On Tue, Nov 15, 2011 at 11:59 PM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi
>
> On 15/11/11 23:09, Lucas Madar wrote:
>
>> I have an application that runs fine on a Linux machine using CXF to access
>> a service on a Windows IIS server via REST. I am not in control of this
>> server or the way things are implemented on it. Parts of the service are
>> secured via Windows authentication, and accessing them gives a 401
>> (forbidden) error. This is great and the intended behavior.
>>
>> When I run the application on a Windows machine, the Windows machine
>> attempts to negotiate NTLM for SSO. This is not desirable in this
>> situation. Is there any way to disable NTLM?
>
> As far as CXF is concerned, you can make it participate in the NTLM flow,
> Christian added this section:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-NTLMAuthentication
>
> Christian, does that section assume that a client is running on Windows?
> It appears it may do on Linux too
>
> Cheers, Sergey

From the link: On Java 6, NTLM authentication is built into the Java runtime and you don't need to do anything special.

That's exactly what I *don't* want. I want to turn *OFF* NTLM authentication. However, I've determined that this isn't easily doable, as it's built deep into the belly of the sun.net.www.protocol.http version of HttpUrlConnection. But I came up with an overly complex and technical solution, in case anyone else is ever in my situation:

I found a way to do this that works in Sun Java 1.6.24+ by subclassing sun.net.www.protocol.http.NTLMAuthenticationCallback and making isTrustedSite(URL) always return false. Then I used NTLMAuthenticationCallback.setNTLMAuthenticationCallback() with an instance. In Sun Java 1.6.23 and prior, NTLM SSO isn't automatic, so there's no problem (and this class doesn't exist).

In 1.7.x, it looks like the class has been moved to sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback. I had to write something that dynamically loads and then dynamically subclasses that class (ugh) using cglib/asm (I'd be willing to provide source if you e-mail me privately), as it needs to compile on any of these platforms as well.

If anyone knows of a better way to do this, I'd love to know. It seems strange to let outgoing connections from a servlet container on the Windows platform allow NTLM authentication against the user Tomcat is running as.

Lucas
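
The callback approach described in the message above, as an added example that is not the poster's code: a statically compiled version against the 1.7.x package location (on 1.6.24+ the import would be the `sun.net.www.protocol.http` package named in the message). The class names `DisableTransparentNtlm` and `NeverTrusted` and the probe URL are assumptions made up for illustration.

```java
import java.net.URL;
import sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback;

/** Hypothetical helper: stops the JRE from offering the logged-on Windows
 *  account's credentials to servers that answer with an NTLM challenge. */
public final class DisableTransparentNtlm {

    /** Treats no site as trusted, so HttpURLConnection never attempts
     *  NTLM single sign-on on its own. */
    static final class NeverTrusted extends NTLMAuthenticationCallback {
        @Override
        public boolean isTrustedSite(URL url) {
            return false;
        }
    }

    private DisableTransparentNtlm() {
    }

    /** The callback is one static, JVM-wide setting, so call this once at
     *  startup (e.g. from a ServletContextListener) before any outbound
     *  HTTP connection is opened. */
    public static void install() {
        NTLMAuthenticationCallback.setNTLMAuthenticationCallback(new NeverTrusted());
    }

    /** Reports whether the currently installed callback would allow
     *  transparent NTLM for the given URL. */
    public static boolean isTransparentNtlmAllowed(URL url) {
        return NTLMAuthenticationCallback.getNTLMAuthenticationCallback().isTrustedSite(url);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URL; no connection is made to it.
        URL probe = new URL("http://iis.example.invalid/secured/resource");

        System.out.println("before install: " + isTransparentNtlmAllowed(probe));
        install();
        System.out.println("after install:  " + isTransparentNtlmAllowed(probe));
    }
}
```

Because the setting is process-wide, it affects every web application in the same container, and any later call to `setNTLMAuthenticationCallback()` by other code replaces it.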