axis-java-user mailing list archives

From Muller Pierre <pierre.mul...@gfi.fr>
Subject Re: AW: NTLM authentication failed (password with non-latin characters)
Date Wed, 29 Jun 2011 12:17:39 GMT
Thanks Martin.
Actually I had a look at the HTTPClient trace : there was this warning "Credential charset
not configured, using HTTP element charset".
Thus I tried your conf directive and other directives too :
stub._getServiceClient().getOptions().setProperty(HTTPConstants.CHAR_SET_ENCODING, new String("utf-16"));
stub._getServiceClient().getOptions().setProperty("CHARACTER_SET_ENCODING", new String("utf-16"));
DefaultHttpParams.getDefaultParams().setParameter("http.protocol.credential-charset", new String("utf-16"));

Only the last one makes the warning disappear, which is good.
But I tried several charsets (utf-16,utf-8,iso-8859-1,cp1252), with and without U+00E9 ("myPasswordWithLetter_é"
or "myPasswordWithLetter_\u00e9") : no success, I always get the same 401.1 error !!



Regards,
Pierre Muller

On 28/06/2011 17:15, Martin Gainty wrote:
options.setProperty("CHARACTER_SET_ENCODING", new String("UTF-16"));
when configuring the text part instead of typing displayable ASCII character é try
U+00E9

http://en.wikipedia.org/wiki/ASCII#Unicode
Martin Gainty
______________________________________________
Disclaimer and confidentiality notice

This message is confidential. If you are not the intended recipient, we kindly ask you to
notify us. Any unauthorized forwarding or copying is not permitted. This message serves only
for the exchange of information and has no legally binding effect. Because e-mails can easily
be manipulated, we cannot accept any liability for the content.



________________________________
From: pierre.muller@gfi.fr
To: java-user@axis.apache.org
Date: Tue, 28 Jun 2011 06:21:40 -0700
Subject: Re: AW: NTLM authentication failed (password with non-latin characters)

Thanks for the answer.
Actually I don't know how axis2 manages its stored-hashed. I can't say what happens to the
"é" because I pass the password to HttpTransportProperties.Authenticator and I see it again
in TCPMonitor as a NTLM hashed string, in which I can't say how "é" has been used.


What is the tool used to generate and store the passwords?

What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded string, 2. an ISO-Latin-encoded
string, or 3. a double-byte-encoded Unicode string?
I pass the password-string to HttpTransportProperties.Authenticator , I don't use any other
tool. The password-string is a standard Java String object, which means (in my understanding
of the javadoc<http://download.oracle.com/javase/1.5.0/docs/api/java/lang/String.html>
) represented in UTF-16 and which libraries like axis2 should probably handle to take care
of encoding issues.

Authenticating in a browser with the "é" works correctly (while accessing the WSDL). Authenticating
in Outlook also works correctly with this password. The 401 error only occurs with the axis2
client application...


Any idea ?



Regards,
Pierre Muller

On 27/06/2011 17:36, Stadelmann Josef wrote:

Somewhere there is a password database which has stored password hashes or the like.

Let's refer to it as stored-hashes.

If the way hashes are generated from passwords, then transferred, then stored by some tool
differs from the way hashes are generated, transferred and used toward the hasher by axis2
e all, for example by passing in one or the other direction an ISO-Latin-to-UTF-8 converter
in the latter case, then the chance is really great that we will never reach a match on the
hashes.

So what happens to the "é" in sequence? How is it sent from client to server, as UTF-8 or
as ISO-LATIN-1? TCP Monitor on a non-hashed transfer can tell you that.

What is the tool used to generate and store the passwords?

What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded string, 2. an ISO-Latin-encoded
string, or 3. a double-byte-encoded Unicode string?

As the password generator is potentially a Microsoft one, I would suggest the "hasher" receives
a double-byte-encoded Unicode string for an "é"

BUT

the axis2 web service potentially receives a "double-byte-encoded UTF-8 string" for a single
"é", and without converting these 2 bytes to Unicode prior to passing them to the hasher, the
hasher will generate something different than what is stored in the password database, and
the match fails and results in UNAUTHENTICATED.

Josef





From: Muller Pierre [mailto:pierre.muller@gfi.fr]
Sent: Monday, 27 June 2011 15:03
To: java-user@axis.apache.org
Subject: NTLM authentication failed (password with non-latin characters)



Hello,

I'm working on a web application consuming web services with Axis2. Client classes are generated
from a WSDL file with the XMLBeans method.
The web services require NTLM authentication, which I set up in my application.

Everything's fine, the application works as expected (able to authenticate, able to use services).
Except in one case : when the NTLM password contains accents, e.g. "myPasswordWithLetter_é".
Does someone know about this, is this a filed bug for Axis2 (I couldn't find anything on it
so far) ? Are there any solutions to bypass it ?

Thanks
Pierre



More detailed information :
1. The services requested are Exchange Web Service ones. Again, it's working fine for passwords
without accents.

2. My authentication code is :
URL endpoint = new URL(...);
HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
authenticator.setAuthSchemes(Arrays.asList(HttpTransportProperties.Authenticator.NTLM));
authenticator.setUsername("user");
authenticator.setPassword("myPasswordWithLetter_é");
authenticator.setHost(endpoint.getHost());
authenticator.setPort(endpoint.getPort()!=-1? endpoint.getPort()
                    : endpoint.getProtocol().equalsIgnoreCase("https")? 443 : 80);
authenticator.setDomain(conf.getAgendaHttpAuthDomain());
stub._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, authenticator);

3. The password is showing healthy in Java, no encoding problem.

4. TCPMonitor shows similar behaviours with or without accents in the password : 3 POST requests,
only the last differing between the expected SOAP response  or the  "HTTP 401.1 Unauthorized"
seen below :

Application request


Server response


POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Host: vm-iodasxch:8989
Transfer-Encoding: chunked

322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .


HTTP/1.1 401 Unauthorized
Content-Length: 1897
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT


POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAABAAAABlIAAAgACAApAAAACQAJACAAABMT0NBTE hPU1RJT0RBU1hDSA==
Host: localhost:8989

322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope  ..


HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAGAoECgB4YkR3A1OQAAAAAAAA AAM4AzgBAAAAABQLODgAAAA9JT0RBU1hDSAIAEABJAE8ARABBAFMAWABDAEgAAQAWAFY
ATQAtAEkATwBEAEEAUwBYAEMASAAEACgAaQBvAGQAYQBzAHgAYwBoAC4AZwBmAGkALgBw AHIAaQB2AGEAdABlAAMAQAB2AG0ALQBpAG8AZABhAHMAeABjAGgALgBpAG8AZABhAHMAeAB
jAGgALgBnAGYAaQAuAHAAcgBpAHYAYQB0AGUABQAoAGkAbwBkAGEAcwB4AGMAaAAuAGcAZg BpAC4AcAByAGkAdgBhAHQAZQAAAAAA
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT


POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU
1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I=
Host: localhost:8989

322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .


HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT




--

Regards,

Pierre Muller

This email message and any attachments ("the email") are confidential and intended only for
the recipient(s) indicated. If you are not an intended recipient, please be advised that any
use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior
written consent. If you have received this email in error, please delete it without saving
a copy and notify the sender immediately. Internet emails are not necessarily secured, and
GFI Informatique Group declines responsibility for any changes that may have been made to
this email after it was sent. While we take all reasonable precautions to ensure that viruses
are not transmitted via emails, we recommend that you take your own measures to prevent viruses
from entering your computer system.
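
Added example (not part of the original thread, and not Axis2 or HttpClient code): a small Java check of the encoding mismatch discussed above. It prints the bytes a JVM produces for the sample password under each charset tried in the thread and compares them with UTF-16LE, which is assumed here to be the double-byte form the Windows side hashes, as Josef suggests. The class name is hypothetical and SHA-256 is only a stand-in digest, not the NTLM hash.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCharsetCheck {
    // Constructed sample: the password quoted in the thread, e-acute written as an escape.
    static final String PASSWORD = "myPasswordWithLetter_\u00e9";

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // Stand-in digest (SHA-256), NOT the NTLM hash: it only shows that a hash
    // computed over different input bytes will not match the stored one.
    static String digest(byte[] bytes) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(bytes)).substring(0, 16);
    }

    public static void main(String[] args) throws Exception {
        // Assumption (Josef's suggestion): the Windows side hashes the
        // double-byte form, i.e. UTF-16 little-endian without a byte-order mark.
        byte[] reference = PASSWORD.getBytes(Charset.forName("UTF-16LE"));
        System.out.println("reference UTF-16LE digest=" + digest(reference));

        // The charsets tried in the thread for http.protocol.credential-charset.
        String[] tried = {"utf-16", "utf-8", "iso-8859-1", "cp1252"};
        for (String name : tried) {
            if (!Charset.isSupported(name)) {
                System.out.println(name + ": charset not available in this JVM");
                continue;
            }
            byte[] encoded = PASSWORD.getBytes(Charset.forName(name));
            // The head exposes a byte-order mark; the tail shows how e-acute was encoded.
            String head = hex(Arrays.copyOfRange(encoded, 0, 2));
            String tail = hex(Arrays.copyOfRange(encoded, encoded.length - 2, encoded.length));
            System.out.printf("%-10s len=%2d head=%s tail=%s digest=%s match=%b%n",
                    name, encoded.length, head, tail, digest(encoded),
                    Arrays.equals(encoded, reference));
        }
    }
}
```

On a standard JDK the "utf-16" encoder emits a big-endian byte-order mark followed by big-endian code units, so none of the four values tried reproduces the UTF-16LE bytes.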
