashes are generated from passwords, then transferred, then stored
by some tool differs from the way hashes are generated, transferred and used
toward the hasher by axis2 e all,
in example by passing in one or the other direction a Iso-Latin-to-UTF-8
converter in the later case,
then the chance is real great that we will never reach a match on the hashes.
So what happens to the "é" in sequence? How is it sent from client to server,
as UTF-8 or as ISO-LATIN-1? TCP Monitor on a non-hashed transfer can tell you
that.
What is the tool used to generate and store the passwords?
What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings
or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded -Unicode-string?
As the password generator is potentially a Microsoft one, I would suggest the
"hasher" receives a double-byte-encoded-UNICODE-strings for an "é"
BUT
The axis2-web-service receives potentially a "double-byte-encoded-UTF-8-string"
for a single "é" and without converting this 2 bytes to UNICODE prior to
passing it to the hasher the hasher will generate something different than what
is stored in the password-database and the match fails and results in
UNAUTHENTICATED.
Josef
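Added example (not part of the original thread, and not Axis2 or HttpClient code): the three candidate encodings listed in the message above, plus US-ASCII, applied to the thread's sample password to show that each one hands different bytes to a hasher. SHA-256 as a stand-in digest, UTF-16LE as the "double-byte Unicode" form, and the class name are assumptions of this example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CredentialCharsetCheck {

    // Hex-encode bytes so the candidate encodings can be compared by eye.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // SHA-256 stands in for the real password hash (an assumption of this
    // example): any digest shows that different input bytes cannot match.
    static String digest(byte[] input) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(input)).substring(0, 16);
    }

    public static void main(String[] args) throws Exception {
        String password = "myPasswordWithLetter_\u00e9"; // sample value from the thread
        Charset[] candidates = {
            StandardCharsets.UTF_8,       // option 1 in the message above
            StandardCharsets.ISO_8859_1,  // option 2
            StandardCharsets.UTF_16LE,    // option 3 (assumed double-byte Unicode form)
            StandardCharsets.US_ASCII     // a charset that cannot represent U+00E9
        };
        for (Charset cs : candidates) {
            // canEncode() is false when the charset cannot represent the
            // password; getBytes() then silently substitutes '?' (0x3f).
            boolean lossless = cs.newEncoder().canEncode(password);
            System.out.printf("%-10s e-acute=%-4s lossless=%-5b digest=%s%n",
                    cs.name(),
                    hex("\u00e9".getBytes(cs)),
                    lossless,
                    digest(password.getBytes(cs)));
        }
    }
}
```

A charset reported as not lossless means the accented character is replaced before hashing, so the client can never reproduce the stored hash regardless of how the password string looks in Java.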
From: Muller Pierre [mailto:[email protected]]
Sent: Monday, 27 June 2011 15:03
To: [email protected]
Subject: NTLM authentication failed (password with non-latin characters)
Hello,
I'm working on a web application consuming web services with Axis2. Client
classes are generated from a WSDL file with the XMLBeans method.
The web services require NTLM authentication, which I set up in my application.
Everything's fine, the application works as expected (able to authenticate,
able to use services). Except in one case : when the NTLM password contains
accents, e.g. "myPasswordWithLetter_é". Does someone know about this, is this a
filed bug for Axis2 (I couldn't find anything on it so far) ? Are there any
solutions to bypass it ?
Thanks
Pierre
More detailed information :
1. The services requested are Exchange Web Service ones. Again, it's working
fine for passwords without accents.
2. My authentication code is :
URL endpoint = new URL(...);
HttpTransportProperties.Authenticator authenticator =
    new HttpTransportProperties.Authenticator();
authenticator.setAuthSchemes(
    Arrays.asList(HttpTransportProperties.Authenticator.NTLM));
authenticator.setUsername("user");
authenticator.setPassword("myPasswordWithLetter_é");
authenticator.setHost(endpoint.getHost());
authenticator.setPort(endpoint.getPort() != -1 ? endpoint.getPort()
    : endpoint.getProtocol().equalsIgnoreCase("https") ? 443 : 80);
authenticator.setDomain(conf.getAgendaHttpAuthDomain());
stub._getServiceClient().getOptions().setProperty(
    HTTPConstants.AUTHENTICATE, authenticator);
3. The password is showing healthy in Java, no encoding problem.
4. TCPMonitor shows similar behaviours with or without accents in the password
: 3 POST requests, only the last differing between the expected SOAP response
or the "HTTP 401.1 Unauthorized" seen below :
Application request
Server response
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Host: vm-iodasxch:8989
Transfer-Encoding: chunked
322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .
HTTP/1.1 401 Unauthorized
Content-Length: 1897
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAABAAAABlIAAAgACAApAAAACQAJACAAABMT0NBTE
hPU1RJT0RBU1hDSA==
Host: localhost:8989
322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..
HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAGAoECgB4YkR3A1OQAAAAAAAA
AAM4AzgBAAAAABQLODgAAAA9JT0RBU1hDSAIAEABJAE8ARABBAFMAWABDAEgAAQAWAFY
ATQAtAEkATwBEAEEAUwBYAEMASAAEACgAaQBvAGQAYQBzAHgAYwBoAC4AZwBmAGkALgBw
AHIAaQB2AGEAdABlAAMAQAB2AG0ALQBpAG8AZABhAHMAeABjAGgALgBpAG8AZABhAHMAeAB
jAGgALgBnAGYAaQAuAHAAcgBpAHYAYQB0AGUABQAoAGkAbwBkAGEAcwB4AGMAaAAuAGcAZg
BpAC4AcAByAGkAdgBhAHQAZQAAAAAA
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA
BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU
1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I=
Host: localhost:8989
322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .
HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT
--
Regards,
Pierre Muller
This email message and any attachments ("the email") are confidential and
intended only for the recipient(s) indicated. If you are not an intended
recipient, please be advised that any use, dissemination, forwarding or copying
of this email whatsoever is prohibited without prior written consent. If you
have received this email in error, please delete it without saving a copy and
notify the sender immediately. Internet emails are not necessarily secured, and
GFI Informatique Group declines responsibility for any changes that may have
been made to this email after it was sent. While we take all reasonable
precautions to ensure that viruses are not transmitted via emails, we recommend
that you take your own measures to prevent viruses from entering your computer
system.