Dear HttpClient Users Group,

I finally managed to make NTLM authentication work correctly using only
the HttpClient API. The root cause of why it did not work was the
method NTLMScheme.authenticate() hiding the real problem
with ClassCastException.

        try {
            ntcredentials = (NTCredentials) credentials;
        } catch (final ClassCastException e) {
            throw new InvalidCredentialsException(
             "Credentials cannot be used for NTLM authentication: "
              + credentials.getClass().getName());
        }

Since I used a wrapper for the NTCredentials, my WrapperCredentials was not
an instance of NTCredentials.
The issue has therefore been resolved, but I would recommend not hiding
the real problem, or making the message more precise, or changing the API
to accept only NTCredentials in the case of NTLM authentication.

Best regards,
Kirill

On Wed, Jul 17, 2019 at 1:31 PM Oleg Kalnichevski <ol...@apache.org> wrote:

> On Tue, 2019-07-16 at 16:21 +0200, Kirill wrote:
> > Dear HttpClient Users Group,
> >
> >
> > Is it possible to make NTLM authentication using only the HttpClient
> > library (without the httpclient-win library) which will work
> > independently of whether it is running on Windows or Linux?
> >
>
> Of course, it is. It is the default mode of operation supported by
> HttpClient and recommended by the project.
>
> Cheers
>
> Oleg
>
> > Best regards,
> > Kirill
> >
> >
> >
> > *From:* Oleg Kalnichevski <ol...@apache.org>
> >
> > *Sent:* Wednesday, 10 July 2019 15:49
> > *To:* HttpClient User Discussion
> > *Subject:* Re: NTLM Authentication fails
> >
> >
> >
> > On Mon, 2019-07-08 at 09:27 +0000, Kirill wrote:
> > > Dear HttpClient Support List,
> > >
> > > I found out that when trying to make NTLM authentication using the
> > > httpclient-win-4.5.6.jar library, it relies on
> > > CurrentWindowsCredentials instead of using the credentials provided
> > > in WindowsCredentialsProvider, which seems to be incorrect for the
> > > case when the web container (Tomcat in my case) is running as a
> > > service under another "Local System" user on a Windows machine. It
> > > retrieves an incorrect username which is not authorized to pass NTLM
> > > authentication and gets a 401 Unauthorized error. Besides, if the web
> > > container (Tomcat in my case) is running inside a Docker Linux
> > > container, it does not work at all because the user specified inside
> > > the Docker container is completely different from the Windows one. I
> > > suppose that in the WindowsNegotiateScheme.authenticate() method the
> > > implementation below should not rely on CurrentWindowsCredentials
> > > and throw an exception, but has to use the credentials specified in
> > > WindowsCredentialsProvider.
> > >
> > > if (clientCred == null) {
> > >     // ?? We don't use the credentials, should we allow anything?
> > >     if (!(credentials instanceof CurrentWindowsCredentials)) {
> > >         throw new InvalidCredentialsException(
> > >             "Credentials cannot be used for " + getSchemeName() + " authentication: "
> > >             + credentials.getClass().getName());
> > >     }
> > >
> > >
> > > Also WindowsCredentialsProvider should not use instance of
> > > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use
> > > provider.getCredentials(authscope) one:
> > >
> > > public Credentials getCredentials(final AuthScope authscope) {
> > > final String scheme = authscope.getScheme();
> > > if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) ||
> > > AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) {
> > > return CurrentWindowsCredentials.INSTANCE;
> > > } else {
> > > return provider.getCredentials(authscope);
> > > }
> > > }
> > >
> > > Besides, if the user provides the credentials of another user which
> > > is different from the user logged in to the Windows system, the
> > > httpclient-win API should not try to get information about the
> > > currently logged-in user via the CurrentWindowsCredentials class but
> > > has to use the credentials provided in WindowsCredentialsProvider if
> > > they are provided. If the credentials are not provided, then it
> > > probably makes sense to get the user using CurrentWindowsCredentials.
> > >
> > > Here is the code snippet showing how NTLM authentication was used in
> > > my case via the httpclient-4.4.0.jar and httpclient-win-4.5.6.jar
> > > libraries:
> > >
> > > HttpClientBuilder clientbuilder = HttpClients.custom();
> > > Registry<AuthSchemeProvider> authSchemeRegistry =
> > >     RegistryBuilder.<AuthSchemeProvider>create()
> > >         .register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null))
> > >         .build();
> > > CredentialsProvider windowsCredentialsProvider =
> > >     new WindowsCredentialsProvider(new SystemDefaultCredentialsProvider());
> > > windowsCredentialsProvider.setCredentials(AuthScope.ANY,
> > >     new NTCredentials("username", "password", "workstation", "domain"));
> > > clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvider);
> > > clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
> > >
> > > RequestConfig.Builder requestBuilder = RequestConfig.custom();
> > > requestBuilder =
> > >     requestBuilder.setConnectTimeout(connectionTimeout);
> > > requestBuilder =
> > >     requestBuilder.setConnectionRequestTimeout(connectionTimeout);
> > > clientbuilder.setDefaultRequestConfig(requestBuilder.build());
> > > client = clientbuilder.build();
> > >
> > > HttpGet get = new HttpGet("http://test.url/ntlm");
> > > CloseableHttpResponse response = client.execute(get);
> > >
> > > Could you please advise a workaround for the issue and make the
> > > corresponding fix if you consider my description as an issue?
> > >
> >
> > Hi Kirill
> >
> > I am not sure I fully understand your logic here but also admittedly
> > I have little idea how things work in Windows these days.
> >
> > The HttpClient for Windows is an experimental module and is NOT
> > recommended for production use. On a number of occasions we have
> > considered dropping Windows specific code altogether.
> >
> > However if you contribute a PR with your proposed improvements I will
> > happily review them.
> >
> > Cheers
> >
> > Oleg
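The configuration discussed in this thread, NTLM through the core HttpClient 4.x API without httpclient-win, as an added example that is not code from the thread or from the HttpClient project. The helper `requireNtCredentials`, the environment variable `NTLM_PASSWORD`, port 80 and the timeout values are assumptions made for illustration; the helper rejects a non-NTCredentials object before the first request with a message naming the expected type, and the credentials are scoped to one host and scheme rather than `AuthScope.ANY`.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.util.Collections;

public class NtlmClientExample {
    // Hypothetical helper: reject anything NTLMScheme.authenticate() could not cast,
    // and name the expected type so the cause is visible at configuration time.
    static NTCredentials requireNtCredentials(Credentials c) {
        if (c instanceof NTCredentials) {
            return (NTCredentials) c;
        }
        throw new IllegalArgumentException("NTLM needs org.apache.http.auth.NTCredentials, got "
                + (c == null ? "null" : c.getClass().getName()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the password comes from an assumed env variable
        // instead of a string literal in source.
        Credentials supplied = new NTCredentials(
                "username", System.getenv("NTLM_PASSWORD"), "workstation", "domain");
        // Scope to the one host and scheme, so the credentials are not offered
        // to every server that sends an authentication challenge.
        AuthScope scope = new AuthScope("test.url", 80, AuthScope.ANY_REALM, AuthSchemes.NTLM);
        CredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(scope, requireNtCredentials(supplied));

        RequestConfig config = RequestConfig.custom()
                .setTargetPreferredAuthSchemes(Collections.singletonList(AuthSchemes.NTLM))
                .setConnectTimeout(5000)
                .setConnectionRequestTimeout(5000)
                .build();
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(provider)
                .setDefaultRequestConfig(config)
                .build();
             CloseableHttpResponse response = client.execute(new HttpGet("http://test.url/ntlm"))) {
            System.out.println(response.getStatusLine());
        }
    }
}
```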