cxf-users mailing list archives

From "Pink, Simon (AGCS)" <simon.p...@allianz.com>
Subject RE: Using CXF with NTLM authentication as well as SSL/HTTPS
Date Thu, 03 Dec 2009 11:16:03 GMT
I agree it does seem pointless, unfortunately my infrastructure demands that I do just this,
that is, NTLM over HTTPS.

I _might_ be able to get away with just using NTLM over HTTP so long as it does over-the-wire
encryption. I'm not an NTLM expert; can someone confirm if JCIFS/NTLM does encrypt ALL messages?

Windows NTLM does 'just work', but it runs using the underlying user's credentials, and it
doesn't run on Linux - so it counts itself out as an option unfortunately.

-----Original Message-----
Subject: Re: Using CXF with NTLM authentication as well as SSL/HTTPS


You would probably need to log a bug with jcifs. 

That said, I expect they are going to say something along the lines of NTLM 
with SSL/HTTPS is completely redundant and not worth supporting.   With 
SSL/HTTPS, the channel is already encrypted.   Thus, the extra protection 
offered by NTLM is not needed.    The NTLM stuff also extracts a performance 
hit due to the handshaking required.

Thus, I would suggest ntlm (or digest) auth for http and just use basic auth 
for https.

The only other alternative that I'm aware of is the NTLM stuff built into the 
JDK on Windows.   That PROBABLY "just works" (built into the jdk's 
HttpURLConnection object), but that's obviously windows only.

Dan


On Tue December 1 2009 11:07:09 am Pink, Simon (AGCS) wrote:
> I cannot seem to get jcifs NTLM working with SSL/HTTPS. I get the following
>  exception:
>  java.lang.NoSuchMethodException<http://java.sun.com/javase/6/docs/api/java/lang/NoSuchMethodException.html>:
>  jcifs.http.NtlmHttpURLConnection.getSSLSocketFactory()
> 
> In a nutshell, CXF is trying to decorate the
>  javax.net.ssl.HttpsURLConnection.getSSLSocketFactory method - but NTLM has
>  replaced the https connection with its own handler: NtlmHttpURLConnection.
>  The CXF handler doesn't support SSL. Is it actually possible to use both
>  SSL and NTLM using CXF (or any other JAX-WS implementation)?
> 
> I'm banging my head against a wall at the moment! Any help would be greatly
>  appreciated.
> 
> Code:
> I am using the NTLM
>  Authentication<http://cwiki.apache.org/CXF20DOC/client-http-transport-including-ssl-support.html>
>  example almost verbatim, and then used a conduit to allow HTTPS:
> 
>     //Set the jcifs properties
>     jcifs.Config.setProperty("jcifs.smb.client.domain", "my.domain.com");
>     jcifs.Config.setProperty("jcifs.netbios.wins", "my.wins.server.com");
>     jcifs.Config.setProperty("jcifs.smb.client.soTimeout", "300000"); //5 minutes
>     jcifs.Config.setProperty("jcifs.netbios.cachePolicy", "1200"); //20 minutes
>     //    jcifs.Config.setProperty("jcifs.smb.client.username", "myNTLogin");
>     //    jcifs.Config.setProperty("jcifs.smb.client.password", "secret");
> 
>     //Register the jcifs URL handler to enable NTLM
>     jcifs.Config.registerSmbURLHandler();
> 
>     ClientProxyFactoryBean factory = new ClientProxyFactoryBean(new JaxWsClientFactoryBean());
> 
>     factory.setServiceClass( ListsSoap.class );
>     factory.setAddress( "https://my.service.endpoint.url" );
>     ListsSoap client = (ListsSoap) factory.create();
>     Client proxy = ClientProxy.getClient( client );
> 
>     HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
>     httpClientPolicy.setConnectionTimeout(36000);
>     httpClientPolicy.setAllowChunking(false);
> 
>     HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
>     conduit.setClient(httpClientPolicy);
>     TLSClientParameters tcp = new TLSClientParameters();
>     tcp.setTrustManagers( new TrustManager[]{ new TrustAllX509TrustManager() } );
>     conduit.setTlsClientParameters( tcp );
> 
>     GetListCollectionResult col  = client.getListCollection();
>     System.out.println(col);
> 

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
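
Added example, not part of the original thread and not CXF's own sample code: one way to set up what Dan suggests for HTTPS (Basic auth on the CXF conduit), with the server certificate validated against a trust store rather than the trust-all manager in the quoted code. It assumes the endpoint accepts Basic authentication; the class `BasicOverTlsConduit`, the `configure` helper and its parameters are hypothetical names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class BasicOverTlsConduit {

    private BasicOverTlsConduit() { }

    // Hypothetical helper (not CXF or thread code). trustStorePath is assumed to be
    // a JKS file holding the CA that signed the endpoint's certificate.
    public static void configure(Object proxy, String user, String password,
                                 String trustStorePath, char[] trustStorePassword)
            throws Exception {
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        // The jcifs URL handler is not registered here: per the thread, it replaces
        // the HttpsURLConnection that CXF applies its TLS settings to.

        // Trust only the CAs in the given store so the certificate chain is validated.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false); // keep hostname verification on
        conduit.setTlsClientParameters(tls);

        // Basic credentials are only base64-encoded, so their confidentiality
        // depends entirely on the validated TLS channel configured above.
        AuthorizationPolicy auth = new AuthorizationPolicy();
        auth.setAuthorizationType("Basic");
        auth.setUserName(user);
        auth.setPassword(password);
        conduit.setAuthorization(auth);
    }
}
```

Call `configure(client, ...)` on the proxy returned by `factory.create()` before the first service invocation.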
