hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1881) NTLM authentication against ntlm.herokuapp.com
Date Sat, 18 Nov 2017 10:34:00 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16258017#comment-16258017
] 

Oleg Kalnichevski commented on HTTPCLIENT-1881:
-----------------------------------------------

All HttpComponents active projects got migrated to Git some while ago. 

https://git-wip-us.apache.org/repos/asf/httpcomponents-client.git

Please let me know if you want me to commit the patch on your behalf.

Cheers

Oleg 

> NTLM authentication against ntlm.herokuapp.com
> ----------------------------------------------
>
>                 Key: HTTPCLIENT-1881
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1881
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.3
>            Reporter: Marcel Stör
>            Assignee: Karl Wright
>              Labels: authentication, ntlm
>         Attachments: HTTPCLIENT-1881.patch, msr-ntlm-prototype.zip
>
>
> I'm prototyping NTLM authentication with your 4.5 HTTP client and Spring RestTemplate.
This currently fails with a {{org.apache.http.impl.auth.NTLMEngineException}} "NTLM authentication
error: NTLM authentication - buffer too small for data item". 
> The code, wire log (below) and a simple standalone test application (attached) are included.
> h2. Code
> {code:java}
> RestTemplate restTemplate = new RestTemplate();
> restTemplate.setRequestFactory(buildHttpComponentsClientHttpRequestFactory(args));
> private static HttpComponentsClientHttpRequestFactory
> buildHttpComponentsClientHttpRequestFactory(String[] args) {
>   PoolingHttpClientConnectionManager cm = new
> PoolingHttpClientConnectionManager();
>   cm.setMaxTotal(128);
>   cm.setDefaultMaxPerRoute(24);
>   RequestConfig.Builder requestBuilder =
> RequestConfig.custom().setConnectTimeout(5000).setSocketTimeout(10000);
>   Registry<AuthSchemeProvider> authSchemeRegistry =
> RegistryBuilder.<AuthSchemeProvider>create()
>     .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
>     .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory()).build();
>   CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
>   credentialsProvider.setCredentials(AuthScope.ANY, new
> NTCredentials(args[1], args[2], null, args[3]));
>   HttpClientBuilder builder = HttpClientBuilder.create()
>     .setConnectionManager(cm)
>     .setDefaultRequestConfig(requestBuilder.build())
>     .setDefaultAuthSchemeRegistry(authSchemeRegistry)
>     .setDefaultCredentialsProvider(credentialsProvider);
>   return new HttpComponentsClientHttpRequestFactory(builder.build());
> }
> {code}
> h2. Wire log
> {noformat}
> 23:21:22,983 | RestTemplate                        | Created GET request for "https://ntlm.herokuapp.com"
> 23:21:22,987 | RestTemplate                        | Setting request Accept header to
[text/plain, */*]
> 23:21:22,997 | RequestAddCookies                   | CookieSpec selected: default
> 23:21:23,006 | RequestAuthCache                    | Auth cache not set in the context
> 23:21:23,007 | PoolingHttpClientConnectionManager  | Connection request: [route: {s}->https://ntlm.herokuapp.com:443][total
kept alive: 0; route allocated: 0 of 24; total allocated: 0 of 128]
> 23:21:23,029 | PoolingHttpClientConnectionManager  | Connection leased: [id: 0][route:
{s}->https://ntlm.herokuapp.com:443][total kept alive: 0; route allocated: 1 of 24; total
allocated: 1 of 128]
> 23:21:23,031 | MainClientExec                      | Opening connection {s}->https://ntlm.herokuapp.com:443
> 23:21:23,299 | DefaultHttpClientConnectionOperator | Connecting to ntlm.herokuapp.com/54.235.146.123:443
> 23:21:23,299 | SSLConnectionSocketFactory          | Connecting socket to ntlm.herokuapp.com/54.235.146.123:443
with timeout 5000
> 23:21:23,581 | SSLConnectionSocketFactory          | Enabled protocols: [TLSv1, TLSv1.1,
TLSv1.2]
> 23:21:23,582 | SSLConnectionSocketFactory          | Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> 23:21:23,582 | SSLConnectionSocketFactory          | Starting handshake
> 23:21:23,989 | SSLConnectionSocketFactory          | Secure session established
> 23:21:23,989 | SSLConnectionSocketFactory          |  negotiated protocol: TLSv1.2
> 23:21:23,989 | SSLConnectionSocketFactory          |  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 23:21:23,990 | SSLConnectionSocketFactory          |  peer principal: CN=*.herokuapp.com,
O="Heroku, Inc.", L=San Francisco, ST=California, C=US
> 23:21:23,990 | SSLConnectionSocketFactory          |  peer alternative names: [*.herokuapp.com,
herokuapp.com]
> 23:21:23,990 | SSLConnectionSocketFactory          |  issuer principal: CN=DigiCert SHA2
High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
> 23:21:23,994 | DefaultHttpClientConnectionOperator | Connection established 172.19.1.229:63526<->54.235.146.123:443
> 23:21:23,994 | DefaultManagedHttpClientConnection  | http-outgoing-0: set socket timeout
to 10000
> 23:21:23,994 | MainClientExec                      | Executing request GET / HTTP/1.1
> 23:21:23,995 | MainClientExec                      | Target auth state: UNCHALLENGED
> 23:21:23,995 | MainClientExec                      | Proxy auth state: UNCHALLENGED
> 23:21:23,996 | headers                             | http-outgoing-0 >> GET / HTTP/1.1
> 23:21:23,996 | headers                             | http-outgoing-0 >> Accept:
text/plain, */*
> 23:21:23,996 | headers                             | http-outgoing-0 >> Host: ntlm.herokuapp.com
> 23:21:23,996 | headers                             | http-outgoing-0 >> Connection:
Keep-Alive
> 23:21:23,996 | headers                             | http-outgoing-0 >> User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_66)
> 23:21:23,996 | headers                             | http-outgoing-0 >> Accept-Encoding:
gzip,deflate
> 23:21:23,996 | wire                                | http-outgoing-0 >> "GET /
HTTP/1.1[\r][\n]"
> 23:21:23,996 | wire                                | http-outgoing-0 >> "Accept:
text/plain, */*[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "Host:
ntlm.herokuapp.com[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "HTTP/1.1
401 Unauthorized [\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Connection:
keep-alive[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Www-Authenticate:
NTLM[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Server:
WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Date:
Thu, 16 Nov 2017 22:20:57 GMT[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Content-Length:
0[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Via: 1.1
vegur[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "[\r][\n]"
> 23:21:24,177 | headers                             | http-outgoing-0 << HTTP/1.1
401 Unauthorized
> 23:21:24,177 | headers                             | http-outgoing-0 << Connection:
keep-alive
> 23:21:24,178 | headers                             | http-outgoing-0 << Www-Authenticate:
NTLM
> 23:21:24,178 | headers                             | http-outgoing-0 << Server:
WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
> 23:21:24,178 | headers                             | http-outgoing-0 << Date: Thu,
16 Nov 2017 22:20:57 GMT
> 23:21:24,178 | headers                             | http-outgoing-0 << Content-Length:
0
> 23:21:24,178 | headers                             | http-outgoing-0 << Via: 1.1
vegur
> 23:21:24,181 | MainClientExec                      | Connection can be kept alive indefinitely
> 23:21:24,181 | HttpAuthenticator                   | Authentication required
> 23:21:24,183 | HttpAuthenticator                   | ntlm.herokuapp.com:443 requested
authentication
> 23:21:24,184 | TargetAuthenticationStrategy        | Authentication schemes in the order
of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
> 23:21:24,184 | TargetAuthenticationStrategy        | Challenge for Negotiate authentication
scheme not available
> 23:21:24,184 | TargetAuthenticationStrategy        | Challenge for Kerberos authentication
scheme not available
> 23:21:24,191 | TargetAuthenticationStrategy        | Challenge for Digest authentication
scheme not available
> 23:21:24,191 | TargetAuthenticationStrategy        | Challenge for Basic authentication
scheme not available
> 23:21:24,191 | HttpAuthenticator                   | Selected authentication options:
[NTLM]
> 23:21:24,192 | DefaultManagedHttpClientConnection  | http-outgoing-0: set socket timeout
to 10000
> 23:21:24,192 | MainClientExec                      | Executing request GET / HTTP/1.1
> 23:21:24,192 | MainClientExec                      | Target auth state: CHALLENGED
> 23:21:24,192 | HttpAuthenticator                   | Generating response to an authentication
challenge using ntlm scheme
> 23:21:24,192 | MainClientExec                      | Proxy auth state: UNCHALLENGED
> 23:21:24,192 | headers                             | http-outgoing-0 >> GET / HTTP/1.1
> 23:21:24,192 | headers                             | http-outgoing-0 >> Accept:
text/plain, */*
> 23:21:24,192 | headers                             | http-outgoing-0 >> Host: ntlm.herokuapp.com
> 23:21:24,192 | headers                             | http-outgoing-0 >> Connection:
Keep-Alive
> 23:21:24,192 | headers                             | http-outgoing-0 >> User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_66)
> 23:21:24,192 | headers                             | http-outgoing-0 >> Accept-Encoding:
gzip,deflate
> 23:21:24,192 | headers                             | http-outgoing-0 >> Authorization:
NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==
> 23:21:24,193 | wire                                | http-outgoing-0 >> "GET /
HTTP/1.1[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Accept:
text/plain, */*[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Host:
ntlm.herokuapp.com[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Authorization:
NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "[\r][\n]"
> 23:21:24,367 | wire                                | http-outgoing-0 << "HTTP/1.1
401 Unauthorized [\r][\n]"
> 23:21:24,367 | wire                                | http-outgoing-0 << "Connection:
keep-alive[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Www-Authenticate:
NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Server:
WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Date:
Thu, 16 Nov 2017 22:20:58 GMT[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Content-Length:
0[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Via: 1.1
vegur[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "[\r][\n]"
> 23:21:24,368 | headers                             | http-outgoing-0 << HTTP/1.1
401 Unauthorized
> 23:21:24,368 | headers                             | http-outgoing-0 << Connection:
keep-alive
> 23:21:24,368 | headers                             | http-outgoing-0 << Www-Authenticate:
NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=
> 23:21:24,368 | headers                             | http-outgoing-0 << Server:
WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
> 23:21:24,368 | headers                             | http-outgoing-0 << Date: Thu,
16 Nov 2017 22:20:58 GMT
> 23:21:24,368 | headers                             | http-outgoing-0 << Content-Length:
0
> 23:21:24,369 | headers                             | http-outgoing-0 << Via: 1.1
vegur
> 23:21:24,369 | MainClientExec                      | Connection can be kept alive indefinitely
> 23:21:24,369 | HttpAuthenticator                   | Authentication required
> 23:21:24,369 | HttpAuthenticator                   | ntlm.herokuapp.com:443 requested
authentication
> 23:21:24,369 | HttpAuthenticator                   | Authorization challenge processed
> 23:21:24,369 | DefaultManagedHttpClientConnection  | http-outgoing-0: set socket timeout
to 10000
> 23:21:24,369 | MainClientExec                      | Executing request GET / HTTP/1.1
> 23:21:24,369 | MainClientExec                      | Target auth state: HANDSHAKE
> 23:21:24,370 | HttpAuthenticator                   | NTLM authentication error: NTLM
authentication - buffer too small for data item
> 23:21:24,370 | MainClientExec                      | Proxy auth state: UNCHALLENGED
> 23:21:24,371 | headers                             | http-outgoing-0 >> GET / HTTP/1.1
> 23:21:24,371 | headers                             | http-outgoing-0 >> Accept:
text/plain, */*
> 23:21:24,371 | headers                             | http-outgoing-0 >> Host: ntlm.herokuapp.com
> 23:21:24,371 | headers                             | http-outgoing-0 >> Connection:
Keep-Alive
> 23:21:24,371 | headers                             | http-outgoing-0 >> User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_66)
> 23:21:24,371 | headers                             | http-outgoing-0 >> Accept-Encoding:
gzip,deflate
> 23:21:24,371 | wire                                | http-outgoing-0 >> "GET /
HTTP/1.1[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Accept:
text/plain, */*[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Host:
ntlm.herokuapp.com[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "HTTP/1.1
401 Unauthorized [\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Connection:
keep-alive[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Www-Authenticate:
NTLM[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Server:
WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Date:
Thu, 16 Nov 2017 22:20:58 GMT[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Content-Length:
0[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Via: 1.1
vegur[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "[\r][\n]"
> 23:21:24,562 | headers                             | http-outgoing-0 << HTTP/1.1
401 Unauthorized
> 23:21:24,562 | headers                             | http-outgoing-0 << Connection:
keep-alive
> 23:21:24,563 | headers                             | http-outgoing-0 << Www-Authenticate:
NTLM
> 23:21:24,563 | headers                             | http-outgoing-0 << Server:
WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
> 23:21:24,563 | headers                             | http-outgoing-0 << Date: Thu,
16 Nov 2017 22:20:58 GMT
> 23:21:24,563 | headers                             | http-outgoing-0 << Content-Length:
0
> 23:21:24,563 | headers                             | http-outgoing-0 << Via: 1.1
vegur
> 23:21:24,563 | MainClientExec                      | Connection can be kept alive indefinitely
> 23:21:24,563 | HttpAuthenticator                   | Authentication required
> 23:21:24,563 | HttpAuthenticator                   | ntlm.herokuapp.com:443 requested
authentication
> 23:21:24,563 | HttpAuthenticator                   | Authorization challenge processed
> 23:21:24,563 | HttpAuthenticator                   | Authentication failed
> 23:21:24,563 | PoolingHttpClientConnectionManager  | Connection [id: 0][route: {s}->https://ntlm.herokuapp.com:443]
can be kept alive indefinitely
> 23:21:24,563 | PoolingHttpClientConnectionManager  | Connection released: [id: 0][route:
{s}->https://ntlm.herokuapp.com:443][total kept alive: 1; route allocated: 1 of 24; total
allocated: 1 of 128]
> 23:21:24,568 | RestTemplate                        | GET request for "https://ntlm.herokuapp.com"
resulted in 401 (Unauthorized); invoking error handler
> 23:21:24,571 | NtlmPrototype                       | Request failed
> org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
> 	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:63)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
> 	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)
~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
> 	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
> 	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
> 	at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:312) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
> 	at NtlmPrototype.issueGetRequest(NtlmPrototype.java:50) [classes/:?]
> 	at NtlmPrototype.main(NtlmPrototype.java:32) [classes/:?]
> {noformat}
> h3. Test application
> - use attached ZIP or download from https://frightanic.com/misc/msr-ntlm-prototype.zip
(26.7KB)
> - unzip
> - $ mvn package
> - $ java -jar target/ntlm-prototype-1.0-SNAPSHOT.jar https://ntlm.herokuapp.com user
pass domain



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message