hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: SV: NTLM proxy authentication
Date Tue, 20 Mar 2012 21:16:56 GMT
On Tue, 2012-03-20 at 15:26 +0000, Thomas Vestergaard wrote:
> Hi,
> 
> Just to follow up, I got NTLM proxy to work - atleast partly by using JCIFS as described
on: http://hc.apache.org/httpcomponents-client-ga/ntlm.html
> 

Unfortunately the default NTLM implementation shipped with HttpClient is
not particularly great. As long as you do not mind using LGPL licensed
software JCIFS is the way to go.

Oleg  

> However, I still have a number of use-cases, where my implementation fails. From what
I can gather from the logs, it has to do with missing proxy auth of redirects. (See below.)
> 
> I there something I need to set or override to enable authentication on each connection
rather than request?
> Or is it possible to prevent the client from closing the connection between the two GET's?
(Regardless of this problem, it seems wasteful. But I might be mistaken.)
> 
> Best regards,
> Thomas
> 
> [snip - initial GET resulting in 307 Temporary Redirect]
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1
307 Temporary Redirect
> DEBUG [org.apache.http.headers] << HTTP/1.1 307 Temporary Redirect
> DEBUG [org.apache.http.headers] << Accept-Ranges: bytes
> DEBUG [org.apache.http.headers] << Age: 0
> DEBUG [org.apache.http.headers] << Content-Type: application/xml
> DEBUG [org.apache.http.headers] << Date: Tue, 20 Mar 2012 14:51:56 GMT
> DEBUG [org.apache.http.headers] << Location: https://partner.com/users/42/info?apiuserid=TNDK
> DEBUG [org.apache.http.headers] << Server: Jetty(8.0.0.M2)
> DEBUG [org.apache.http.headers] << Via: 1.1 varnish
> DEBUG [org.apache.http.headers] << X-Varnish: 1790574415
> DEBUG [org.apache.http.headers] << Content-Length: 0
> DEBUG [org.apache.http.headers] << Connection: keep-alive
> DEBUG [org.apache.http.client.protocol.ResponseAuthCache] Caching 'basic' auth scheme
for https://partner.com
> DEBUG [org.apache.http.impl.client.DefaultRedirectStrategy] Redirect requested to location
'https://partner.com/id/users/42/info?apiuserid=TNDK'
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Redirecting to 'https://partner.com/id/users/42/info?apiuserid=TNDK'
via HttpRoute[{tls}->http://tmgproxy.telenor.dk:8080->https://partner.com]
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Connection closed
> DEBUG [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.client.protocol.RequestAuthCache] Re-using cached 'ntlm' auth
scheme for http://tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: CONNECT partner.com:443
HTTP/1.1
> DEBUG [org.apache.http.headers] >> CONNECT partner.com:443 HTTP/1.1
> DEBUG [org.apache.http.headers] >> Host: partner.com
> DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
> DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java 1.5)
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1
407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request.
Access to the Web Proxy filter is denied.  )
> DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required (
Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter
is denied.  )
> DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: Negotiate
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: Kerberos
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM
> DEBUG [org.apache.http.headers] << Connection: close
> DEBUG [org.apache.http.headers] << Proxy-Connection: close
> DEBUG [org.apache.http.headers] << Pragma: no-cache
> DEBUG [org.apache.http.headers] << Cache-Control: no-cache
> DEBUG [org.apache.http.headers] << Content-Type: text/html
> DEBUG [org.apache.http.headers] << Content-Length: 2687  
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested authentication
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge processed
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: NTLM <any
realm>@tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication failed
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Connection closed
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] CONNECT refused by proxy: HTTP/1.1
407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request.
Access to the Web Proxy filter is denied.  )
> DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@1f78040
> 
> 
> 
> -----Oprindelig meddelelse-----
> Fra: Thomas Vestergaard [mailto:CGETHVE@telenor.dk] 
> Sendt: 20. marts 2012 13:35
> Til: httpclient-users@hc.apache.org
> Emne: NTLM proxy authentication
> 
> Hello,
> 
> I am having a problem with getting HttpClient to send requests through a proxy demanding
NTLM authentication, which I understand should be possible.
> 
> My code for trying to accomplish this:
> Credentials credentials;
> try {
>            credentials = new NTCredentials(proxyUsername, proxyPassword, InetAddress.getLocalHost().getHostName(),
proxyDomain);
> } catch (Exception e) {
>            throw new SessionException("Unable to create NTLM credentials for proxy authentication",
e);
> }
> client.getCredentialsProvider().setCredentials(new AuthScope(proxyHostname, proxyPort),
credentials);
> 
> HttpHost proxyHost = new HttpHost(proxyHostname, proxyPort);
> client.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxyHost);
> 
> AuthScheme proxyAuthScheme = new NTLMSchemeFactory().newInstance(client.getParams());
> authCache.put(proxyHost, proxyAuthScheme);
> 
> But I am apparently missing something, since it does not work.
> 
> The authCache is later added to the context used in the execute call. Without this, I
get an error about missing an ini-file - looks like an attempt to use Kerberos.
> The full log of the interaction is pasted below. As can also be seen in the log, I am
using HttpClient v. 4.1.3.
> 
>  Best regards,
> Telenor
> 
> Thomas Vestergaard
> Ekstern konsulent
> Technology
> Frederikskaj, DK-1780. KĂžbenhavn V
> Tel: +45 52 18 92 18  // e-mail: cgethve@telenor.dk<mailto:cgethve@telenor.dk>
> Web: http://www.telenor.dk<http://www.telenor.dk/>
> 
> DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Get connection for route HttpRoute[{}->http://tmgproxy.telenor.dk:8080->http://hc.apache.org:80]
> DEBUG [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
> DEBUG [org.apache.http.client.protocol.RequestAuthCache] Re-using cached 'ntlm' auth
scheme for http://tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 1 to execute request
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: GET http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html
HTTP/1.1
> DEBUG [org.apache.http.headers] >> GET http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html
HTTP/1.1
> DEBUG [org.apache.http.headers] >> Host: hc.apache.org:80
> DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
> DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java 1.5)
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1
407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request.
Access to the Web Proxy filter is denied.  )
> DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required (
Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter
is denied.  )
> DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: Negotiate
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: Kerberos
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM
> DEBUG [org.apache.http.headers] << Connection: Keep-Alive
> DEBUG [org.apache.http.headers] << Proxy-Connection: Keep-Alive
> DEBUG [org.apache.http.headers] << Pragma: no-cache
> DEBUG [org.apache.http.headers] << Cache-Control: no-cache
> DEBUG [org.apache.http.headers] << Content-Type: text/html
> DEBUG [org.apache.http.headers] << Content-Length: 3670
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Connection can be kept alive indefinitely
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested authentication
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge processed
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: NTLM <any
realm>@tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 2 to execute request
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: GET http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html
HTTP/1.1
> DEBUG [org.apache.http.headers] >> GET http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html
HTTP/1.1
> DEBUG [org.apache.http.headers] >> Host: hc.apache.org:80
> DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
> DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java 1.5)
> DEBUG [org.apache.http.headers] >> Proxy-Authorization: NTLM TlRMTVNTUAABAAAANQIIIAwADAA8AAAAHAAcACAAAABYAFAARgBFAFAAQwBDAEcARQBUAEgAVgBFAFQAUwBPAE4ARgBPAE4A
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1
407 Proxy Authentication Required ( Access is denied.  )
> DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required (
Access is denied.  )
> DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAFgAWADgAAAA1Aoki1+rF8hsocI8AAAAAAAAAALQAtABOAAAABgGxHQAAAA9TAE8ATgBPAEYATwBOAC4ARABPAE0AAgAWAFMATwBOAE8ARgBPAE4ALgBEAE8ATQABABIASQBWAEEAQgBUAE0ARwAwADIABAAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawADADAASQBWAEEAQgBUAE0ARwAwADIALgBpAG4AdAAuAHMAbwBuAG8AZgBvAG4ALgBkAGsABQAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawAHAAgAFOT4DpUGzQEAAAAA
> DEBUG [org.apache.http.headers] << Connection: Keep-Alive
> DEBUG [org.apache.http.headers] << Proxy-Connection: Keep-Alive
> DEBUG [org.apache.http.headers] << Pragma: no-cache
> DEBUG [org.apache.http.headers] << Cache-Control: no-cache
> DEBUG [org.apache.http.headers] << Content-Type: text/html
> DEBUG [org.apache.http.headers] << Content-Length: 0
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Connection can be kept alive indefinitely
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested authentication
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge processed
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: NTLM <any
realm>@tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 3 to execute request
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: GET http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html
HTTP/1.1
> DEBUG [org.apache.http.headers] >> GET http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html
HTTP/1.1
> DEBUG [org.apache.http.headers] >> Host: hc.apache.org:80
> DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
> DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java 1.5)
> DEBUG [org.apache.http.headers] >> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADgAOAAWAAAAAwADAA4AQAADgAOAEQBAAAcABwAUgEAAAAAAABuAQAANQIIILz16v88ObGIAyJRwplRA1RHf5V7zloNVnfwJnYZbsCj/uvqTyxBJbgBAQAAAAAAADDtlQ+VBs0BR3+Ve85aDVYAAAAAAgAWAFMATwBOAE8ARgBPAE4ALgBEAE8ATQABABIASQBWAEEAQgBUAE0ARwAwADIABAAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawADADAASQBWAEEAQgBUAE0ARwAwADIALgBpAG4AdAAuAHMAbwBuAG8AZgBvAG4ALgBkAGsABQAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawAHAAgAFOT4DpUGzQEAAAAAUwBPAE4ARgBPAE4AYwBnAGUAdABoAHYAZQBYAFAARgBFAFAAQwBDAEcARQBUAEgAVgBFAFQA
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1
407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request.
Access to the Web Proxy filter is denied.  )
> DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required (
Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter
is denied.  )
> DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: Negotiate
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: Kerberos
> DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM
> DEBUG [org.apache.http.headers] << Connection: close
> DEBUG [org.apache.http.headers] << Proxy-Connection: close
> DEBUG [org.apache.http.headers] << Pragma: no-cache
> DEBUG [org.apache.http.headers] << Cache-Control: no-cache
> DEBUG [org.apache.http.headers] << Content-Type: text/html
> DEBUG [org.apache.http.headers] << Content-Length: 3670
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested authentication
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge processed
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: NTLM <any
realm>@tmgproxy.telenor.dk:8080
> DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication failed
> DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@a9ae05
> DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Released connection open but
not reusable.
> DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Connection shut down
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message