On Tue, 2012-03-20 at 15:26 +0000, Thomas Vestergaard wrote: > Hi, > > Just to follow up, I got NTLM proxy to work - atleast partly by using JCIFS > as described on: http://hc.apache.org/httpcomponents-client-ga/ntlm.html >
Unfortunately the default NTLM implementation shipped with HttpClient is not particularly great. As long as you do not mind using LGPL licensed software JCIFS is the way to go. Oleg > However, I still have a number of use-cases, where my implementation fails. > From what I can gather from the logs, it has to do with missing proxy auth of > redirects. (See below.) > > I there something I need to set or override to enable authentication on each > connection rather than request? > Or is it possible to prevent the client from closing the connection between > the two GET's? (Regardless of this problem, it seems wasteful. But I might be > mistaken.) > > Best regards, > Thomas > > [snip - initial GET resulting in 307 Temporary Redirect] > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: > HTTP/1.1 307 Temporary Redirect > DEBUG [org.apache.http.headers] << HTTP/1.1 307 Temporary Redirect > DEBUG [org.apache.http.headers] << Accept-Ranges: bytes > DEBUG [org.apache.http.headers] << Age: 0 > DEBUG [org.apache.http.headers] << Content-Type: application/xml > DEBUG [org.apache.http.headers] << Date: Tue, 20 Mar 2012 14:51:56 GMT > DEBUG [org.apache.http.headers] << Location: > https://partner.com/users/42/info?apiuserid=TNDK > DEBUG [org.apache.http.headers] << Server: Jetty(8.0.0.M2) > DEBUG [org.apache.http.headers] << Via: 1.1 varnish > DEBUG [org.apache.http.headers] << X-Varnish: 1790574415 > DEBUG [org.apache.http.headers] << Content-Length: 0 > DEBUG [org.apache.http.headers] << Connection: keep-alive > DEBUG [org.apache.http.client.protocol.ResponseAuthCache] Caching 'basic' > auth scheme for https://partner.com > DEBUG [org.apache.http.impl.client.DefaultRedirectStrategy] Redirect > requested to location 'https://partner.com/id/users/42/info?apiuserid=TNDK' > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Redirecting to > 'https://partner.com/id/users/42/info?apiuserid=TNDK' via > HttpRoute[{tls}->http://tmgproxy.telenor.dk:8080->https://partner.com] > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Connection closed > DEBUG [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting > to tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.client.protocol.RequestAuthCache] Re-using cached > 'ntlm' auth scheme for http://tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: > CONNECT partner.com:443 HTTP/1.1 > DEBUG [org.apache.http.headers] >> CONNECT partner.com:443 HTTP/1.1 > DEBUG [org.apache.http.headers] >> Host: partner.com > DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive > DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java > 1.5) > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: > HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires > authorization to fulfill the request. Access to the Web Proxy filter is > denied. ) > DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required > ( Forefront TMG requires authorization to fulfill the request. Access to the > Web Proxy filter is denied. ) > DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02 > DEBUG [org.apache.http.headers] << Proxy-Authenticate: Negotiate > DEBUG [org.apache.http.headers] << Proxy-Authenticate: Kerberos > DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM > DEBUG [org.apache.http.headers] << Connection: close > DEBUG [org.apache.http.headers] << Proxy-Connection: close > DEBUG [org.apache.http.headers] << Pragma: no-cache > DEBUG [org.apache.http.headers] << Cache-Control: no-cache > DEBUG [org.apache.http.headers] << Content-Type: text/html > DEBUG [org.apache.http.headers] << Content-Length: 2687 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested > authentication > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge > processed > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: > NTLM <any realm>@tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication failed > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Connection closed > DEBUG [org.apache.http.impl.client.DefaultHttpClient] CONNECT refused by > proxy: HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires > authorization to fulfill the request. Access to the Web Proxy filter is > denied. ) > DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Releasing > connection > org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@1f78040 > > > > -----Oprindelig meddelelse----- > Fra: Thomas Vestergaard [mailto:[email protected]] > Sendt: 20. marts 2012 13:35 > Til: [email protected] > Emne: NTLM proxy authentication > > Hello, > > I am having a problem with getting HttpClient to send requests through a > proxy demanding NTLM authentication, which I understand should be possible. > > My code for trying to accomplish this: > Credentials credentials; > try { > credentials = new NTCredentials(proxyUsername, proxyPassword, > InetAddress.getLocalHost().getHostName(), proxyDomain); > } catch (Exception e) { > throw new SessionException("Unable to create NTLM credentials for > proxy authentication", e); > } > client.getCredentialsProvider().setCredentials(new AuthScope(proxyHostname, > proxyPort), credentials); > > HttpHost proxyHost = new HttpHost(proxyHostname, proxyPort); > client.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxyHost); > > AuthScheme proxyAuthScheme = new > NTLMSchemeFactory().newInstance(client.getParams()); > authCache.put(proxyHost, proxyAuthScheme); > > But I am apparently missing something, since it does not work. > > The authCache is later added to the context used in the execute call. Without > this, I get an error about missing an ini-file - looks like an attempt to use > Kerberos. > The full log of the interaction is pasted below. As can also be seen in the > log, I am using HttpClient v. 4.1.3. > > Best regards, > Telenor > > Thomas Vestergaard > Ekstern konsulent > Technology > Frederikskaj, DK-1780. København V > Tel: +45 52 18 92 18 // e-mail: [email protected]<mailto:[email protected]> > Web: http://www.telenor.dk<http://www.telenor.dk/> > > DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Get connection for > route HttpRoute[{}->http://tmgproxy.telenor.dk:8080->http://hc.apache.org:80] > DEBUG [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting > to tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec > selected: best-match > DEBUG [org.apache.http.client.protocol.RequestAuthCache] Re-using cached > 'ntlm' auth scheme for http://tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 1 to execute > request > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: > GET > http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html > HTTP/1.1 > DEBUG [org.apache.http.headers] >> GET > http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html > HTTP/1.1 > DEBUG [org.apache.http.headers] >> Host: hc.apache.org:80 > DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive > DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java > 1.5) > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: > HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires > authorization to fulfill the request. Access to the Web Proxy filter is > denied. ) > DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required > ( Forefront TMG requires authorization to fulfill the request. Access to the > Web Proxy filter is denied. ) > DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02 > DEBUG [org.apache.http.headers] << Proxy-Authenticate: Negotiate > DEBUG [org.apache.http.headers] << Proxy-Authenticate: Kerberos > DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM > DEBUG [org.apache.http.headers] << Connection: Keep-Alive > DEBUG [org.apache.http.headers] << Proxy-Connection: Keep-Alive > DEBUG [org.apache.http.headers] << Pragma: no-cache > DEBUG [org.apache.http.headers] << Cache-Control: no-cache > DEBUG [org.apache.http.headers] << Content-Type: text/html > DEBUG [org.apache.http.headers] << Content-Length: 3670 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Connection can be kept > alive indefinitely > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested > authentication > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge > processed > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: > NTLM <any realm>@tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec > selected: best-match > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 2 to execute > request > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: > GET > http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html > HTTP/1.1 > DEBUG [org.apache.http.headers] >> GET > http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html > HTTP/1.1 > DEBUG [org.apache.http.headers] >> Host: hc.apache.org:80 > DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive > DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java > 1.5) > DEBUG [org.apache.http.headers] >> Proxy-Authorization: NTLM > TlRMTVNTUAABAAAANQIIIAwADAA8AAAAHAAcACAAAABYAFAARgBFAFAAQwBDAEcARQBUAEgAVgBFAFQAUwBPAE4ARgBPAE4A > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: > HTTP/1.1 407 Proxy Authentication Required ( Access is denied. ) > DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required > ( Access is denied. ) > DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02 > DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM > TlRMTVNTUAACAAAAFgAWADgAAAA1Aoki1+rF8hsocI8AAAAAAAAAALQAtABOAAAABgGxHQAAAA9TAE8ATgBPAEYATwBOAC4ARABPAE0AAgAWAFMATwBOAE8ARgBPAE4ALgBEAE8ATQABABIASQBWAEEAQgBUAE0ARwAwADIABAAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawADADAASQBWAEEAQgBUAE0ARwAwADIALgBpAG4AdAAuAHMAbwBuAG8AZgBvAG4ALgBkAGsABQAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawAHAAgAFOT4DpUGzQEAAAAA > DEBUG [org.apache.http.headers] << Connection: Keep-Alive > DEBUG [org.apache.http.headers] << Proxy-Connection: Keep-Alive > DEBUG [org.apache.http.headers] << Pragma: no-cache > DEBUG [org.apache.http.headers] << Cache-Control: no-cache > DEBUG [org.apache.http.headers] << Content-Type: text/html > DEBUG [org.apache.http.headers] << Content-Length: 0 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Connection can be kept > alive indefinitely > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested > authentication > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge > processed > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: > NTLM <any realm>@tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec > selected: best-match > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 3 to execute > request > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: > GET > http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html > HTTP/1.1 > DEBUG [org.apache.http.headers] >> GET > http://hc.apache.org:80/httpcomponents-client-ga/tutorial/html/authentication.html > HTTP/1.1 > DEBUG [org.apache.http.headers] >> Host: hc.apache.org:80 > DEBUG [org.apache.http.headers] >> Proxy-Connection: Keep-Alive > DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.1.3 (java > 1.5) > DEBUG [org.apache.http.headers] >> Proxy-Authorization: NTLM > TlRMTVNTUAADAAAAGAAYAEAAAADgAOAAWAAAAAwADAA4AQAADgAOAEQBAAAcABwAUgEAAAAAAABuAQAANQIIILz16v88ObGIAyJRwplRA1RHf5V7zloNVnfwJnYZbsCj/uvqTyxBJbgBAQAAAAAAADDtlQ+VBs0BR3+Ve85aDVYAAAAAAgAWAFMATwBOAE8ARgBPAE4ALgBEAE8ATQABABIASQBWAEEAQgBUAE0ARwAwADIABAAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawADADAASQBWAEEAQgBUAE0ARwAwADIALgBpAG4AdAAuAHMAbwBuAG8AZgBvAG4ALgBkAGsABQAcAGkAbgB0AC4AcwBvAG4AbwBmAG8AbgAuAGQAawAHAAgAFOT4DpUGzQEAAAAAUwBPAE4ARgBPAE4AYwBnAGUAdABoAHYAZQBYAFAARgBFAFAAQwBDAEcARQBUAEgAVgBFAFQA > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: > HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires > authorization to fulfill the request. Access to the Web Proxy filter is > denied. ) > DEBUG [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required > ( Forefront TMG requires authorization to fulfill the request. Access to the > Web Proxy filter is denied. ) > DEBUG [org.apache.http.headers] << Via: 1.1 IVABTMG02 > DEBUG [org.apache.http.headers] << Proxy-Authenticate: Negotiate > DEBUG [org.apache.http.headers] << Proxy-Authenticate: Kerberos > DEBUG [org.apache.http.headers] << Proxy-Authenticate: NTLM > DEBUG [org.apache.http.headers] << Connection: close > DEBUG [org.apache.http.headers] << Proxy-Connection: close > DEBUG [org.apache.http.headers] << Pragma: no-cache > DEBUG [org.apache.http.headers] << Cache-Control: no-cache > DEBUG [org.apache.http.headers] << Content-Type: text/html > DEBUG [org.apache.http.headers] << Content-Length: 3670 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Proxy requested > authentication > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authorization challenge > processed > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication scope: > NTLM <any realm>@tmgproxy.telenor.dk:8080 > DEBUG [org.apache.http.impl.client.DefaultHttpClient] Authentication failed > DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Releasing > connection > org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@a9ae05 > DEBUG [org.apache.http.impl.conn.SingleClientConnManager] Released connection > open but not reusable. > DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Connection shut down > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
