hc-dev mailing list archives

From Alfonso <spam_barbol...@jazzfree.com>
Subject Re: NTLM authentication
Date Thu, 30 Oct 2003 21:52:35 GMT
Michael

You are right, I was not using the rc2 source but the 
commons-httpclient-20031022.zip source. However in both cases the wire 
log is identical (except of course for the timestamps). Here it is

[DEBUG] wire - ->> "GET http://www.apache.org/ HTTP/1.1[\r][\n]"
[DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.1m1[\r][\n]"
[DEBUG] wire - ->> "Host: www.apache.org[\r][\n]"
[DEBUG] wire - ->> "Proxy-Connection: Keep-Alive[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 407 Proxy Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/4.0[\r][\n]"
[DEBUG] wire - -<< "Date: Thu, 30 Oct 2003 11:44:35 GMT[\r][\n]"
[DEBUG] wire - -<< "Connection: close[\r][\n]"
[DEBUG] wire - -<< "Proxy-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - ->> "GET http://www.apache.org/ HTTP/1.1[\r][\n]"
[DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.1m1[\r][\n]"
[DEBUG] wire - ->> "Proxy-Authorization: NTLM
[DEBUG] wire - ->> "Host: www.apache.org[\r][\n]"
[DEBUG] wire - ->> "Proxy-Connection: Keep-Alive[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 407 Proxy authentication required[\r][\n]"
[DEBUG] wire - -<< "Proxy-Authenticate: NTLM
[DEBUG] wire - -<< "Content-Length: 503[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] wire - -<< "<html><head><title>Error 407</title>[\r][\n]"
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<meta name="robots" content="noindex">[\r][\n]"
[DEBUG] wire - -<< "<META HTTP-EQUIV="Content-Type" CONTENT="text/html;
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<body>[\r][\n]"
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<h2>HTTP Error 407</h2>[\r][\n]"
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<p><strong>407 Proxy Authentication
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<p>You must authenticate with a proxy server before
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<p>Please contact the Web server's administrator if
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "</body></html>"
[DEBUG] wire - ->> "GET http://www.apache.org/ HTTP/1.1[\r][\n]"
[DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.1m1[\r][\n]"
[DEBUG] wire - ->> "Proxy-Authorization: NTLM
[DEBUG] wire - ->> "Host: www.apache.org[\r][\n]"
[DEBUG] wire - ->> "Proxy-Connection: Keep-Alive[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 407 Proxy authentication required[\r][\n]"
[DEBUG] wire - -<< "Proxy-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - -<< "Proxy-Connection: close[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 503[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] wire - -<< "<html><head><title>Error 407</title>[\r][\n]"
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<meta name="robots" content="noindex">[\r][\n]"
[DEBUG] wire - -<< "<META HTTP-EQUIV="Content-Type" CONTENT="text/html;
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<body>[\r][\n]"
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<h2>HTTP Error 407</h2>[\r][\n]"
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<p><strong>407 Proxy Authentication
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<p>You must authenticate with a proxy server before
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "<p>Please contact the Web server's administrator if
[DEBUG] wire - -<< "[\r][\n]"
[DEBUG] wire - -<< "</body></html>"

Anyway I'm on the second stage of my problem, which is validating using 
basic authentication against a web server. Now I face another problem: 
when the host being contacted responds with a WWW-Authenticate, the 
MethodDirector tries to reply with the username/password. However, it 
refuses to use the authentication realm it has just used to pass through 
the proxy again. Can you think of a fix for this? Clearly it should 
"forget" what realms had been used to authenticate with the proxy when 
trying to authenticate against the target host. It seems to me that the 
states of authentication (host and proxy) are mixed somehow.

Michael Becke wrote:

> Hello Alfonso,
>
> Have you been working with 2.0 RC2 or with the latest code from HEAD?  
> The HttpMethodDirector class was recently added to HEAD but does not 
> exist in RC2.  If you're using HEAD please give it a shot with RC2 and 
> see how things work.  Either way please post a wire log 
> <http://jakarta.apache.org/commons/httpclient/logging.html> of the 
> problem so we can get a better idea of what's happening.
>
> Thanks,
>
> Mike
>
> On Oct 29, 2003, at 5:25 PM, Alfonso wrote:
>
>>
>> Hi to all
>>
>> Excuse me as I am relatively new to low-level network plumbing so 
>> this may sound amateur to you.
>>
>> I was having problems trying to make HttpClient 2rc2 authenticate 
>> to my Microsoft proxy server.
>> Despite trying all combinations of user/domain/host in the credentials 
>> I always got the same result, reply code 407.
>>
>> Tracing through the sequence of actions and activating the debugger 
>> and examining the publicly available documentation about NTLM 
>> challenge/response I came to the conclusion that the problem was that 
>> HttpMethodDirector was wrongly closing the connection after the 
>> second stage of authentication. Thus, in the third stage the client 
>> sent what was apparently a correct authentication header but was being 
>> rejected by the proxy as it did not belong to the session that was just 
>> establishing the connection.
>>
>> The cause of the problem is that HttpMethodDirector expects not to 
>> see a response body until the authentication process is finished, 
>> that is, it understands that things should be ok the moment a 
>> response body is present. As I've found out by activating the debug 
>> log, the Microsoft proxy answers to the second stage of the 
>> authentication process with the response body that corresponds to the 
>> HTML page shown to the user when the authentication is not correct.
>>
>> The solution that I've tried that has passed a basic test (that is, 
>> it retrieves correctly the pages) is to modify the method in 
>> HttpMethodBase#canHaveResponseBody. As I understand that method is 
>> provided to ignore response bodies for certain return codes. That is, 
>> around line 2126 it says
>>
>>     if ((status >= 100 && status <= 199) || (status == 204)
>>             || (status == 304) ) { // NOT MODIFIED
>>         result = false;
>>     }
>>
>> If you instead say
>>
>>
>>     if ((status >= 100 && status <= 199) || (status == 204)
>>             || (status == 304) || (status == 407)) { // NOT MODIFIED
>>         result = false;
>>     }
>>
>> Things work, at least for me. I don't know how nor have the tools to 
>> generate a patch, and if I could I did not know where to send it. So 
>> if somebody out there is kind enough to test if this fixes things for 
>> every other case of proxy/authentication, it would be wise to 
>> incorporate the change into the final release. This Microsoft proxy 
>> feature has been something that I have wished to have for a very long 
>> time and not yet found in any other library.
>>
>> Keep up the good work.
>>
>> Alfonso
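The failure pattern discussed in this thread can be picked out of a wire log mechanically. The following is an added example, not code from the thread or from HttpClient: it flags a Type 2 challenge that arrives with a response body and a Type 3 message answered by another 407. The finding names, the host `proxied.example` and the minimal NTLM tokens are constructed for illustration.

```python
import base64
import re
import struct

WIRE = re.compile(r'^\[DEBUG\] wire - -(>>|<<) "(.*?)(?:\[\\r\]\[\\n\])?"?$', re.M)

def ntlm_type(value):
    """NTLM message type (1, 2 or 3) of an 'NTLM <base64>' header value, else None."""
    scheme, _, token = value.partition(" ")
    try:
        raw = base64.b64decode(token.strip())
    except ValueError:
        return None
    if scheme != "NTLM" or len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None  # bare "NTLM" offer, another scheme, or a truncated token
    return struct.unpack("<I", raw[8:12])[0]

def analyze(log_text):
    """Return finding names for a proxy NTLM handshake that did not complete."""
    findings, sent, got, length, in_headers = [], None, None, 0, False
    for direction, text in WIRE.findall(log_text):
        name, _, value = text.partition(":")
        name, value = name.strip().lower(), value.strip()
        if direction == ">>":  # request line or header sent by the client
            sent = ntlm_type(value) if name == "proxy-authorization" else sent
        elif text.startswith("HTTP/"):
            if text.split()[1] == "407" and sent == 3:
                findings.append("type3_rejected")  # proxy restarted after Type 3
            sent, got, length, in_headers = None, None, 0, True
        elif in_headers and name == "proxy-authenticate":
            got = ntlm_type(value)
        elif in_headers and name == "content-length" and value.isdigit():
            length = int(value)
        elif in_headers and text == "":  # blank line ends the response headers
            if got == 2 and length > 0:
                findings.append("challenge_with_body")  # Type 2 came with an error page
            in_headers = False
    return findings

def sample_log(body_len=503):
    """Constructed log: Type 1, Type 2 challenge with a body, Type 3, then 407 again."""
    t1, t2, t3 = ("NTLM " + base64.b64encode(struct.pack("<8sI", b"NTLMSSP", t)).decode() for t in (1, 2, 3))
    def wire(d, *lines):
        return [f'[DEBUG] wire - -{d} "{h}[\\r][\\n]"' for h in lines + ("",)]
    get, deny = "GET http://proxied.example/ HTTP/1.1", "HTTP/1.1 407 Proxy authentication required"
    rows = wire(">>", get, "Proxy-Authorization: " + t1)
    rows += wire("<<", deny, "Proxy-Authenticate: " + t2, f"Content-Length: {body_len}")
    rows += wire(">>", get, "Proxy-Authorization: " + t3)
    rows += wire("<<", deny, "Proxy-Authenticate: NTLM", "Proxy-Connection: close")
    return "\n".join(rows)
```

Tokens that the log has truncated, as in the archive copy above, decode to no message type and are skipped rather than guessed at.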