hc-httpclient-users mailing list archives

From Pedro Saraiva <psara...@maisis.pt>
Subject Re: SPNEGO and NTLMv2
Date Wed, 06 Jun 2012 10:39:04 GMT
Hello,

I don't think the browser is guessing, it's how the SPNEGO from 
Microsoft works.

Using the code you provided with a slight modification:

public void process(
        HttpResponse response,
        HttpContext context) throws HttpException, IOException {
    if (response.getStatusLine().getStatusCode() == 401) {
        Header ua = response.getFirstHeader("X-Powered-By");
        if (ua != null && ua.getValue()
                .equalsIgnoreCase("Servlet/3.0; JBossAS-6")) {
            Header challenge = response.getFirstHeader(AUTH.WWW_AUTH);
            if (challenge != null && challenge.getValue()
                    .equalsIgnoreCase("Negotiate")) {
                // Replace the single "Negotiate" challenge with two separate
                // WWW-Authenticate headers: one "Negotiate" and one "NTLM"
                response.setHeader(AUTH.WWW_AUTH, "Negotiate");
                response.addHeader(AUTH.WWW_AUTH, "NTLM");
            }
        }
    }
}

The server outputs:  Unsupported security package: NTLM. That's because 
it's configured to not support NTLMv1.

Analysing the packets (HttpClient versus browser), the difference seems to 
be in the Authorization header:
- HttpClient: Authorization: NTLM TlRMTVNT...
- Browser: Authorization: Negotiate TlRMTVNT...

Kind regards,

Pedro Saraiva
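The header difference noted above (a raw NTLMSSP token, base64 "TlRMTVNT..." = "NTLMSS", carried under the Negotiate scheme name) can be reproduced in HttpClient 4.2 by registering, under the `negotiate` key, an `NTLMScheme` subclass that accepts the bare `Negotiate` challenge and relabels the `Authorization` header it produces. The following is an added example written for this archive page; it is not code from the thread or from the HttpClient project. The class names `NegotiateNtlmExample`, `NtlmOverNegotiateScheme` and `NtlmOverNegotiateSchemeFactory` are chosen here, the user name, password and workstation are placeholders, and the example assumes (as the Wireshark capture described in the thread suggests) that the server accepts a raw NTLMSSP token in a `Negotiate` header, and that `NTLMEngineImpl` is public in the HttpClient 4.2 build in use.

```java
import java.io.IOException;

import org.apache.http.Header;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthSchemeFactory;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.NTLMEngineImpl;
import org.apache.http.impl.auth.NTLMScheme;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicHeader;
import org.apache.http.params.HttpParams;
import org.apache.http.util.EntityUtils;

/**
 * Added example (not from the thread): an NTLM scheme that answers a bare
 * "WWW-Authenticate: Negotiate" challenge with raw NTLMSSP tokens labelled
 * "Negotiate", which is what the browser was observed to send on the wire.
 */
public class NegotiateNtlmExample {

    /** The normal NTLM Type-1/Type-2/Type-3 exchange, named "Negotiate" on the wire. */
    static final class NtlmOverNegotiateScheme extends NTLMScheme {
        NtlmOverNegotiateScheme() {
            // Assumption: NTLMEngineImpl is public in this 4.2 build
            super(new NTLMEngineImpl());
        }

        // AuthSchemeBase.processChallenge compares the scheme identifier in the
        // challenge with this name, so "Negotiate" and "Negotiate <type2>" are
        // accepted and the token after the name is parsed as the Type-2 message.
        @Override
        public String getSchemeName() {
            return "Negotiate";
        }

        // NTLMScheme builds "Authorization: NTLM <base64>"; relabel it as
        // "Negotiate <base64>" without touching the token itself.
        @Override
        public Header authenticate(Credentials credentials, HttpRequest request)
                throws AuthenticationException {
            Header h = super.authenticate(credentials, request);
            String value = h.getValue();
            if (value.regionMatches(true, 0, "NTLM ", 0, 5)) {
                value = "Negotiate " + value.substring(5);
            }
            return new BasicHeader(h.getName(), value);
        }
    }

    /** Factory so the scheme can be registered in the client's AuthSchemeRegistry. */
    static final class NtlmOverNegotiateSchemeFactory implements AuthSchemeFactory {
        public AuthScheme newInstance(HttpParams params) {
            return new NtlmOverNegotiateScheme();
        }
    }

    public static void main(String[] args) throws IOException {
        // Host, port and path are those from the thread; credentials are placeholders.
        HttpHost target = new HttpHost("172.27.192.171", 8080, "http");
        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            // Replace the handler for the "negotiate" challenge on this client only.
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO,
                    new NtlmOverNegotiateSchemeFactory());

            // Scope the NT credentials to this one host and port so the NTLM
            // exchange is never performed against any other target.
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(target.getHostName(), target.getPort()),
                    new NTCredentials("USER", "PASSWORD", "WORKSTATION", "DEV"));

            HttpResponse response = httpclient.execute(target,
                    new HttpGet("/services/files/"));
            System.out.println(response.getStatusLine());
            EntityUtils.consume(response.getEntity());
        } finally {
            httpclient.getConnectionManager().shutdown();
        }
    }
}
```

Registering this factory under `AuthPolicy.SPNEGO` replaces the Kerberos/SPNEGO handler for the whole client instance, so Kerberos is no longer attempted at all; keep it on a client dedicated to this server rather than a shared one. The relabelled header does not turn the token into an SPNEGO message: it is a plain NTLM exchange that happens to travel under the `Negotiate` name, so the server must be one that accepts that, which is exactly what the browser capture in the thread shows for this JBoss instance.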

On 05-06-2012 20:53, Oleg Kalnichevski wrote:
> On Tue, 2012-06-05 at 16:03 +0100, Pedro Saraiva wrote:
>> Hi,
>>
>> The server sends only Negotiate, but the negotiable sub-mechanisms
>> include Kerberos and NTLMv2 (not NTLM). I think that's why it's called
>> Negotiate: the server and the client can agree upon a mechanism
>> supported by both.
>> In attachment goes a screenshot of wireshark that shows the packets sent
>> during a session between a browser and the server.
>> As you can see the server sends an Unauthorized with only
>> WWW-Authenticate: Negotiate. Then the browser starts the negotiation
>> with the server using NTLMv2.
>>
>> Kind regards,
>>
>> Pedro Saraiva
>>
> Pedro
>
> HttpClient is not a browser and is not supposed to do any guessing. The
> server is clearly misbehaving by not including NTLM in the challenge
> while still accepting NTLM as a valid authentication scheme.
>
> There are several ways you can force HttpClient to use NTLM instead of
> or in addition to SPNEGO.
>
> (1) by forcing NTLM auth scheme to be used in response to SPNEGO
> challenge
>
> ---
> DefaultHttpClient httpclient = new DefaultHttpClient();
> httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO,
>    new NTLMSchemeFactory());
> ---
>
> (2) by rewriting the auth challenge header
>
> ---
> DefaultHttpClient httpclient = new DefaultHttpClient();
> httpclient.addResponseInterceptor(new HttpResponseInterceptor() {
>
>      public void process(
>              HttpResponse response,
>              HttpContext context) throws HttpException, IOException {
>          if (response.getStatusLine().getStatusCode() == 401) {
>              Header ua = response.getFirstHeader("X-Powered-By");
>              if (ua != null && ua.getValue()
>                      .equalsIgnoreCase("Servlet/3.0; JBossAS-6")) {
>                  Header challenge = response.getFirstHeader(AUTH.WWW_AUTH);
>                  if (challenge != null && challenge.getValue()
>                          .equalsIgnoreCase("Negotiate")) {
>                      response.setHeader(AUTH.WWW_AUTH, "Negotiate, NTLM");
>                  }
>              }
>          }
>      }
> });
> ---
>
> Hope this helps
>
> Oleg
>
>> On 05-06-2012 15:31, Oleg Kalnichevski wrote:
>>> On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
>>>> Hi Oleg,
>>>>
>>>> Here's the session log from the code I posted earlier:
>>>>
>>>> executing request: GET /services/files/ HTTP/1.1
>>>> to target: http://172.27.192.171:8080
>>>> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
>>>> connection for route {}->http://172.27.192.171:8080
>>>> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
>>>> Connecting to 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
>>>> selected: best-match
>>>> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
>>>> set in the context
>>>> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
>>>> Target auth state: UNCHALLENGED
>>>> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
>>>> auth state: UNCHALLENGED
>>>> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
>>>> execute request
>>>> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
>>>> request: GET /services/files/ HTTP/1.1
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   GET /services/files/
>>>> HTTP/1.1
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   Host: 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   Connection: Keep-Alive
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   User-Agent:
>>>> Apache-HttpClient/4.2 (java 1.5)
>>>> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
>>>> response: HTTP/1.1 401 Unauthorized
>>>> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<   HTTP/1.1 401 Unauthorized
>>>> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<   Server: Apache-Coyote/1.1
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   X-Powered-By:
>>>> Servlet/3.0; JBossAS-6
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   WWW-Authenticate:
>>>> Negotiate
>>> Well, as you can see the server has been configured to support SPNEGO
>>> only. NTLM is not included in the authentication challenge as a supported
>>> option.
>>>
>>> Oleg
>>>
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Connection: keep-alive
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Content-Type:
>>>> text/html;charset=utf-8
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Content-Length: 952
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Date: Tue, 05 Jun 2012 14:14:50 GMT
>>>> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
>>>> be kept alive indefinitely
>>>> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
>>>> 172.27.192.171:8080 requested authentication
>>>> 2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Authentication schemes in the order of preference: [negotiate, Kerberos,
>>>> NTLM, Digest, Basic]
>>>> 2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
>>>> '' from the auth server
>>>> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for Kerberos authentication scheme not available
>>>> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for NTLM authentication scheme not available
>>>> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for Digest authentication scheme not available
>>>> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for Basic authentication scheme not available
>>>> 2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
>>>> authentication options: [NEGOTIATE]
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
>>>> selected: best-match
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
>>>> set in the context
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
>>>> Target auth state: CHALLENGED
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
>>>> Generating response to an authentication challenge using Negotiate scheme
>>>> 2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
>>>> NEGOTIATE authentication error: No valid credentials provided (Mechanism
>>>> level: No valid credentials provided (Mechanism level: Failed to find
>>>> any Kerberos tgt))
>>>> 2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
>>>> auth state: UNCHALLENGED
>>>> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
>>>> execute request
>>>> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
>>>> request: GET /services/files/ HTTP/1.1
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   GET /services/files/
>>>> HTTP/1.1
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   Host: 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   Connection: Keep-Alive
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   User-Agent:
>>>> Apache-HttpClient/4.2 (java 1.5)
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
>>>> response: HTTP/1.1 401 Unauthorized
>>>> ----------------------------------------
>>>> HTTP/1.1 401 Unauthorized
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   HTTP/1.1 401 Unauthorized
>>>> Response content length: 952
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   Server: Apache-Coyote/1.1
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   X-Powered-By:
>>>> Servlet/3.0; JBossAS-6
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   WWW-Authenticate:
>>>> Negotiate
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Connection: keep-alive
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Content-Type:
>>>> text/html;charset=utf-8
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Content-Length: 952
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Date: Tue, 05 Jun 2012 14:14:50 GMT
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
>>>> be kept alive indefinitely
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
>>>> 172.27.192.171:8080 requested authentication
>>>> 2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
>>>> challenge processed
>>>> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
>>>> '' from the auth server
>>>> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
>>>> already attempted
>>>> 2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
>>>> failed
>>>> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
>>>> Releasing connection
>>>> org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
>>>> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
>>>> Connection can be kept alive indefinitely
>>>> 2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
>>>> Connection 0.0.0.0:43639<->172.27.192.171:8080 closed
>>>>
>>>> Kind regards,
>>>> Pedro Saraiva
>>>>
>>>> On 05-06-2012 15:00, Oleg Kalnichevski wrote:
>>>>> On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have a site protected with SPNEGO. The authentication can be performed
>>>>>> with both Kerberos and NTLMv2.
>>>>>>
>>>>>> I'm trying to use HttpClient 4.2 to authenticate against this site
>>>>>> through NTLMv2 but without success so far. Here's my sample code:
>>>>>>
>>>>>> HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");
>>>>>>
>>>>>> DefaultHttpClient httpclient = new DefaultHttpClient();
>>>>>>
>>>>>> try {
>>>>>>     httpclient.getCredentialsProvider().setCredentials(
>>>>>>             new AuthScope(targetHost.getHostName(), targetHost.getPort()),
>>>>>>             new NTCredentials("psaraiva", "psaraiva",
>>>>>>                     InetAddress.getLocalHost().getHostName(), "DEV"));
>>>>>>             //new UsernamePasswordCredentials("psaraiva", "psaraiva"));
>>>>>>
>>>>>>     // Create AuthCache instance
>>>>>>     AuthCache authCache = new BasicAuthCache();
>>>>>>     // Generate BASIC scheme object and add it to the local
>>>>>>     // auth cache
>>>>>>     BasicScheme basicAuth = new BasicScheme();
>>>>>>     authCache.put(targetHost, basicAuth);
>>>>>>
>>>>>>     // Add AuthCache to the execution context
>>>>>>     BasicHttpContext localcontext = new BasicHttpContext();
>>>>>>     localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
>>>>>>
>>>>>>     HttpGet httpget = new HttpGet("/services/files/");
>>>>>>
>>>>>>     System.out.println("executing request: " + httpget.getRequestLine());
>>>>>>     System.out.println("to target: " + targetHost);
>>>>>>
>>>>>>     HttpResponse response = httpclient.execute(targetHost, httpget);//, localcontext);
>>>>>>     HttpEntity entity = response.getEntity();
>>>>>>
>>>>>>     System.out.println("----------------------------------------");
>>>>>>     System.out.println(response.getStatusLine());
>>>>>>     if (entity != null) {
>>>>>>         System.out.println("Response content length: " + entity.getContentLength());
>>>>>>     }
>>>>>>     EntityUtils.consume(entity);
>>>>>>
>>>>>> } finally {
>>>>>>     // When HttpClient instance is no longer needed,
>>>>>>     // shut down the connection manager to ensure
>>>>>>     // immediate deallocation of all system resources
>>>>>>     httpclient.getConnectionManager().shutdown();
>>>>>> }
>>>>>>
>>>>>> HttpClient seems to only try the Kerberos authentication and outputs the
>>>>>> following warning:
>>>>>> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
>>>>>> authentication error: No valid credentials provided (Mechanism level: No
>>>>>> valid credentials provided (Mechanism level: Failed to find any Kerberos
>>>>>> tgt))
>>>>>>
>>>>>> However, I want to force it to use NTLMv2. The HttpClient NTLM
>>>>>> auth page states that NTLMv2 is supported since version 4.1.
>>>>>>
>>>>>> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or is it my bad
>>>>>> configuration that's causing it not to use NTLMv2?
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> Pedro Saraiva
>>>>>>
>>>>> Hi Pedro
>>>>>
>>>>> Generally SPNEGO takes precedence over NTLM per default but HttpClient
>>>>> 4.2 should have automatically attempted to authenticate with NTLM after
>>>>> SPNEGO failure.
>>>>>
>>>>> Could you please post a complete wire log of the HTTP session?
>>>>>
>>>>> http://hc.apache.org/httpcomponents-client-ga/logging.html
>>>>>
>>>>> Oleg
>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>>>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>>>>
>>>>
>>>
>>>
>>
>
>
>



