hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: domain argument in AuthScope constructor ineffective for NTLM
Date Thu, 29 Nov 2007 11:11:01 GMT

On Mon, 2007-11-26 at 00:13 +0530, Mubey N. wrote:
> I am doing NTLM authentication. There are multiple domains on the same
> URL.

My knowledge of Microsoft stuff got somewhat rusty but I believe in
Microsoft a host _always_ belongs to just one domain. The domain
controller may delegate the authentication process to another trusted
domain, but a user is meant to have only one set of credentials _per_
host. So, in Microsoft world authentication realms as defined by the
HTTP spec effectively are meaningless.

>  So, I am setting different credentials for different auth-scopes
> using a code as shown below.
> 
>     AuthScope scope = new AuthScope(url.getHost(), port, domain);
>     NTCredentials credentials = new NTCredentials(user, pass,
>         clientHost, domain);
>     httpclient.getState().setCredentials(scope, credentials);
> 

An NTLM domain and an authentication realm are completely different
things. For NTLM the realm should always be null <any>. 

> I have repeated this code a few times to set different credentials for
> different domains. In NTLM type 2 response from the server, the server
> sends the NTLM domain it expects for authentication.
> 
> However, I find that the httpclient pays no heed to the domain name
> specified in NTLM type 2 response. It simply goes ahead with
> authentication with an arbitrary credentials. Is this an expected
> behavior?
> 

Yes, it is. We offer only very limited support for NTLM authentication. 

> Does setting domain as the third argument of AuthScope(.., .., domain)
> constructor has no effect?
> 

Yes.

Oleg


> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Mime
View raw message