[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright updated HTTPCLIENT-1881:
------------------------------------
    Attachment: HTTPCLIENT-1881.patch

Here's the patch to apply.


> NTLM authentication against ntlm.herokuapp.com
> ----------------------------------------------
>
>                 Key: HTTPCLIENT-1881
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1881
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.3
>            Reporter: Marcel Stör
>            Assignee: Karl Wright
>              Labels: authentication, ntlm
>         Attachments: HTTPCLIENT-1881.patch, msr-ntlm-prototype.zip
>
>
> I'm prototyping NTLM authentication with your 4.5 HTTP client and Spring 
> RestTemplate. This currently fails with a 
> {{org.apache.http.impl.auth.NTLMEngineException}} "NTLM authentication error: 
> NTLM authentication - buffer too small for data item". 
> The code, wire log (below) and a simple standalone test application 
> (attached) are included.
> h2. Code
> {code:java}
> import org.apache.http.auth.AuthSchemeProvider;
> import org.apache.http.auth.AuthScope;
> import org.apache.http.auth.NTCredentials;
> import org.apache.http.client.CredentialsProvider;
> import org.apache.http.client.config.AuthSchemes;
> import org.apache.http.client.config.RequestConfig;
> import org.apache.http.config.Registry;
> import org.apache.http.config.RegistryBuilder;
> import org.apache.http.impl.auth.NTLMSchemeFactory;
> import org.apache.http.impl.auth.SPNegoSchemeFactory;
> import org.apache.http.impl.client.BasicCredentialsProvider;
> import org.apache.http.impl.client.HttpClientBuilder;
> import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
> import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
> import org.springframework.web.client.RestTemplate;
> 
> public class NtlmPrototype {
>   // args: <url> <user> <password> <domain>, as in the run command under "Test application"
>   public static void main(String[] args) {
>     RestTemplate restTemplate = new RestTemplate();
>     restTemplate.setRequestFactory(buildHttpComponentsClientHttpRequestFactory(args));
>     // The GET that produced the stack trace in the wire log (response type assumed here)
>     System.out.println(restTemplate.getForEntity(args[0], String.class).getStatusCode());
>   }
> 
>   private static HttpComponentsClientHttpRequestFactory buildHttpComponentsClientHttpRequestFactory(String[] args) {
>     PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
>     cm.setMaxTotal(128);
>     cm.setDefaultMaxPerRoute(24);
>     RequestConfig.Builder requestBuilder = RequestConfig.custom().setConnectTimeout(5000).setSocketTimeout(10000);
>     // Only NTLM and SPNEGO are registered; the server offers NTLM alone (see wire log)
>     Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
>       .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
>       .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory()).build();
>     // NTCredentials(user, password, workstation, domain); AuthScope.ANY offers them to any host that challenges
>     CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
>     credentialsProvider.setCredentials(AuthScope.ANY, new NTCredentials(args[1], args[2], null, args[3]));
>     HttpClientBuilder builder = HttpClientBuilder.create()
>       .setConnectionManager(cm)
>       .setDefaultRequestConfig(requestBuilder.build())
>       .setDefaultAuthSchemeRegistry(authSchemeRegistry)
>       .setDefaultCredentialsProvider(credentialsProvider);
>     return new HttpComponentsClientHttpRequestFactory(builder.build());
>   }
> }
> {code}
> h2. Wire log
> {noformat}
> 23:21:22,983 | RestTemplate                        | Created GET request for "https://ntlm.herokuapp.com"
> 23:21:22,987 | RestTemplate                        | Setting request Accept header to [text/plain, */*]
> 23:21:22,997 | RequestAddCookies                   | CookieSpec selected: default
> 23:21:23,006 | RequestAuthCache                    | Auth cache not set in the context
> 23:21:23,007 | PoolingHttpClientConnectionManager  | Connection request: [route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 0; route allocated: 0 of 24; total allocated: 0 of 128]
> 23:21:23,029 | PoolingHttpClientConnectionManager  | Connection leased: [id: 0][route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 0; route allocated: 1 of 24; total allocated: 1 of 128]
> 23:21:23,031 | MainClientExec                      | Opening connection {s}->https://ntlm.herokuapp.com:443
> 23:21:23,299 | DefaultHttpClientConnectionOperator | Connecting to ntlm.herokuapp.com/54.235.146.123:443
> 23:21:23,299 | SSLConnectionSocketFactory          | Connecting socket to ntlm.herokuapp.com/54.235.146.123:443 with timeout 5000
> 23:21:23,581 | SSLConnectionSocketFactory          | Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
> 23:21:23,582 | SSLConnectionSocketFactory          | Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> 23:21:23,582 | SSLConnectionSocketFactory          | Starting handshake
> 23:21:23,989 | SSLConnectionSocketFactory          | Secure session established
> 23:21:23,989 | SSLConnectionSocketFactory          |  negotiated protocol: TLSv1.2
> 23:21:23,989 | SSLConnectionSocketFactory          |  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 23:21:23,990 | SSLConnectionSocketFactory          |  peer principal: CN=*.herokuapp.com, O="Heroku, Inc.", L=San Francisco, ST=California, C=US
> 23:21:23,990 | SSLConnectionSocketFactory          |  peer alternative names: [*.herokuapp.com, herokuapp.com]
> 23:21:23,990 | SSLConnectionSocketFactory          |  issuer principal: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
> 23:21:23,994 | DefaultHttpClientConnectionOperator | Connection established 172.19.1.229:63526<->54.235.146.123:443
> 23:21:23,994 | DefaultManagedHttpClientConnection  | http-outgoing-0: set socket timeout to 10000
> 23:21:23,994 | MainClientExec                      | Executing request GET / HTTP/1.1
> 23:21:23,995 | MainClientExec                      | Target auth state: UNCHALLENGED
> 23:21:23,995 | MainClientExec                      | Proxy auth state: UNCHALLENGED
> 23:21:23,996 | headers                             | http-outgoing-0 >> GET / HTTP/1.1
> 23:21:23,996 | headers                             | http-outgoing-0 >> Accept: text/plain, */*
> 23:21:23,996 | headers                             | http-outgoing-0 >> Host: ntlm.herokuapp.com
> 23:21:23,996 | headers                             | http-outgoing-0 >> Connection: Keep-Alive
> 23:21:23,996 | headers                             | http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
> 23:21:23,996 | headers                             | http-outgoing-0 >> Accept-Encoding: gzip,deflate
> 23:21:23,996 | wire                                | http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
> 23:21:23,996 | wire                                | http-outgoing-0 >> "Accept: text/plain, */*[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "Host: ntlm.herokuapp.com[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
> 23:21:23,997 | wire                                | http-outgoing-0 >> "[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "HTTP/1.1 401 Unauthorized [\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Connection: keep-alive[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Www-Authenticate: NTLM[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Date: Thu, 16 Nov 2017 22:20:57 GMT[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Content-Length: 0[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "Via: 1.1 vegur[\r][\n]"
> 23:21:24,174 | wire                                | http-outgoing-0 << "[\r][\n]"
> 23:21:24,177 | headers                             | http-outgoing-0 << HTTP/1.1 401 Unauthorized
> 23:21:24,177 | headers                             | http-outgoing-0 << Connection: keep-alive
> 23:21:24,178 | headers                             | http-outgoing-0 << Www-Authenticate: NTLM
> 23:21:24,178 | headers                             | http-outgoing-0 << Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
> 23:21:24,178 | headers                             | http-outgoing-0 << Date: Thu, 16 Nov 2017 22:20:57 GMT
> 23:21:24,178 | headers                             | http-outgoing-0 << Content-Length: 0
> 23:21:24,178 | headers                             | http-outgoing-0 << Via: 1.1 vegur
> 23:21:24,181 | MainClientExec                      | Connection can be kept alive indefinitely
> 23:21:24,181 | HttpAuthenticator                   | Authentication required
> 23:21:24,183 | HttpAuthenticator                   | ntlm.herokuapp.com:443 requested authentication
> 23:21:24,184 | TargetAuthenticationStrategy        | Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
> 23:21:24,184 | TargetAuthenticationStrategy        | Challenge for Negotiate authentication scheme not available
> 23:21:24,184 | TargetAuthenticationStrategy        | Challenge for Kerberos authentication scheme not available
> 23:21:24,191 | TargetAuthenticationStrategy        | Challenge for Digest authentication scheme not available
> 23:21:24,191 | TargetAuthenticationStrategy        | Challenge for Basic authentication scheme not available
> 23:21:24,191 | HttpAuthenticator                   | Selected authentication options: [NTLM]
> 23:21:24,192 | DefaultManagedHttpClientConnection  | http-outgoing-0: set socket timeout to 10000
> 23:21:24,192 | MainClientExec                      | Executing request GET / HTTP/1.1
> 23:21:24,192 | MainClientExec                      | Target auth state: CHALLENGED
> 23:21:24,192 | HttpAuthenticator                   | Generating response to an authentication challenge using ntlm scheme
> 23:21:24,192 | MainClientExec                      | Proxy auth state: UNCHALLENGED
> 23:21:24,192 | headers                             | http-outgoing-0 >> GET / HTTP/1.1
> 23:21:24,192 | headers                             | http-outgoing-0 >> Accept: text/plain, */*
> 23:21:24,192 | headers                             | http-outgoing-0 >> Host: ntlm.herokuapp.com
> 23:21:24,192 | headers                             | http-outgoing-0 >> Connection: Keep-Alive
> 23:21:24,192 | headers                             | http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
> 23:21:24,192 | headers                             | http-outgoing-0 >> Accept-Encoding: gzip,deflate
> 23:21:24,192 | headers                             | http-outgoing-0 >> Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==
> 23:21:24,193 | wire                                | http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Accept: text/plain, */*[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Host: ntlm.herokuapp.com[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"
> 23:21:24,193 | wire                                | http-outgoing-0 >> "[\r][\n]"
> 23:21:24,367 | wire                                | http-outgoing-0 << "HTTP/1.1 401 Unauthorized [\r][\n]"
> 23:21:24,367 | wire                                | http-outgoing-0 << "Connection: keep-alive[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Www-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Date: Thu, 16 Nov 2017 22:20:58 GMT[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Content-Length: 0[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "Via: 1.1 vegur[\r][\n]"
> 23:21:24,368 | wire                                | http-outgoing-0 << "[\r][\n]"
> 23:21:24,368 | headers                             | http-outgoing-0 << HTTP/1.1 401 Unauthorized
> 23:21:24,368 | headers                             | http-outgoing-0 << Connection: keep-alive
> 23:21:24,368 | headers                             | http-outgoing-0 << Www-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=
> 23:21:24,368 | headers                             | http-outgoing-0 << Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
> 23:21:24,368 | headers                             | http-outgoing-0 << Date: Thu, 16 Nov 2017 22:20:58 GMT
> 23:21:24,368 | headers                             | http-outgoing-0 << Content-Length: 0
> 23:21:24,369 | headers                             | http-outgoing-0 << Via: 1.1 vegur
> 23:21:24,369 | MainClientExec                      | Connection can be kept alive indefinitely
> 23:21:24,369 | HttpAuthenticator                   | Authentication required
> 23:21:24,369 | HttpAuthenticator                   | ntlm.herokuapp.com:443 requested authentication
> 23:21:24,369 | HttpAuthenticator                   | Authorization challenge processed
> 23:21:24,369 | DefaultManagedHttpClientConnection  | http-outgoing-0: set socket timeout to 10000
> 23:21:24,369 | MainClientExec                      | Executing request GET / HTTP/1.1
> 23:21:24,369 | MainClientExec                      | Target auth state: HANDSHAKE
> 23:21:24,370 | HttpAuthenticator                   | NTLM authentication error: NTLM authentication - buffer too small for data item
> 23:21:24,370 | MainClientExec                      | Proxy auth state: UNCHALLENGED
> 23:21:24,371 | headers                             | http-outgoing-0 >> GET / HTTP/1.1
> 23:21:24,371 | headers                             | http-outgoing-0 >> Accept: text/plain, */*
> 23:21:24,371 | headers                             | http-outgoing-0 >> Host: ntlm.herokuapp.com
> 23:21:24,371 | headers                             | http-outgoing-0 >> Connection: Keep-Alive
> 23:21:24,371 | headers                             | http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
> 23:21:24,371 | headers                             | http-outgoing-0 >> Accept-Encoding: gzip,deflate
> 23:21:24,371 | wire                                | http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Accept: text/plain, */*[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Host: ntlm.herokuapp.com[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
> 23:21:24,371 | wire                                | http-outgoing-0 >> "[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "HTTP/1.1 401 Unauthorized [\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Connection: keep-alive[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Www-Authenticate: NTLM[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Date: Thu, 16 Nov 2017 22:20:58 GMT[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Content-Length: 0[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "Via: 1.1 vegur[\r][\n]"
> 23:21:24,562 | wire                                | http-outgoing-0 << "[\r][\n]"
> 23:21:24,562 | headers                             | http-outgoing-0 << HTTP/1.1 401 Unauthorized
> 23:21:24,562 | headers                             | http-outgoing-0 << Connection: keep-alive
> 23:21:24,563 | headers                             | http-outgoing-0 << Www-Authenticate: NTLM
> 23:21:24,563 | headers                             | http-outgoing-0 << Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
> 23:21:24,563 | headers                             | http-outgoing-0 << Date: Thu, 16 Nov 2017 22:20:58 GMT
> 23:21:24,563 | headers                             | http-outgoing-0 << Content-Length: 0
> 23:21:24,563 | headers                             | http-outgoing-0 << Via: 1.1 vegur
> 23:21:24,563 | MainClientExec                      | Connection can be kept alive indefinitely
> 23:21:24,563 | HttpAuthenticator                   | Authentication required
> 23:21:24,563 | HttpAuthenticator                   | ntlm.herokuapp.com:443 requested authentication
> 23:21:24,563 | HttpAuthenticator                   | Authorization challenge processed
> 23:21:24,563 | HttpAuthenticator                   | Authentication failed
> 23:21:24,563 | PoolingHttpClientConnectionManager  | Connection [id: 0][route: {s}->https://ntlm.herokuapp.com:443] can be kept alive indefinitely
> 23:21:24,563 | PoolingHttpClientConnectionManager  | Connection released: [id: 0][route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 1; route allocated: 1 of 24; total allocated: 1 of 128]
> 23:21:24,568 | RestTemplate                        | GET request for "https://ntlm.herokuapp.com" resulted in 401 (Unauthorized); invoking error handler
> 23:21:24,571 | NtlmPrototype                       | Request failed
> org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
>       at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:63) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
>       at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
>       at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
>       at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
>       at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:312) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
>       at NtlmPrototype.issueGetRequest(NtlmPrototype.java:50) [classes/:?]
>       at NtlmPrototype.main(NtlmPrototype.java:32) [classes/:?]
> {noformat}
> h3. Test application
> - use attached ZIP or download from https://frightanic.com/misc/msr-ntlm-prototype.zip (26.7KB)
> - unzip
> - $ mvn package
> - $ java -jar target/ntlm-prototype-1.0-SNAPSHOT.jar https://ntlm.herokuapp.com user pass domain
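
The two NTLM tokens in the wire log above can be decoded to see where "buffer too small for data item" comes from. The Python below is an added example, not code from the issue, from the attached prototype or from HttpClient: it parses the Type 1 message the client sent and the Type 2 challenge the server answered with, and compares a strict security-buffer bounds check (offset + length must lie inside the message even when length is 0) with one that only enforces bounds when the buffer has bytes to copy. The tokens are copied from the log; the strict/tolerant split, the `build_type2` helper and its "HEROKU" target name are assumptions for illustration and do not describe what the attached patch changes.

```python
"""Decode the NTLM Type 1 / Type 2 tokens from the HTTPCLIENT-1881 wire log."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000

# Tokens copied verbatim from the wire log in this issue: the Type 1 message
# HttpClient 4.5.3 put in its Authorization header and the Type 2 challenge
# ntlm.herokuapp.com returned in Www-Authenticate.
TYPE1_TOKEN = "TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw=="
TYPE2_TOKEN = "TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA="


class NtlmParseError(ValueError):
    """Raised for a malformed token (the analogue of NTLMEngineException)."""


def parse_header(token_b64, expected_type, min_length):
    """Base64-decode a token and validate signature, message type and minimum size."""
    msg = base64.b64decode(token_b64)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise NtlmParseError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != expected_type:
        raise NtlmParseError("expected Type %d, got Type %d" % (expected_type, msg_type))
    if len(msg) < min_length:
        raise NtlmParseError("message truncated: %d bytes" % len(msg))
    return msg


def security_buffer(msg, pos):
    """Return the (length, max_length, offset) triple of the security buffer at pos."""
    return struct.unpack_from("<HHI", msg, pos)


def read_security_buffer(msg, pos, strict):
    """Return the bytes a security buffer points at.

    strict=True reproduces a bounds check of the form 'message shorter than
    offset + length', which rejects an empty buffer whose offset lies past the
    end of the message. strict=False only checks bounds when there are bytes
    to copy, so such an empty buffer is accepted as empty; non-empty buffers
    are still bounds-checked either way.
    """
    length, _max_length, offset = security_buffer(msg, pos)
    if (strict or length > 0) and len(msg) < offset + length:
        raise NtlmParseError("buffer too small for data item")
    return msg[offset:offset + length]


def parse_type1(token_b64, strict=True):
    """Parse a Type 1 (negotiate) message: flags, domain, workstation, version."""
    msg = parse_header(token_b64, 1, 32)
    (flags,) = struct.unpack_from("<I", msg, 12)
    result = {
        "length": len(msg),
        "flags": flags,
        "domain_buffer": security_buffer(msg, 16),
        "workstation_buffer": security_buffer(msg, 24),
        "domain": read_security_buffer(msg, 16, strict),
        "workstation": read_security_buffer(msg, 24, strict),
    }
    if flags & NEGOTIATE_VERSION and len(msg) >= 40:
        major, minor, build, _r1, _r2, _r3, revision = struct.unpack_from("<BBHBBBB", msg, 32)
        result["version"] = (major, minor, build, revision)
    return result


def parse_type2(token_b64, strict=True):
    """Parse a Type 2 (challenge) message: target name, flags, 8-byte server challenge."""
    msg = parse_header(token_b64, 2, 32)
    (flags,) = struct.unpack_from("<I", msg, 20)
    return {
        "length": len(msg),
        "target_name_buffer": security_buffer(msg, 12),
        "target_name": read_security_buffer(msg, 12, strict),
        "flags": flags,
        "challenge": msg[24:32],
    }


def strict_check_passes(token_b64):
    """True if a parser with the strict bounds check accepts the Type 2 token."""
    try:
        parse_type2(token_b64, strict=True)
        return True
    except NtlmParseError:
        return False


def build_type2(target_name, challenge, flags=NEGOTIATE_UNICODE):
    """Construct a minimal well-formed Type 2 token (constructed test data, not from the issue)."""
    if len(challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    name = target_name.encode("utf-16-le")
    header = (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 32)
              + struct.pack("<I", flags) + challenge)
    return base64.b64encode(header + name).decode("ascii")


if __name__ == "__main__":
    t1 = parse_type1(TYPE1_TOKEN)
    print("Type 1: %d bytes, flags=0x%08x, domain buffer=%s, workstation buffer=%s, version=%s"
          % (t1["length"], t1["flags"], t1["domain_buffer"], t1["workstation_buffer"], t1.get("version")))
    t2 = parse_type2(TYPE2_TOKEN, strict=False)
    print("Type 2: %d bytes, target name (len, maxlen, offset)=%s, flags=0x%08x, challenge=%s"
          % (t2["length"], t2["target_name_buffer"], t2["flags"], t2["challenge"].hex()))
    print("strict bounds check accepts the server's Type 2:", strict_check_passes(TYPE2_TOKEN))
```

Running it shows the shape of the problem: the client's own Type 1 is 40 bytes and its empty domain and workstation buffers point at offset 40, so "offset + length" equals the message length and the strict check passes; the server's Type 2 is shorter than 40 bytes yet also points its empty target-name buffer at offset 40, so the same check fails before the flags and challenge are ever read. A tolerant parser should keep the bounds check for non-empty buffers, as `read_security_buffer` does, so that a malformed or hostile challenge still cannot make the client read past the end of the message.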



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
