Return-Path: Mailing-List: contact commons-httpclient-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list commons-httpclient-dev@jakarta.apache.org Received: (qmail 8531 invoked from network); 17 Apr 2003 21:17:40 -0000 Received: from mailstore.nshosts.com (216.58.174.135) by daedalus.apache.org with SMTP; 17 Apr 2003 21:17:40 -0000 Received: from intencha.com (unverified [150.101.184.197]) by mailstore.nshosts.com (Vircom SMTPRS 5.3.232) with ESMTP id for ; Thu, 17 Apr 2003 15:16:42 -0600 Date: Fri, 18 Apr 2003 07:18:20 +1000 Subject: Re: HTTPClient Ntlm Implementation Content-Type: text/plain; delsp=yes; charset=ISO-8859-1; format=flowed Mime-Version: 1.0 (Apple Message framework v552) From: Adrian Sutton To: "Commons HttpClient Project" Content-Transfer-Encoding: quoted-printable In-Reply-To: <7786E5C72B85D511BAA100065B1951B00242A855@ca.tco.net.br> Message-Id: <1D6125B0-711A-11D7-AC44-000393016056@intencha.com> X-Mailer: Apple Mail (2.552) X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Andre, This is very strange and is not my experience with NTLM. I wonder if =20= one of the more recent changes reduced the number of retries for =20 authorization and thus prevents us from completing the authorization. =20= I'll take a look into it once I get through the Good Friday church =20 services this morning (Easters a busy time for an organist :) but in =20 the mean time getting a full wire trace and trace log (trace level is =20= more useful than debug level) would be quite useful. Thanks for the detailed description of the problem, NTLM is a very =20 difficult scheme to work with so getting as much detail as possible is =20= greatly appreciated. Regards, Adrian Sutton. On Friday, April 18, 2003, at 06:13 AM, Andr=E9 Augusto de Oliveira =20 Arag=E3o wrote: > Sorry... > > Just forget the last message. The correct sequence should be: > httpclient -> Server GET ... > > Server -> httpclient 401 Unauthorized > WWW-Authenticate: NTLM > > httpclient -> Server GET ... > Authorization: NTLM > TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S > > Server -> httpclient 401 Unauthorized > WWW-Authenticate: NTLM > TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA=3D=3D > > httpclient -> Server GET ... > Authorization: NTLM > = TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAA=20= > AAACi > = AAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQB=20= > UAFkA > rYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT > > Server -> httpclient 200 Ok > > But actually it is: > > httpclient -> Server GET ... > > Server -> httpclient 401 Unauthorized > WWW-Authenticate: NTLM > I know that the connection must be closed here, and =20 > httpclient > handles it nicely (Connection: close header). > > httpclient -> Server GET ... > Authorization: NTLM > TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S > > Server -> httpclient 401 Unauthorized > WWW-Authenticate: NTLM > TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA=3D=3D > > httpclient stops here, and returns 401. > > Andre > > -----Original Message----- > From: Andr=E9 Augusto de Oliveira Arag=E3o > Sent: quinta-feira, 17 de abril de 2003 16:50 > To: 'Commons HttpClient Project' > Subject: RE: HTTPClient Ntlm Implementation > > > Debugging further, I discovered that httpclient always send =20 > authorization: > NTLM . When it get the 401 reply, it sends the = =20 > NTLM > , but does not process the =20 > server > reply WWW-Authenticate: NTLM <...>. In this point, it should reply = with > WWW-Authenticate: NTLM , and after the =20= > second > server reply, it should reply with Authorization: NTLM type-3-message>. The message types are described in the following =20 > document: > http://www.innovation.ch/java/ntlm.html. What am I missing? > > Regards, > > Andre > > -----Original Message----- > From: Andr=E9 Augusto de Oliveira Arag=E3o > Sent: quinta-feira, 17 de abril de 2003 16:06 > To: 'commons-httpclient-dev@jakarta.apache.org' > Subject: HTTPClient Ntlm Implementation > > > HI! > > I am still having a bad time trying to make ntlm authentication work. =20= > It > always returns 401. I tried it against a IIS server and against a = jboss > server using a filter I developed a long time ago. This filter =20 > simulates the > ntlm authentication. I know that ntlm is done on connection =20 > establishment, > but if the server uses keep-alive (http 1.1), the filter works. =20 > Debugging > the filter, I find out that http-client uses only two steps to do ntlm > authentication. Is it correct? > > Thanks in advance, > > Andre > > --------------------------------------------------------------------- > To unsubscribe, e-mail: > commons-httpclient-dev-unsubscribe@jakarta.apache.org > For additional commands, e-mail: > commons-httpclient-dev-help@jakarta.apache.org > > --------------------------------------------------------------------- > To unsubscribe, e-mail: =20 > commons-httpclient-dev-unsubscribe@jakarta.apache.org > For additional commands, e-mail: =20 > commons-httpclient-dev-help@jakarta.apache.org >