Thanks for the answer.

Actually I don't know how axis2 manages its stored-hashes. I can't say what happens to the "é" because I pass the password to HttpTransportProperties.Authenticator and I see it again in TCPMonitor as an NTLM hashed string, in which I can't say how "é" has been used.

> What is the tool used to generate and store the passwords? What does it in fact pass to the hashing algorithm?
> 1. A UTF-8-encoded string, or
> 2. An ISO-LATIN-encoded string, or
> 3. A double-byte-encoded Unicode string?

I pass the password-string to HttpTransportProperties.Authenticator, I don't use any other tool. The password-string is a standard Java String object, which means (in my understanding of the javadoc <http://download.oracle.com/javase/1.5.0/docs/api/java/lang/String.html>) represented in UTF-16 and which libraries like axis2 should probably handle to take care of encoding issues.

Authenticating in a browser with the "é" works correctly (while accessing the WSDL). Authenticating in Outlook also works correctly with this password. The 401 error only occurs with the axis2 client application...

Any idea?

Regards,
Pierre Muller

On 27/06/2011 17:36, Stadelmann Josef wrote:

Somewhere there is a password database which has stored password-hashes or the like. Let's refer to it as stored-hashes.

If the way hashes are generated from passwords, then transferred, then stored by some tool differs from the way hashes are generated, transferred and used toward the hasher by axis2 et al., for example by passing in one or the other direction an ISO-Latin-to-UTF-8 converter in the latter case, then the chance is really great that we will never reach a match on the hashes.

So what happens to the "é" in sequence? How is it sent from client to server, as UTF-8 or as ISO-LATIN-1? TCP Monitor on a non-hashed transfer can tell you that.

What is the tool used to generate and store the passwords? What does it in fact pass to the hashing algorithm?
1. A UTF-8-encoded string, or
2. An ISO-LATIN-encoded string, or
3. A double-byte-encoded Unicode string?

As the password generator is potentially a Microsoft one, I would suggest the "hasher" receives a double-byte-encoded UNICODE string for an "é", BUT the axis2 web service potentially receives a "double-byte-encoded UTF-8 string" for a single "é", and without converting these 2 bytes to UNICODE prior to passing them to the hasher, the hasher will generate something different than what is stored in the password database, and the match fails and results in UNAUTHENTICATED.

Josef

From: Muller Pierre [mailto:pierre.mul...@gfi.fr]
Sent: Monday, 27 June 2011 15:03
To: java-user@axis.apache.org
Subject: NTLM authentication failed (password with non-latin characters)

Hello,

I'm working on a web application consuming web services with Axis2. Client classes are generated from a WSDL file with the XMLBeans method. The web services require NTLM authentication, which I set up in my application. Everything's fine, the application works as expected (able to authenticate, able to use services). Except in one case: when the NTLM password contains accents, e.g. "myPasswordWithLetter_é".

Does someone know about this, is this a filed bug for Axis2 (I couldn't find anything on it so far)? Are there any solutions to bypass it?

Thanks
Pierre

More detailed information:

1. The services requested are Exchange Web Service ones. Again, it's working fine for passwords without accents.

2. My authentication code is:

    URL endpoint = new URL(...);
    HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
    authenticator.setAuthSchemes(Arrays.asList(HttpTransportProperties.Authenticator.NTLM));
    authenticator.setUsername("user");
    authenticator.setPassword("myPasswordWithLetter_é");
    authenticator.setHost(endpoint.getHost());
    // Fall back to the scheme's default port when the URL carries none
    authenticator.setPort(endpoint.getPort() != -1 ? endpoint.getPort()
            : endpoint.getProtocol().equalsIgnoreCase("https") ? 443 : 80);
    authenticator.setDomain(conf.getAgendaHttpAuthDomain());
    stub._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, authenticator);

3. The password is showing healthy in Java, no encoding problem.

4. TCPMonitor shows similar behaviours with or without accents in the password: 3 POST requests, only the last differing between the expected SOAP response or the "HTTP 401.1 Unauthorized" seen below:

Application request:

    POST /EWS/Exchange.asmx HTTP/1.1
    Content-Type: text/xml; charset=UTF-8
    SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
    User-Agent: Axis2
    Host: vm-iodasxch:8989
    Transfer-Encoding: chunked

    322
    <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..

Server response:

    HTTP/1.1 401 Unauthorized
    Content-Length: 1897
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    Date: Mon, 27 Jun 2011 10:05:06 GMT

Application request:

    POST /EWS/Exchange.asmx HTTP/1.1
    Content-Type: text/xml; charset=UTF-8
    SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
    User-Agent: Axis2
    Transfer-Encoding: chunked
    Authorization: NTLM TlRMTVNTUAABAAAABlIAAAgACAApAAAACQAJACAAABMT0NBTE hPU1RJT0RBU1hDSA==
    Host: localhost:8989

    322
    <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..

Server response:

    HTTP/1.1 401 Unauthorized
    Content-Length: 1776
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAGAoECgB4YkR3A1OQAAAAAAAA AAM4AzgBAAAAABQLODgAAAA9JT0RBU1hDSAIAEABJAE8ARABBAFMAWABDAEgAAQAWAFY ATQAtAEkATwBEAEEAUwBYAEMASAAEACgAaQBvAGQAYQBzAHgAYwBoAC4AZwBmAGkALgBw AHIAaQB2AGEAdABlAAMAQAB2AG0ALQBpAG8AZABhAHMAeABjAGgALgBpAG8AZABhAHMAeAB jAGgALgBnAGYAaQAuAHAAcgBpAHYAYQB0AGUABQAoAGkAbwBkAGEAcwB4AGMAaAAuAGcAZg BpAC4AcAByAGkAdgBhAHQAZQAAAAAA
    X-Powered-By: ASP.NET
    Date: Mon, 27 Jun 2011 10:05:06 GMT

Application request:

    POST /EWS/Exchange.asmx HTTP/1.1
    Content-Type: text/xml; charset=UTF-8
    SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
    User-Agent: Axis2
    Transfer-Encoding: chunked
    Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU 1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I=
    Host: localhost:8989

    322
    <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope ..

Server response:

    HTTP/1.1 401 Unauthorized
    Content-Length: 1776
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    Date: Mon, 27 Jun 2011 10:05:06 GMT

--
Regards,
Pierre Muller

This email message and any attachments ("the email") are confidential and intended only for the recipient(s) indicated. If you are not an intended recipient, please be advised that any use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior written consent. If you have received this email in error, please delete it without saving a copy and notify the sender immediately. Internet emails are not necessarily secured, and GFI Informatique Group declines responsibility for any changes that may have been made to this email after it was sent. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system.