Hi net-devs,
I hope you do not mind that I post to this list, but I hope I can provide
enough in-depth information about the problem to justify the post here.
Accessing a "normal" ntlm protected resource - a simple index.html in an
protected directory on an IIS 7.5 server - the ntlm authentication works fine.
However, trying to access the Microsoft Exchange 2010 webservice failes with
"401 Unauthorized".
I used this few lines to debug the connection/authentication process
URL url = new URL("https://exchange/ews/Services.wsdl";);
byte[] buf = new byte[10240];
int read = url.openStream().read(buf);
System.err.println(new String(buf, 0, read));
This snipped works fine in java 1.6, but failes with an IOException (http
status 401) in java 1.7.
I found an interesting difference when accessing the "normal" web-page and the
exchange webservice.
When accessing the web-page, the server answers "WWW-Authenticate: Negotiate"
just after the first 401 response which triggers the authentication process
then. In contrast, when accessing the Exchange webservice the
"WWW-Authenticate: Negotiate" is sent during the negotiation process too, which
then triggers the inNegotiate flag in
sun.net.www.protocol.http.HttpURLConnection in getInputStream and let the
negotiation process fail.
If I hack the response values and change any subsequent Negotiate to e.g.
NegotiateXX, then the inNegotiate flag will not change and the authentication
process will finish and authentication finally works.
Here is the request/response cycle which fail then:
#1: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent: Java/1.7.0_02-ea}{Host:
exchange }{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*;
q=.2}{Connection: keep-alive}
#2: {null: HTTP/1.1 401 Unauthorized}{Server:
Microsoft-IIS/7.5}{WWW-Authenticate: Negotiate}{WWW-Authenticate:
NTLM}{X-Powered-By: ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39
GMT}{Content-Length: 0}
#3: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent: Java/1.7.0_02-ea}{Host:
exchange }{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*;
q=.2}{Connection: keep-alive}{Authorization: NTLM MY_NTLM_DATA}
#4: {null: HTTP/1.1 401 Unauthorized}{Server:
Microsoft-IIS/7.5}{WWW-Authenticate: NTLM SERVER_NTLM_DATA}{WWW-Authenticate:
Negotiate}{X-Powered-By: ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39
GMT}{Content-Length: 0}
Exception in thread "main" java.io.IOException: Server returned HTTP response
code: 401 for URL: https://exchange/ews/Services.wsdl
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1612)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1035)
Does this make sense to you?
It seems to me the "inNegotiate" handling needs a review as it does not work in
all cases.
I hope my informations are of any help to fix this issue.
Ciao,
Mario
