On Tue, 2019-07-16 at 16:21 +0200, Kirill wrote:
> Dear HttpClient Users Group,
> 
> 
> Is it possible to make NTLM Authentication using only the HttpClient
> library (without the httpclient-win library) which will work
> independently of whether it is running on Windows or Linux?
> 

Of course, it is. It is the default mode of operation supported by
HttpClient and recommended by the project.

Cheers

Oleg

> Best regards,
> Kirill
> 
> 
> 
> *From:* Oleg Kalnichevski <ol...@apache.org>
> 
> *Sent:* Wednesday, 10 July 2019 15:49
> *To:* HttpClient User Discussion
> *Subject:* Re: NTLM Authentication fails
> 
> 
> 
> On Mon, 2019-07-08 at 09:27 +0000, Kirill Rajbhandary wrote:
> > Dear HttpClient Support List,
> > 
> > I found out that when trying to make NTLM Authentication using the
> > httpclient-win-4.5.6.jar library it relies on
> > CurrentWindowsCredentials instead of using the credentials provided
> > in WindowsCredentialsProvider, which seems to be incorrect for the
> > case when the web container (Tomcat in my case) is running as a
> > service under another "Local System" user on a Windows machine. It
> > retrieves an incorrect username which is not authorized to pass NTLM
> > authentication and gets a 401 Unauthorized error. Besides, if the web
> > container (Tomcat in my case) is running inside a Docker Linux
> > container it does not work at all because the user specified inside
> > the Docker container is completely different from the Windows one. I
> > suppose that in the WindowsNegotiateScheme.authenticate() method the
> > implementation below should not rely on CurrentWindowsCredentials and
> > throw an exception but has to use the credentials specified in
> > WindowsCredentialsProvider.
> > 
> >     if (clientCred == null) {
> >         // ?? We don't use the credentials, should we allow anything?
> >         if (!(credentials instanceof CurrentWindowsCredentials)) {
> >             throw new InvalidCredentialsException(
> >                     "Credentials cannot be used for " + getSchemeName() + " authentication: "
> >                     + credentials.getClass().getName());
> >         }
> > 
> > 
> > Also WindowsCredentialsProvider should not use instance of
> > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use
> > provider.getCredentials(authscope) one:
> > 
> >     public Credentials getCredentials(final AuthScope authscope) {
> >         final String scheme = authscope.getScheme();
> >         if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) || AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) {
> >             return CurrentWindowsCredentials.INSTANCE;
> >         } else {
> >             return provider.getCredentials(authscope);
> >         }
> >     }
> > 
> > Besides, if the user provides the credentials of another user which
> > is different from the user logged in to the Windows system, the
> > httpclient-win API should not try to get information about the
> > currently logged-in user via the CurrentWindowsCredentials class but
> > has to use the credentials provided in WindowsCredentialsProvider if
> > they are provided. If the credentials are not provided, then it
> > probably makes sense to get the user using CurrentWindowsCredentials.
> > 
> > Here is the code snippet how NTLM authentication was used in my case
> > via httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries:
> > 
> >     HttpClientBuilder clientbuilder = HttpClients.custom();
> >     Registry<AuthSchemeProvider> authSchemeRegistry =
> >             RegistryBuilder.<AuthSchemeProvider>create()
> >                     .register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null))
> >                     .build();
> >     CredentialsProvider windowsCredentialsProvider =
> >             new WindowsCredentialsProvider(new SystemDefaultCredentialsProvider());
> >     windowsCredentialsProvider.setCredentials(AuthScope.ANY,
> >             new NTCredentials("username", "password", "workstation", "domain"));
> >     clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvider);
> >     clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
> > 
> >     RequestConfig.Builder requestBuilder = RequestConfig.custom();
> >     requestBuilder = requestBuilder.setConnectTimeout(connectionTimeout);
> >     requestBuilder = requestBuilder.setConnectionRequestTimeout(connectionTimeout);
> >     clientbuilder.setDefaultRequestConfig(requestBuilder.build());
> >     client = clientbuilder.build();
> > 
> >     HttpGet get = new HttpGet("http://test.url/ntlm");
> >     CloseableHttpResponse response = client.execute(get);
> > 
> > Could you please advise a workaround for the issue and make the
> > corresponding fix if you consider my description as an issue?
> > 
> 
> Hi Kirill
> 
> I am not sure I fully understand your logic here but also admittedly I
> have little idea how things work in Windows these days.
> 
> The HttpClient for Windows is an experimental module and is NOT
> recommended for production use. On a number of occasions we have
> considered dropping Windows specific code altogether.
> 
> However if you contribute a PR with your proposed improvements I will
> happily review them.
> 
> Cheers
> 
> Oleg
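
The platform-independent setup described in the reply at the top of this message, as an added example that is not code from the thread or from the HttpClient project: it uses only the core HttpClient 4.5.x library, whose default scheme registry already includes NTLM, and explicit NTCredentials. The host name, port, account, workstation, domain and the NTLM_PASSWORD environment variable are placeholders assumed for illustration.

```java
import java.util.Collections;

import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class PortableNtlmExample {
    public static void main(String[] args) throws Exception {
        // Placeholder target and secret source (assumptions, not values from the thread).
        String host = "intranet.example.com";
        int port = 443;
        String password = System.getenv("NTLM_PASSWORD"); // keep the secret out of source
        if (password == null) {
            throw new IllegalStateException("NTLM_PASSWORD is not set");
        }

        // Explicit credentials, offered only to this host and port and only for
        // the NTLM scheme, rather than to AuthScope.ANY.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(
                new AuthScope(host, port, AuthScope.ANY_REALM, AuthSchemes.NTLM),
                new NTCredentials("svc-account", password, "WORKSTATION", "EXAMPLEDOMAIN"));

        RequestConfig config = RequestConfig.custom()
                .setConnectTimeout(5000)
                .setConnectionRequestTimeout(5000)
                // Answer only NTLM challenges from the target server.
                .setTargetPreferredAuthSchemes(Collections.singletonList(AuthSchemes.NTLM))
                .build();

        // No custom auth scheme registry and no httpclient-win classes are needed.
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(creds)
                .setDefaultRequestConfig(config)
                .build();
             CloseableHttpResponse response = client.execute(
                     new HttpGet("https://" + host + ":" + port + "/ntlm"))) {
            System.out.println(response.getStatusLine());
            EntityUtils.consume(response.getEntity());
        }
    }
}
```

Because nothing here depends on the identity of the operating-system user, the same code behaves identically under a Windows service account or inside a Linux container.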

