hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alfonso <spam_barbol...@jazzfree.com>
Subject NTLM authentication
Date Wed, 29 Oct 2003 22:25:23 GMT

Hi to all

Excuse me as I am relatively new to low-level network plumbing so this 
may sound amateur to you.

I was having problems trying to make HttpClient 2rc2 to authenticate to 
my Microsoft proxy server.
Despite trying all combinatios of user/domain/host in the credentials I 
always got the same result, reply code 407.

Tracing through the sequence of actions and activating the debugger and 
examining the publicly available documentation about NTLM 
challenge/response I came to the conclusion that the problem was that 
HttpMethodDirector was wrongly closing the connection after the second 
stage of authentication. Thus, in the third stage the client sent what 
apparently a correct authentication header but was beign rejected by the 
proxy as it not belong to the session that was just establishing the 

The cause of the problem is that HttpMethodDirector expects not to see a 
response body until the authentication process is finished, that is, it 
understands that things should be ok the moment a response body is 
present. As I've found out by activating the debug log, the Microsoft 
proxy answers to the second stage of the authentication process with the 
response body that corresponds to the HTML page shown to the user when 
the authentication is not correct.

The solution that I've tried that has passed a basic test (that is, it 
retrieves correctly the pages) is to modify the method in 
HttpMethodBase#canHaveResponseBody. As I understand that method is 
provided to ignore response bodies for certain return codes. That is, 
around line 2126 it says

if ((status >= 100 && status <= 199) || (status == 204)
|| (status == 304) ) { // NOT MODIFIED
result = false;

If you instead say

if ((status >= 100 && status <= 199) || (status == 204)
|| (status == 304) || (status == 407)) { // NOT MODIFIED
result = false;

Things work, at least for me. I don't know how nor have the tools to 
generate a patch, and if I could I did not know where to send it. So if 
somebody out there is kind enough to test if this fixes things for every 
other case of proxy/authentication, it would be wise to incorporate the 
change into the final release. This Microsoft proxy feature has been 
something that I have wished to have for a very long time and not yet 
found in any other library.

Keep up the good work.


To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

View raw message