Pierre, Axis2 uses HttpClient 3.x for HTTP transport implementation. If you write a simple HttpClient 3.x based application that opens the protected URL with NTLM authentication with your non-ascii character as password, does it succeed or not? If it succeeds, it's something with axis2's encodings. If it fails, you can take axis2 out of the equation and try the HttpClient mailing lists...
George From: Muller Pierre [mailto:pierre.mul...@gfi.fr] Sent: Monday, July 11, 2011 3:03 AM To: java-user@axis.apache.org Subject: Re: AW: NTLM authentication failed (password with non-latin characters) Hi all, Any idea ?... Cordialement, Pierre Muller Le 29/06/2011 14:17, Muller Pierre a écrit : Thanks Martin. Actually I had a look at the HTTPClient trace : there was this warning "Credential charset not configured, using HTTP element charset". Thus I tried your conf directive and other directives too : stub._getServiceClient().getOptions().setProperty(HTTPConstants.CHAR_SET_ENCODING, new String("utf-16")); stub._getServiceClient().getOptions().setProperty("CHARACTER_SET_ENCODING", new String("utf-16")); DefaultHttpParams.getDefaultParams().setParameter("http.protocol.credential-charset", new String("utf-16")); Only the last one makes the warning disappear, which is good. But I tried several charsets (utf-16,utf-8,iso-8859-1,cp1252), with and without U+00E9 ("myPasswordWithLetter_é" or "myPasswordWithLetter_\u00e9") : no success, I always get the same 401.1 error !! Cordialement, Pierre Muller Le 28/06/2011 17:15, Martin Gainty a écrit : options.setProperty("CHARACTER_SET_ENCODING",new String("UTF-16"); when configuring the text part instead of typing displayable ASCII character é try U+00E9 http://en.wikipedia.org/wiki/ASCII#Unicode Martin Gainty ______________________________________________ Jogi és Bizalmassági kinyilatkoztatás/Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité Ez az üzenet bizalmas. Ha nem ön az akinek szánva volt, akkor kérjük, hogy jelentse azt nekünk vissza. Semmiféle továbbítása vagy másolatának készítése nem megengedett. Ez az üzenet csak ismeret cserét szolgál és semmiféle jogi alkalmazhatósága sincs. Mivel az electronikus üzenetek könnyen megváltoztathatóak, ezért minket semmi felelöség nem terhelhet ezen üzenet tartalma miatt. Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. ________________________________ From: pierre.mul...@gfi.fr<mailto:pierre.mul...@gfi.fr> To: java-user@axis.apache.org<mailto:java-user@axis.apache.org> Date: Tue, 28 Jun 2011 06:21:40 -0700 Subject: Re: AW: NTLM authentication failed (password with non-latin characters) Thanks for the answer. Actually I don't know how axis2 manages its stored-hashed. I can't say what happens to the "é" because I pass the password to HttpTransportProperties.Authenticator and I see it again in TCPMonitor as a NTLM hashed string, in which I can't say how "é" has been used. What is the tool used to generate and store the passwords? What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded -Unicode-string? I pass the password-string to HttpTransportProperties.Authenticator , I don't use any other tool. The password-string is a standard Java String object, which means (in my understanding of the javadoc<http://download.oracle.com/javase/1.5.0/docs/api/java/lang/String.html> ) represented in UTF-16 and which libraries like axis2 should probably handle to take care of encoding issues. Authenticating in a browser with the "é" works correctly (while accessing the WSDL). Authenticating in Outlook also works correctly with this password. The 401 error only occurs with the axis2 client application... Any idea ? Cordialement, Pierre Muller Le 27/06/2011 17:36, Stadelmann Josef a écrit : Somewhere there is a password data base which has stored password-hashes or the like. Lets refer to it as stored-hashes. If the way hashes are generated from passwords, then transferred, then stored by some tool differs from the way hashes are generated, transferred and used toward the hasher by axis2 e all, in example by passing in one or the other direction a Iso-Latin-to-UTF-8 converter in the later case, then the chance is real great that we will never reach a match on the hashes. So what happens to the "é" in sequence? How is it sent from client to server, as UTF-8 or as ISO-LATIN-1? TCP Monitor on a non-hashed transfer can tell you that. What is the tool used to generate and store the passwords? What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded -Unicode-string? As the password generator is potentially a Microsoft one, I would suggest the "hasher" receives a double-byte-encoded-UNICODE-strings for an "é" BUT The axis2-web-service receives potentially a "double-byte-encoded-UTF-8-string" for a single "é" and without converting this 2 bytes to UNICODE prior to passing it to the hasher the hasher will generate something different then what is stored in the password-database and the match fails and results in UNAUTHENTICATED. Josef Von: Muller Pierre [mailto:pierre.mul...@gfi.fr] Gesendet: Montag, 27. Juni 2011 15:03 An: java-user@axis.apache.org<mailto:java-user@axis.apache.org> Betreff: NTLM authentication failed (password with non-latin characters) Hello, I'm working on a web application consuming web services with Axis2. Client classes are generated from a WSDL file with the XMLBeans method. The web services require NTLM authentication, which I set up in my application. Everything's fine, the application works as expected (able to authenticate, able to use services). Except in one case : when the NTLM password contains accents, e.g. "myPasswordWithLetter_é". Does someone know about this, is this a filed bug for Axis2 (I couldn't find anythind on it so far) ? Are there any solutions to bypass it ? Thanks Pierre More detailed information : 1. The services requested are Exchange Web Service ones. Again, it's working fine for passwords without accents. 2. My authentication code is : URL endpoint = new URL(...); HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator(); authenticator.setAuthSchemes(Arrays.asList(HttpTransportProperties.Authenticator.NTLM)); authenticator.setUsername("user"); authenticator.setPassword("myPasswordWithLetter_é"); authenticator.setHost(endpoint.getHost()); authenticator.setPort(endpoint.getPort()!=-1? endpoint.getPort() : endpoint.getProtocol().equalsIgnoreCase("https")? 443 : 80); authenticator.setDomain(conf.getAgendaHttpAuthDomain()); stub._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, authenticator); 3. The password is showing healthy in Java, no encoding problem. 4. TCPMonitor shows similar behaviours with or without accents in the password : 3 POST requests, only the last differing between the expected SOAP response or the "HTTP 401.1 Unauthorized" seen below : Application request Server response POST /EWS/Exchange.asmx HTTP/1.1 Content-Type: text/xml; charset=UTF-8 SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem";<http://schemas.microsoft.com/exchange/services/2006/messages/FindItem> User-Agent: Axis2 Host: vm-iodasxch:8989 Transfer-Encoding: chunked 322 <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope . HTTP/1.1 401 Unauthorized Content-Length: 1897 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM X-Powered-By: ASP.NET Date: Mon, 27 Jun 2011 10:05:06 GMT POST /EWS/Exchange.asmx HTTP/1.1 Content-Type: text/xml; charset=UTF-8 SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem";<http://schemas.microsoft.com/exchange/services/2006/messages/FindItem> User-Agent: Axis2 Transfer-Encoding: chunked Authorization: NTLM TlRMTVNTUAABAAAABlIAAAgACAApAAAACQAJACAAABMT0NBTE hPU1RJT0RBU1hDSA== Host: localhost:8989 322 <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .. HTTP/1.1 401 Unauthorized Content-Length: 1776 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAGAoECgB4YkR3A1OQAAAAAAAA AAM4AzgBAAAAABQLODgAAAA9JT0RBU1hDSAIAEABJAE8ARABBAFMAWABDAEgAAQAWAFY ATQAtAEkATwBEAEEAUwBYAEMASAAEACgAaQBvAGQAYQBzAHgAYwBoAC4AZwBmAGkALgBw AHIAaQB2AGEAdABlAAMAQAB2AG0ALQBpAG8AZABhAHMAeABjAGgALgBpAG8AZABhAHMAeAB jAGgALgBnAGYAaQAuAHAAcgBpAHYAYQB0AGUABQAoAGkAbwBkAGEAcwB4AGMAaAAuAGcAZg BpAC4AcAByAGkAdgBhAHQAZQAAAAAA X-Powered-By: ASP.NET Date: Mon, 27 Jun 2011 10:05:06 GMT POST /EWS/Exchange.asmx HTTP/1.1 Content-Type: text/xml; charset=UTF-8 SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem";<http://schemas.microsoft.com/exchange/services/2006/messages/FindItem> User-Agent: Axis2 Transfer-Encoding: chunked Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU 1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I= Host: localhost:8989 322 <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope . HTTP/1.1 401 Unauthorized Content-Length: 1776 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM X-Powered-By: ASP.NET Date: Mon, 27 Jun 2011 10:05:06 GMT -- Cordialement, Pierre Muller Ce message et toutes les pièces jointes (ci-après le « message ») sont confidentiels et établis à l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse des parties. Si vous recevez ce message par erreur, merci de le détruire sans en conserver de copie et d'en avertir immédiatement l'expéditeur. Internet ne permettant pas de garantir l'intégrité de ce message, le groupe GFI Informatique décline toute responsabilité au titre de ce message s'il a été modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les précautions prises pour éviter la présence de virus dans nos envois, nous vous recommandons de prendre, de votre côté, les mesures permettant d'assurer la non-introduction de virus dans votre système informatique. This email message and any attachments ("the email") are confidential and intended only for the recipient(s) indicated. If you are not an intended recipient, please be advised that any use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior written consent. If you have received this email in error, please delete it without saving a copy and notify the sender immediately. Internet emails are not necessarily secured, and GFI Informatique Group declines responsibility for any changes that may have been made to this email after it was sent. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system. Ce message et toutes les pièces jointes (ci-après le « message ») sont confidentiels et établis à l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse des parties. Si vous recevez ce message par erreur, merci de le détruire sans en conserver de copie et d'en avertir immédiatement l'expéditeur. Internet ne permettant pas de garantir l'intégrité de ce message, le groupe GFI Informatique décline toute responsabilité au titre de ce message s'il a été modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les précautions prises pour éviter la présence de virus dans nos envois, nous vous recommandons de prendre, de votre côté, les mesures permettant d'assurer la non-introduction de virus dans votre système informatique. This email message and any attachments ("the email") are confidential and intended only for the recipient(s) indicated. If you are not an intended recipient, please be advised that any use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior written consent. If you have received this email in error, please delete it without saving a copy and notify the sender immediately. Internet emails are not necessarily secured, and GFI Informatique Group declines responsibility for any changes that may have been made to this email after it was sent. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system. Ce message et toutes les pièces jointes (ci-après le « message ») sont confidentiels et établis à l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse des parties. Si vous recevez ce message par erreur, merci de le détruire sans en conserver de copie et d'en avertir immédiatement l'expéditeur. Internet ne permettant pas de garantir l'intégrité de ce message, le groupe GFI Informatique décline toute responsabilité au titre de ce message s'il a été modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les précautions prises pour éviter la présence de virus dans nos envois, nous vous recommandons de prendre, de votre côté, les mesures permettant d'assurer la non-introduction de virus dans votre système informatique. This email message and any attachments ("the email") are confidential and intended only for the recipient(s) indicated. If you are not an intended recipient, please be advised that any use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior written consent. If you have received this email in error, please delete it without saving a copy and notify the sender immediately. Internet emails are not necessarily secured, and GFI Informatique Group declines responsibility for any changes that may have been made to this email after it was sent. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system. Ce message et toutes les pièces jointes (ci-après le « message ») sont confidentiels et établis à l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse des parties. Si vous recevez ce message par erreur, merci de le détruire sans en conserver de copie et d'en avertir immédiatement l'expéditeur. Internet ne permettant pas de garantir l'intégrité de ce message, le groupe GFI Informatique décline toute responsabilité au titre de ce message s'il a été modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les précautions prises pour éviter la présence de virus dans nos envois, nous vous recommandons de prendre, de votre côté, les mesures permettant d'assurer la non-introduction de virus dans votre système informatique. This email message and any attachments ("the email") are confidential and intended only for the recipient(s) indicated. If you are not an intended recipient, please be advised that any use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior written consent. If you have received this email in error, please delete it without saving a copy and notify the sender immediately. Internet emails are not necessarily secured, and GFI Informatique Group declines responsibility for any changes that may have been made to this email after it was sent. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system.
