hc-dev mailing list archives

From Roland Weber <ossf...@dubioso.net>
Subject plugin point for NTLM integrated Windows authentication
Date Sat, 08 Mar 2008 09:14:24 GMT
Hi Cathy,

maybe you can put the plugin point for integrated Windows
authentication into the equivalent of the NTCredentials [1].
For the sake of discussion, I will assume that the critical
hash computation requires two kinds of input:

a) some sort of challenge, seed, or init vector which is
    computed from the received authentication challenge
b) user credentials, either in the form of domain/name/pwd
    or from a native call

So my suggestion is...

/** Compute NT hash in pure Java. */
public class NTHasher {
   public static int computeNTHash(byte[] challenge, String domain,
                                   String name, String pwd) {
     // ...
   }
}

/** Obtain a hash for a challenge, generic. */
public interface NTHashProvider {
   int computeNTHash(byte[] challenge);
}

/** Pure Java credentials. */
public class NTCredentials implements NTHashProvider {
   // attributes: domain, name, pwd
   private String domain, name, pwd;

   public int computeNTHash(byte[] challenge) {
     return NTHasher.computeNTHash(challenge, domain, name, pwd);
   }
}

/** Windows system credentials. */
public class WinSystemCredentials implements NTHashProvider {
   public int computeNTHash(byte[] challenge) {
     // ...do something native or platform specific...
   }
}

With this approach, the system credentials are treated in the
same way as other credentials. There is no "backchannel" where
the authentication framework has to check for a platform specific
mechanism to invoke. If an application wants to use integrated
Windows authentication, it provides the WinSystemCredentials.
An application that doesn't will behave on Windows exactly as
it behaves on other platforms. We also wouldn't need an extra
mechanism to handle authentication failures. If the system
credentials are not what the server or proxy wants, that is just
the same as providing a wrong password in the pure Java credentials.

With only one or two interfaces and maybe a base class that ties
the WinSystemCredentials into HttpAuth, it should also be easy
to reuse the platform specific code in projects that do not rely
on HttpClient for HTTP and NTLM.
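
The design sketched in the message, seen from the consuming side, as an added example that is not part of the original message or of HttpClient's code. The `byte[]` types, the HMAC-SHA256 stand-in for the real NTLM computation, the injected `UnaryOperator` standing in for the native call, and the names `PluginPointDemo` and `serverAccepts` are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.function.UnaryOperator;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PluginPointDemo {
    /** Plugin point from the message; the byte[] types are an assumption. */
    interface NTHashProvider {
        byte[] computeNTHash(byte[] challenge) throws GeneralSecurityException;
    }

    /** Pure Java credentials. HMAC-SHA256 is a stand-in, NOT the NTLM computation. */
    static final class NTCredentials implements NTHashProvider {
        private final String domain, name, pwd;
        NTCredentials(String domain, String name, String pwd) {
            this.domain = domain; this.name = name; this.pwd = pwd;
        }
        public byte[] computeNTHash(byte[] challenge) throws GeneralSecurityException {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(pwd.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            mac.update((domain + "\\" + name).getBytes(StandardCharsets.UTF_8));
            return mac.doFinal(challenge);
        }
    }

    /** System credentials: the platform call is injected (hypothetical bridge). */
    static final class WinSystemCredentials implements NTHashProvider {
        private final UnaryOperator<byte[]> nativeCall;
        WinSystemCredentials(UnaryOperator<byte[]> nativeCall) { this.nativeCall = nativeCall; }
        public byte[] computeNTHash(byte[] challenge) { return nativeCall.apply(challenge); }
    }

    /** Stand-in for the server or proxy check: one path for every provider. */
    static boolean serverAccepts(NTHashProvider creds, byte[] challenge, byte[] expected)
            throws GeneralSecurityException {
        // No platform check and no password here; constant-time comparison.
        return MessageDigest.isEqual(creds.computeNTHash(challenge), expected);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] challenge = {1, 2, 3, 4, 5, 6, 7, 8};  // constructed sample challenge
        NTHashProvider good = new NTCredentials("CORP", "alice", "s3cret");
        byte[] expected = good.computeNTHash(challenge);
        NTHashProvider wrongPwd = new NTCredentials("CORP", "alice", "guess");
        NTHashProvider wrongSystem = new WinSystemCredentials(c -> new byte[32]);
        System.out.println("matching credentials accepted: " + serverAccepts(good, challenge, expected));
        System.out.println("wrong password accepted:       " + serverAccepts(wrongPwd, challenge, expected));
        System.out.println("wrong system creds accepted:   " + serverAccepts(wrongSystem, challenge, expected));
    }
}
```

The scheme-side method only ever receives a provider and a challenge, so a system-credential provider can answer without the password being handed to the authentication framework, and a rejected system credential takes the same failure path as a wrong password.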


