I looked more into this and I found AXIS2-4318 from 2012 which states the reason for dropping the support of those features below.
Keep in mind that Axis2 1.6.x was the era of commons-httpclient 3.x. While 4.x is currently in our trunk, these next several days I will be upgrading to 5.x so anything we do here needs to work with the latest Apache httpclient release.

https://issues.apache.org/jira/browse/AXIS2-4318

3) drop authenticator preemptive authentication support

Preemptive authentication is considered unsecure and is strongly discouraged. Moreover the code found in examples: http://hc.apache.org/httpcomponents-client/examples.html is no longer officially supported. Which means that we should drop preemptive authentication support from the trunk; alternatively we can allow a number of pluggable mechanisms to allow users to enable preemptive auth. The user would have to provide HttpRequestInterceptor and HttpResponseInterceptor implementations as well as a means to properties to configure a BasicHttpContext for use with the HttpClient.

As a workaround/alternative the user could fully initialize its own AbstractHttpClient instance and pass it through the existing CACHED_HTTP_CLIENT option.

On Wed, Feb 7, 2024 at 5:48 AM Luis Silva <luis.gc.si...@redshift.pt.invalid> wrote:

> Hi Robert,
>
> All help is welcome. If necessary, I’m available to help with testing.
>
> Best Regards,
> Luis Silva
>
> *From:* robertlazarski <robertlazar...@gmail.com>
> *Sent:* Wednesday, 7 February 2024 15:29
> *To:* java-user@axis.apache.org
> *Subject:* Re: [Axis2] - Problem with authentication Negotiate
>
> It might take me a few days to look at this but I can probably help.
>
> I'm about to make commits that upgrade Axis2 from httpclient 4.x to 5.x
> for the next release and this feature will need to be fixed for that too.
>
> On Wed, Feb 7, 2024 at 4:32 AM Luis Silva <luis.gc.si...@redshift.pt.invalid> wrote:
>
> Hi,
>
> I’m having a problem upgrading one application that uses axis2 version
> 1.6.0 to the 1.8.2 version.
>
> The situation is that I’m trying to connect to one IIS webservice from a
> Linux server, and the IIS uses Negotiate authentication. In version
> 1.6.0 it’s working using a custom class to handle the request.
>
> I tried to upgrade the client part to use axis2 1.8.2 but there are changes
> in Axis in the HttpTransportProperties class, which now doesn’t have
> Authenticator. I’m trying to use the HttpTransportPropertiesImpl class but
> it’s not working.
>
> Using HttpTransportPropertiesImpl I can’t use the custom class that
> handles the Negotiate authentication. I’m going to expose the situation
> using the code.
>
> This is the code using axis2 1.6.0, and using wsdl2java to create the stub:
>
>     ProfilesStub stub = new ProfilesStub(wsURL); // Stub created by wsdl2java
>     System.setProperty("java.security.auth.login.config", kbr5LoginConfigFile);
>     System.setProperty("java.security.krb5.conf", kbr5ConfigFile);
>     System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>
>     System.setProperty("sun.security.krb5.debug", "true");
>     System.setProperty("sun.security.jgss.debug", "true");
>     System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig");
>
>     AuthPolicy.unregisterAuthScheme("BASIC");
>     AuthPolicy.unregisterAuthScheme("DIGEST");
>     AuthPolicy.unregisterAuthScheme("NTLM");
>
>     ArrayList authSchemes = new ArrayList();
>     if ( AuthSchemeId.equals("Negotiate") ) // <-- I’m using AuthSchemeId=Negotiate
>     {
>         AuthPolicy.registerAuthScheme("Negotiate", NegotiateSchemeCustom.class); // <-- the custom class that handles the Negotiate authentication
>         authSchemes.add("Negotiate");
>     }
>     else
>     {
>         if ( AuthSchemeId.equals("Kerberos") )
>         {
>             AuthPolicy.registerAuthScheme("Kerberos", KerberosSchemeCustom.class);
>             authSchemes.add("Kerberos");
>         }
>         else
>             throw new Exception("Invalid authentication scheme '" + (AuthSchemeId == null ? "(null)" : AuthSchemeId) + "'");
>     }
>
>     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>     auth.setDomain(userDomain);
>     auth.setHost((new URL(wsURL)).getHost());
>     java.util.Properties properties = new java.util.Properties();
>     // absolute from the classpath
>     String configFileName = "wsURL.config";
>     try
>     {
>         properties.load(new java.io.FileInputStream(configFileName));
>     }
>     catch ( Exception exception )
>     {
>         System.out.println("ERROR oppening file " + configFileName + "--");
>         System.out.println("EX:" + exception.getMessage() +"--");
>     }
>     String username = properties.getProperty("username");
>     String password = properties.getProperty("password");
>
>     auth.setUsername(username);
>     auth.setPassword(password);
>
>     auth.setAuthSchemes(authSchemes);
>
>     HttpParams params = DefaultHttpParams.getDefaultParams();
>     params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authSchemes);
>
>     Options options = stub._getServiceClient().getOptions();
>     options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
>     options.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE);
>     options.setProperty(org.apache.axis2.transport.http.HTTPConstants.REUSE_HTTP_CLIENT, "true");
>
>     stub._getServiceClient().setOptions(options);
>
>     GetUserInfo userInfo = GetUserInfo.Factory.newInstance(); // GetUserInfo class created by wsdl2java
>     userInfo.setSUserName(userName);
>     userInfo.setSDomain(domain);
>     userInfo.setSApplication(application);
>
>     GetUserInfoDocument getUserInfoDocument = GetUserInfoDocument.Factory.newInstance(); // GetUserInfoDocument class created by wsdl2java
>
>     getUserInfoDocument.setGetUserInfo(userInfo);
>
>     GetUserInfoResponseDocument response = stub.getUserInfo(getUserInfoDocument); // getUserInfo method to invoke, GetUserInfoResponseDocument class created by wsdl2java
>     String userData = response.getGetUserInfoResponse().getGetUserInfoResult().toString();
>
> And using trace on the NegotiateSchemeCustom.class I confirm that this
> class is used.
>
> In the class:
>
>     public NegotiateSchemeCustom () {
>         super();
>         state = UNINITIATED;
>         System.out.println("Created NegotiateSchemeCustom()");
>     }
>
> The output:
>
>     Jan 31, 2024 5:09:09 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
>     INFO: negotiate authentication scheme selected
>     Created NegotiateSchemeCustom()
>
> And the invocation is successful.
>
> But when I try using the 1.8.2 version:
>
>     ProfilesStub stub = new ProfilesStub(wsURL); // Stub created by wsdl2java version 1.8.2
>     System.setProperty("java.security.auth.login.config", kbr5LoginConfigFile);
>     System.setProperty("java.security.krb5.conf", kbr5ConfigFile);
>     System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>
>     System.setProperty("sun.security.krb5.debug", "true");
>     System.setProperty("sun.security.jgss.debug", "true");
>     System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig");
>
>     AuthPolicy.unregisterAuthScheme("BASIC");
>     AuthPolicy.unregisterAuthScheme("DIGEST");
>     AuthPolicy.unregisterAuthScheme("NTLM");
>
>     ArrayList authSchemes = new ArrayList();
>     if ( AuthSchemeId.equals("Negotiate") ) // <-- I’m using AuthSchemeId=Negotiate
>     {
>         AuthPolicy.registerAuthScheme("Negotiate", NegotiateSchemeCustom.class); // <-- the custom class that handles the Negotiate authentication, same as the 1.6.0
>         authSchemes.add("Negotiate");
>     }
>     else
>     {
>         if ( AuthSchemeId.equals("Kerberos") )
>         {
>             AuthPolicy.registerAuthScheme("Kerberos", KerberosSchemeCustom.class);
>             authSchemes.add("Kerberos");
>         }
>         else
>             throw new Exception("Invalid authentication scheme '" + (AuthSchemeId == null ? "(null)" : AuthSchemeId) + "'");
>     }
>
>     HttpTransportPropertiesImpl.Authenticator auth = new HttpTransportPropertiesImpl.Authenticator(); // <-- Using HttpTransportPropertiesImpl that has Authenticator
>     auth.setDomain(userDomain);
>     auth.setHost((new URL(wsURL)).getHost());
>     java.util.Properties properties = new java.util.Properties();
>     // absolute from the classpath
>     String configFileName = "wsURL.config";
>     try
>     {
>         properties.load(new java.io.FileInputStream(configFileName));
>     }
>     catch ( Exception exception )
>     {
>         System.out.println("ERROR oppening file " + configFileName + "--");
>         System.out.println("EX:" + exception.getMessage() +"--");
>     }
>     String username = properties.getProperty("username");
>     String password = properties.getProperty("password");
>
>     auth.setUsername(username);
>     auth.setPassword(password);
>
>     auth.setAuthSchemes(authSchemes);
>
>     HttpParams params = DefaultHttpParams.getDefaultParams();
>     params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authSchemes);
>
>     Options options = stub._getServiceClient().getOptions();
>     options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
>     options.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE);
>     options.setProperty(org.apache.axis2.transport.http.HTTPConstants.REUSE_HTTP_CLIENT, "true");
>
>     stub._getServiceClient().setOptions(options);
>
>     GetUserInfo userInfo = GetUserInfo.Factory.newInstance(); // GetUserInfo class created by wsdl2java
>     userInfo.setSUserName(userName);
>     userInfo.setSDomain(domain);
>     userInfo.setSApplication(application);
>
>     GetUserInfoDocument getUserInfoDocument = GetUserInfoDocument.Factory.newInstance(); // GetUserInfoDocument class created by wsdl2java
>
>     getUserInfoDocument.setGetUserInfo(userInfo);
>
>     GetUserInfoResponseDocument response = stub.getUserInfo(getUserInfoDocument); // getUserInfo method to invoke, GetUserInfoResponseDocument class created by wsdl2java
>     String userData = response.getGetUserInfoResponse().getGetUserInfoResult().toString();
>
> My problems started. The first is with HttpTransportPropertiesImpl: it does
> not recognize the Negotiate schema.
>
> I checked the code and when the method getAuthPolicyPref of the
> Authenticator class of the HttpTransportPropertiesImpl is called with
> Negotiate it returns null.
>
> Here is part of the code of
> axis2-1.8.2\modules\transport\http\src\org\apache\axis2\transport\http\impl\httpclient4\HttpTransportPropertiesImpl.java
>
>     @Override
>     public Object getAuthPolicyPref(String scheme) {
>         if (BASIC.equals(scheme)) {
>             return AuthPolicy.BASIC;
>         } else if (NTLM.equals(scheme)) {
>             return AuthPolicy.NTLM;
>         } else if (DIGEST.equals(scheme)) {
>             return AuthPolicy.DIGEST;
>         }
>         return null;
>     }
>
> There is no Negotiate so it returns null and in the
> AuthenticationStrategyImpl select method it causes an exception below,
> because id is null:
>
>     for (final String id: authPrefs) {
>         final Header challenge = challenges.get(id.toLowerCase(Locale.ROOT));
>
> My solution to this was to create a custom
> HttpTransportPropertiesImplCustom that includes Negotiate and Kerberos.
>
> This is my custom class.
>
>     public class HttpTransportPropertiesImplCustom extends HttpTransportProperties {
>
>         protected HttpVersion httpVersion;
>
>         @Override
>         public void setHttpVersion(Object httpVerion) {
>             this.httpVersion = (HttpVersion) httpVerion;
>         }
>
>         @Override
>         public Object getHttpVersion() {
>             return this.httpVersion;
>         }
>
>         public static class Authenticator extends HTTPAuthenticator {
>
>             private int port = -1;
>             private String realm = null;
>
>             public static final String NTLM = "NTLM";
>             public static final String DIGEST = "Digest";
>             public static final String BASIC = "Basic";
>             public static final String SPNEGO = "Negotiate";
>             public static final String KERBEROS = "Kerberos";
>
>             public int getPort() {
>                 return port;
>             }
>
>             public void setPort(int port) {
>                 this.port = port;
>             }
>
>             public String getRealm() {
>                 return realm;
>             }
>
>             public void setRealm(String realm) {
>                 this.realm = realm;
>             }
>
>             @Override
>             public Object getAuthPolicyPref(String scheme) {
>                 if (BASIC.equals(scheme)) {
>                     return "Basic";
>                 } else if (NTLM.equals(scheme)) {
>                     return "NTLM";
>                 } else if (DIGEST.equals(scheme)) {
>                     return "Digest";
>                 }
>                 else if (SPNEGO.equals(scheme)) {
>                     return "Negotiate";
>                 }
>                 else if (KERBEROS.equals(scheme)) {
>                     return "Kerberos";
>                 }
>                 return null;
>             }
>         }
>
>     }
>
> With this now I have a valid schema for Negotiate but still can’t invoke
> my custom class. Debugging I see that the class used when the schema is
> Negotiate is SPNegoScheme of the package org.apache.http.impl.auth. It
> ignores my NegotiateSchemeCustom.class.
>
> I also tried to create a custom SPNegoScheme with the code of
> NegotiateSchemeCustom.class but have other problems.
>
> But instead of trying to use this solution why my custom class
> NegotiateSchemeCustom.class isn’t used as the schema for Negotiate?
>
> Am I missing some new configuration?
>
> Any help/suggestion is appreciated.
>
> Best Regards,
> Luis Silva
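
Added example, not part of the thread and not code from the Axis2 project: Apache HttpClient 4.x looks up authentication schemes in a per-client `Registry<AuthSchemeProvider>` rather than in the static `AuthPolicy` registry of commons-httpclient 3.x used in the quoted code. The sketch below builds a 4.x client that answers only Negotiate challenges; the class name `NegotiateOnlyClient` and the `serviceHost` parameter are hypothetical, and how Axis2 1.8.2 treats a client supplied this way is an assumption the thread does not settle.

```java
import java.security.Principal;
import java.util.Collections;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Hypothetical helper class; requires httpclient 4.x on the classpath.
public final class NegotiateOnlyClient {

    public static CloseableHttpClient build(String serviceHost) {
        // Per-client scheme registry. Only Negotiate is present, so a Basic,
        // Digest or NTLM challenge from the server cannot be answered.
        // A custom scheme would be registered here through its own AuthSchemeProvider.
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)) // true: strip port from the SPN
                .build();

        // Placeholder credentials: with javax.security.auth.useSubjectCredsOnly=false
        // the Kerberos ticket is obtained by JGSS/JAAS, not from this object.
        Credentials fromJaas = new Credentials() {
            @Override public Principal getUserPrincipal() { return null; }
            @Override public String getPassword() { return null; }
        };
        // Scope the credentials to the one service host and the Negotiate scheme.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(serviceHost, AuthScope.ANY_PORT,
                AuthScope.ANY_REALM, AuthSchemes.SPNEGO), fromJaas);

        RequestConfig config = RequestConfig.custom()
                .setTargetPreferredAuthSchemes(Collections.singletonList(AuthSchemes.SPNEGO))
                .build();

        return HttpClients.custom()
                .setDefaultAuthSchemeRegistry(schemes)
                .setDefaultCredentialsProvider(creds)
                .setDefaultRequestConfig(config)
                .build();
    }
}
```

Leaving Basic, Digest and NTLM out of the registry has the same effect as the `unregisterAuthScheme` calls in the 1.6.0 code: the client cannot be downgraded to a weaker scheme by the server's challenge list.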