Dear HtpClient Users Group,
Is it possible to make NTLM Authentication using only HttpClient library (without htppclient-win library) which will be working independently on whether it is running on Windows or Linux? Best regards, Kirill *Von:* Oleg Kalnichevski <ol...@apache.org> *Gesendet:* Mittwoch, 10. Juli 2019 15:49 *An:* HttpClient User Discussion *Betreff:* Re: NTLM Authentication fails On Mon, 2019-07-08 at 09:27 +0000, Kirill Rajbhandary wrote: > Dear HttpClient Support List, > > I found out that when trying to make NTLM Authentication using > httpclient-win-4.5.6.jar library it relies on > CurrentWindowsCredentials instead of using credentials provided in > WindowsCredentialsProvider which it seems to be incorrect for the > case when web-container (Tomcat in my case) is running as a service > under another "Local System" user on Windows machine. It retrieves > incorrect username which is not authorized to pass NTLM > authentication and gets 401 Unauthorized Error. Besides, if web > container (Tomcat in my case) is running inside Docker Linux > Container it does not work at all because the user specified inside > Docker Container is completely different from the Windows one. I > suppose that in WindowsNegotiateScheme.authenticate() method the > below implementation should not rely on CurrentWindowsCredentials and > throw Exception but have to use the Credentials specified in > WindowsCredentialsProvider. > > if (clientCred == null) { > // ?? We don't use the credentials, should we allow anything? > if (!(credentials instanceof CurrentWindowsCredentials)) { > throw new InvalidCredentialsException( > "Credentials cannot be used for " + getSchemeName() + " > authentication: " > + credentials.getClass().getName()); > } > > > Also WindowsCredentialsProvider should not use instance of > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use > provider.getCredentials(authscope) one: > > public Credentials getCredentials(final AuthScope authscope) { > final String scheme = authscope.getScheme(); > if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) || > AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) { > return CurrentWindowsCredentials.INSTANCE; > } else { > return provider.getCredentials(authscope); > } > } > > Besides, if user provides the credentials of another user which is > different from the user logged in to Windows system, httpclient-win > API should not try to get information about currently logged user via > CurrentWindowsCredentials class but has to use those credentials > provided in WindowsCredentialsProvider if there are provided. If the > credentials are not provided, then probably makes sense to get user > using CurrentWindowsCredentials. > > Here is the code snippet how NTLM authentication was used in my case > via httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries: > > HttpClientBuilder clientbuilder = HttpClients.custom(); > Registry<AuthSchemeProvider> authSchemeRegistry = > RegistryBuilder.<AuthSchemeProvider>create() > .register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null)) > .build(); > CredentialsProvider windowsCredentialsProvider = new > WindowsCredentialsProvider(new SystemDefaultCredentialsProvider()); > windowsCredentialsProvider.setCredentials(AuthScope.ANY, new > NTCredentials("username, "password", "workstation", "domain")); > clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvide > r); > clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry); > > RequestConfig.Builder requestBuilder = RequestConfig.custom(); > requestBuilder = requestBuilder.setConnectTimeout(connectionTimeout); > requestBuilder = > requestBuilder.setConnectionRequestTimeout(connectionTimeout); > clientbuilder.setDefaultRequestConfig(requestBuilder.build()); > client = clientbuilder.build(); > > HttpGet get = new HttpGet("http://test.url/ntlm"); > CloseableHttpResponse response = client.execute(get); > > Could you please advise a workaround for the issue and make the > corresponding fix if you consider my description as an issue? > Hi Kirill I am not sure I fully understand your logic here but also admittedly I have little idea how things work in Windows these days. The HttpClient for Windows is an experimental module and is NOT recommended for production use. On a number of occasions we have considered dropping Windows specific code altogether. However if you contribute a PR with your proposed improvements I will happily review them. Cheers Oleg