Hi Robert, Thanks for your response, I’m going to take a look on the option using cached_http_client, but I will wait for the upcoming 5.x release to implement my upgrade.
Thanks again, Luis Silva From: robertlazarski <robertlazar...@gmail.com> Sent: Saturday, 17 February 2024 01:00 To: java-user@axis.apache.org Subject: Re: [Axis2] - Problem with authentication Negotiate To further clarify, see the example using CACHED_HTTP_CLIENT below; however that example is going to change slightly soon for httpclient 5.x. https://axis.apache.org/axis2/java/core/docs/http-transport.html On Fri, Feb 16, 2024 at 2:57 PM robertlazarski <robertlazar...@gmail.com<mailto:robertlazar...@gmail.com>> wrote: I looked more into this and I found AXIS2-4318 from 2012 which states the reason for dropping the support of those features below. Keep in mind that Axis2 1.6.x was the era of commons-httpclient 3.x. While 4.x is currently in our trunk, these next several days I will be upgrading to 5.x so anything we do here needs to work with the latest Apache httpclient release. https://issues.apache.org/jira/browse/AXIS2-4318 3) drop authenticator preemptive authentication support Preemptive authentication is considered unsecure and is strongly discouraged. Moreover the code found in examples: http://hc.apache.org/httpcomponents-client/examples.html is no longer officially supported. Which means that we should drop preemptive authentication support from the trunk; alternatively we can allow a number of pluggable mechanisms to allow users to enable preemptive auth. The user would have to provide HttpRequestInterceptor and HttpResponseInterceptor implementations as well as a means to properties to configure a BasicHttpContext for use with the HttpClient. As a workaround/alternative the user could fully initialize it's own AbstractHttpClient instance and pass it through the existing CACHED_HTTP_CLIENT option. On Wed, Feb 7, 2024 at 5:48 AM Luis Silva <luis.gc.si...@redshift.pt.invalid<mailto:luis.gc.si...@redshift.pt.invalid>> wrote: Hi Robert, All help is welcome. If necessary, I’m available to help with testing. Best Regard’s, Luis Silva From: robertlazarski <robertlazar...@gmail.com<mailto:robertlazar...@gmail.com>> Sent: Wednesday, 7 February 2024 15:29 To: java-user@axis.apache.org<mailto:java-user@axis.apache.org> Subject: Re: [Axis2] - Problem with authentication Negotiate It might take me a few days to look at this but I can probably help. I'm about to make commits that upgrade Axis2 from httpclient 4.x to 5.x for the next release and this feature will need to be fixed for that too. On Wed, Feb 7, 2024 at 4:32 AM Luis Silva <luis.gc.si...@redshift.pt.invalid<mailto:luis.gc.si...@redshift.pt.invalid>> wrote: Hi, I’m having a problem upgrading one application that uses axis2 version 1.6.0 to the 1.8.2 version. The situation is that I’m trying to connect to one IIS webservice from a linux server, and the IIS use in the authentication Negotiate. In version 1.6.0 its working using a custom class to handle the request. I try to upgrade the client part to use axis2 1.8.2 but there are changes on axis in HttpTransportProperties class that now doesn’t have Authenticator. I’m trying to use the HttpTransportPropertiesImpl class but it’s not working. Using HttpTransportPropertiesImpl I can’t use the custom class that handles the Negotiate authentication. I’m going to expose the situation using the code. This is the code using axis2 1.6.0, and using wsdl2java to create the stub ProfilesStub stub = new ProfilesStub(wsURL); // Stub created by wsdl2java System.setProperty("java.security.auth.login.config", kbr5LoginConfigFile); System.setProperty("java.security.krb5.conf", kbr5ConfigFile); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); System.setProperty("sun.security.krb5.debug", "true"); System.setProperty("sun.security.jgss.debug", "true"); System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig"); AuthPolicy.unregisterAuthScheme("BASIC"); AuthPolicy.unregisterAuthScheme("DIGEST"); AuthPolicy.unregisterAuthScheme("NTLM"); ArrayList authSchemes = new ArrayList(); if ( AuthSchemeId.equals("Negotiate") ) // <-- I’m using AuthSchemeId=Negotiate { AuthPolicy.registerAuthScheme("Negotiate", NegotiateSchemeCustom.class); //<-- the custom class that handles the Negotiate authentication authSchemes.add("Negotiate"); } else { if ( AuthSchemeId.equals("Kerberos") ) { AuthPolicy.registerAuthScheme("Kerberos", KerberosSchemeCustom.class); authSchemes.add("Kerberos"); } else throw new Exception("Invalid authentication scheme '" + (AuthSchemeId == null ? "(null)" : AuthSchemeId) + "'"); } HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator(); auth.setDomain(userDomain); auth.setHost((new URL(wsURL)).getHost()); java.util.Properties properties = new java.util.Properties(); // absolute from the classpath String configFileName = "wsURL.config"; try { properties.load(new java.io.FileInputStream(configFileName)); } catch ( Exception exception ) { System.out.println("ERROR oppening file " + configFileName + "--"); System.out.println("EX:" + exception.getMessage() +"--"); } String username = properties.getProperty("username"); String password = properties.getProperty("password"); auth.setUsername(username); auth.setPassword(password); auth.setAuthSchemes(authSchemes); HttpParams params = DefaultHttpParams.getDefaultParams(); params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authSchemes); Options options = stub._getServiceClient().getOptions(); options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth); options.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE); options.setProperty(org.apache.axis2.transport.http.HTTPConstants.REUSE_HTTP_CLIENT, "true"); stub._getServiceClient().setOptions(options); GetUserInfo userInfo = GetUserInfo.Factory.newInstance(); // GetUserInfo class created by wsdl2java userInfo.setSUserName(userName); userInfo.setSDomain(domain); userInfo.setSApplication(application); GetUserInfoDocument getUserInfoDocument = GetUserInfoDocument.Factory.newInstance();// GetUserInfoDocument class created by wsdl2java getUserInfoDocument.setGetUserInfo(userInfo); GetUserInfoResponseDocument response = stub.getUserInfo(getUserInfoDocument); // getUserInfo method to invoke, GetUserInfoResponseDocument class created by wsdl2java String userData = response.getGetUserInfoResponse().getGetUserInfoResult().toString(); And using trace on the NegotiateSchemeCustom.class I confirm that this class is used In the class public NegotiateSchemeCustom () { super(); state = UNINITIATED; System.out.println("Created NegotiateSchemeCustom()"); } The output Jan 31, 2024 5:09:09 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: negotiate authentication scheme selected Created NegotiateSchemeCustom() And the invocation is successful. But when I try using 1.8.2 version ProfilesStub stub = new ProfilesStub(wsURL); // Stub created by wsdl2java version 1.8.2 System.setProperty("java.security.auth.login.config", kbr5LoginConfigFile); System.setProperty("java.security.krb5.conf", kbr5ConfigFile); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); System.setProperty("sun.security.krb5.debug", "true"); System.setProperty("sun.security.jgss.debug", "true"); System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig"); AuthPolicy.unregisterAuthScheme("BASIC"); AuthPolicy.unregisterAuthScheme("DIGEST"); AuthPolicy.unregisterAuthScheme("NTLM"); ArrayList authSchemes = new ArrayList(); if ( AuthSchemeId.equals("Negotiate") ) // <-- I’m using AuthSchemeId=Negotiate { AuthPolicy.registerAuthScheme("Negotiate", NegotiateSchemeCustom.class); //<-- the custom class that handles the Negotiate authentication, same as the 1.6.0 authSchemes.add("Negotiate"); } else { if ( AuthSchemeId.equals("Kerberos") ) { AuthPolicy.registerAuthScheme("Kerberos", KerberosSchemeCustom.class); authSchemes.add("Kerberos"); } else throw new Exception("Invalid authentication scheme '" + (AuthSchemeId == null ? "(null)" : AuthSchemeId) + "'"); } HttpTransportPropertiesImpl.Authenticator auth = new HttpTransportPropertiesImpl.Authenticator(); // <-- Using HttpTransportPropertiesImpl that has Authenticator auth.setDomain(userDomain); auth.setHost((new URL(wsURL)).getHost()); java.util.Properties properties = new java.util.Properties(); // absolute from the classpath String configFileName = "wsURL.config"; try { properties.load(new java.io.FileInputStream(configFileName)); } catch ( Exception exception ) { System.out.println("ERROR oppening file " + configFileName + "--"); System.out.println("EX:" + exception.getMessage() +"--"); } String username = properties.getProperty("username"); String password = properties.getProperty("password"); auth.setUsername(username); auth.setPassword(password); auth.setAuthSchemes(authSchemes); HttpParams params = DefaultHttpParams.getDefaultParams(); params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authSchemes); Options options = stub._getServiceClient().getOptions(); options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth); options.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE); options.setProperty(org.apache.axis2.transport.http.HTTPConstants.REUSE_HTTP_CLIENT, "true"); stub._getServiceClient().setOptions(options); GetUserInfo userInfo = GetUserInfo.Factory.newInstance(); // GetUserInfo class created by wsdl2java userInfo.setSUserName(userName); userInfo.setSDomain(domain); userInfo.setSApplication(application); GetUserInfoDocument getUserInfoDocument = GetUserInfoDocument.Factory.newInstance();// GetUserInfoDocument class created by wsdl2java getUserInfoDocument.setGetUserInfo(userInfo); GetUserInfoResponseDocument response = stub.getUserInfo(getUserInfoDocument); // getUserInfo method to invoke, GetUserInfoResponseDocument class created by wsdl2java String userData = response.getGetUserInfoResponse().getGetUserInfoResult().toString(); My problems started, first is with HttpTransportPropertiesImpl, it does not recognizes Negotiate schema. I checked the code and when the method getAuthPolicyPref of the Authenticator class of the HttpTransportPropertiesImpl is called with Negotiate its returns null. Where is part of the code of axis2-1.8.2\modules\transport\http\src\org\apache\axis2\transport\http\impl\httpclient4\HttpTransportPropertiesImpl.java @Override public Object getAuthPolicyPref(String scheme) { if (BASIC.equals(scheme)) { return AuthPolicy.BASIC; } else if (NTLM.equals(scheme)) { return AuthPolicy.NTLM; } else if (DIGEST.equals(scheme)) { return AuthPolicy.DIGEST; } return null; } There is no Negotiate so it returns null and in the AuthenticationStrategyImpl select method it causes one exception bellow, because id is null for (final String id: authPrefs) { final Header challenge = challenges.get(id.toLowerCase(Locale.ROOT)); My solution to this was to create a custom HttpTransportPropertiesImplCustom that includes Negotiate and Kerberos This is my custom class. public class HttpTransportPropertiesImplCustom extends HttpTransportProperties { protected HttpVersion httpVersion; @Override public void setHttpVersion(Object httpVerion) { this.httpVersion = (HttpVersion) httpVerion; } @Override public Object getHttpVersion() { return this.httpVersion; } public static class Authenticator extends HTTPAuthenticator { private int port = -1; private String realm = null; public static final String NTLM = "NTLM"; public static final String DIGEST = "Digest"; public static final String BASIC = "Basic"; public static final String SPNEGO = "Negotiate"; public static final String KERBEROS = "Kerberos"; public int getPort() { return port; } public void setPort(int port) { this.port = port; } public String getRealm() { return realm; } public void setRealm(String realm) { this.realm = realm; } @Override public Object getAuthPolicyPref(String scheme) { if (BASIC.equals(scheme)) { return "Basic"; } else if (NTLM.equals(scheme)) { return "NTLM"; } else if (DIGEST.equals(scheme)) { return "Digest"; } else if (SPNEGO.equals(scheme)) { return "Negotiate"; } else if (KERBEROS.equals(scheme)) { return "Kerberos"; } return null; } } } With this now I have a valid schema for Negotiate but still can’t invoke my custom class. Debugging I see that the class used when the schema is Negotiate is SPNegoScheme of the package org.apache.http.impl.auth. It ignores my NegotiateSchemeCustom.class I also tried to create a custom SPNegoScheme with the code of NegotiateSchemeCustom.class but have other problems. But instead of trying to use this solution why my custom class NegotiateSchemeCustom.class isn’t used as the schema for Negotiate? I’m I missing some new configuration? Any help/suggestion is appreciated . Best Regards, Luis Silva
