cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lucas Madar <>
Subject Re: Disabling NTLM authentication
Date Wed, 16 Nov 2011 09:19:26 GMT
On Tue, Nov 15, 2011 at 11:59 PM, Sergey Beryozkin <>wrote:

> Hi
> On 15/11/11 23:09, Lucas Madar wrote:
>> I have an application that runs fine on a linux machine using CXF to
>> access
>> a service on a windows IIS server via REST. I am not in control of this
>> server or the way things are implemented on it. Parts of the service are
>> secured via windows authentication, and accessing them gives a 401
>> (forbidden) error. This is great and the intended behavior.
>> When i run the application on a Windows machine, the windows machine
>> attempts to negotiate NTLM for SSO. This is not desirable in this
>> situation. Is there any way to disable NTLM?
> As far as CXF is concerned, you can make it participate in the NTLM flow,
> Christian added this section:
> including-ssl-support.html#**ClientHTTPTransport%**
> 28includingSSLsupport%29-**NTLMAuthentication<>
> Christian, is that section assumes that a client is running on Windows ?
> It appears it may do on Linux too
> Cheers, Sergey

>From the link:

 On Java 6, NTLM authentication is built into the Java runtime and you
don't need to do anything special.

That's exactly what I *don't* want. I want to turn *OFF* NTLM
authentication. However, I've determined that this isn't easily doable, as
it's built deep into the belly of the version of
HttpUrlConnection. But I came up with an overly complex and technical
solution, in case anyone else is ever in my situation:

I found a way to do this that works in sun java 1.6.24+ by subclassing and making
isTrustedSite(URL) always return false. Then I used
NTLMAuthenticationCallback.setNTLMAuthenticationCallback() with an instance.

In sun java 1.6.23 and prior, NTLM SSO isn't automatic, so there's no
problem (and this class doesn't exist). In 1.7.x, it looks like the class
has been moved to

I had to write something that dynamically loads and then dynamically
subclasses that class (ugh) using cglib/asm (I'd be willing to provide
source if you e-mail me privately), as it needs to compile on any of these
platforms as well.

If anyone knows of a better way to do this, I'd love to know. It seems
strange to let outgoing connections from a servlet container on the windows
platform allow NTLM authentication against the user tomcat is running as.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message