Hi Robert,

Thanks for your response. I’m going to take a look at the option using 
cached_http_client, but I will wait for the upcoming 5.x release to implement 
my upgrade.

Thanks again,
Luis Silva

From: robertlazarski <robertlazar...@gmail.com>
Sent: Saturday, 17 February 2024 01:00
To: java-user@axis.apache.org
Subject: Re: [Axis2] - Problem with authentication Negotiate

To further clarify, see the example using CACHED_HTTP_CLIENT below; however 
that example is going to change slightly soon for httpclient 5.x.

https://axis.apache.org/axis2/java/core/docs/http-transport.html

On Fri, Feb 16, 2024 at 2:57 PM robertlazarski 
<robertlazar...@gmail.com> wrote:
I looked more into this and I found AXIS2-4318 from 2012 which states the 
reason for dropping the support of those features below.

Keep in mind that Axis2 1.6.x was the era of commons-httpclient 3.x. While 4.x 
is currently in our trunk, these next several days I will be upgrading to 5.x 
so anything we do here needs to work with the latest Apache httpclient release.

https://issues.apache.org/jira/browse/AXIS2-4318

3) drop authenticator preemptive authentication support

Preemptive authentication is considered unsecure and is strongly discouraged. 
Moreover the code found in examples: 
http://hc.apache.org/httpcomponents-client/examples.html is no longer 
officially supported. Which means that we should drop preemptive authentication 
support from the trunk; alternatively we can allow a number of pluggable 
mechanisms to allow users to enable preemptive auth. The user would have to 
provide HttpRequestInterceptor and HttpResponseInterceptor implementations as 
well as a means to properties to configure a BasicHttpContext for use with the 
HttpClient. As a workaround/alternative the user could fully initialize its 
own AbstractHttpClient instance and pass it through the existing 
CACHED_HTTP_CLIENT option.

On Wed, Feb 7, 2024 at 5:48 AM Luis Silva 
<luis.gc.si...@redshift.pt.invalid> wrote:
Hi Robert,

All help is welcome. If necessary, I’m available to help with testing.

Best Regards,
Luis Silva


From: robertlazarski <robertlazar...@gmail.com>
Sent: Wednesday, 7 February 2024 15:29
To: java-user@axis.apache.org
Subject: Re: [Axis2] - Problem with authentication Negotiate

It might take me a few days to look at this but I can probably help.


I'm about to make commits that upgrade Axis2 from httpclient 4.x to 5.x for the 
next release and this feature will need to be fixed for that too.

On Wed, Feb 7, 2024 at 4:32 AM Luis Silva 
<luis.gc.si...@redshift.pt.invalid> wrote:
Hi,

I’m having a problem upgrading an application that uses axis2 version 1.6.0 to 
version 1.8.2.
The situation is that I’m trying to connect to an IIS web service from a Linux 
server, and IIS uses Negotiate authentication. In version 1.6.0 it’s working, 
using a custom class to handle the request.
I tried to upgrade the client part to use axis2 1.8.2, but there are changes in 
axis in the HttpTransportProperties class, which no longer has Authenticator. 
I’m trying to use the HttpTransportPropertiesImpl class but it’s not working.
Using HttpTransportPropertiesImpl I can’t use the custom class that handles the 
Negotiate authentication. I’m going to show the situation using the code.

This is the code using axis2 1.6.0, with the stub created by wsdl2java:

ProfilesStub stub = new ProfilesStub(wsURL);  // Stub created by wsdl2java
System.setProperty("java.security.auth.login.config", kbr5LoginConfigFile);
System.setProperty("java.security.krb5.conf", kbr5ConfigFile);
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");
System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig");

AuthPolicy.unregisterAuthScheme("BASIC");
AuthPolicy.unregisterAuthScheme("DIGEST");
AuthPolicy.unregisterAuthScheme("NTLM");

ArrayList authSchemes = new ArrayList();
if ( AuthSchemeId.equals("Negotiate") )  // <-- I’m using AuthSchemeId=Negotiate
{
    // <-- the custom class that handles the Negotiate authentication
    AuthPolicy.registerAuthScheme("Negotiate", NegotiateSchemeCustom.class);
    authSchemes.add("Negotiate");
}
else
{
    if ( AuthSchemeId.equals("Kerberos") )
    {
        AuthPolicy.registerAuthScheme("Kerberos", KerberosSchemeCustom.class);
        authSchemes.add("Kerberos");
    }
    else
        throw new Exception("Invalid authentication scheme '" +
            (AuthSchemeId == null ? "(null)" : AuthSchemeId) + "'");
}

HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
auth.setDomain(userDomain);
auth.setHost((new URL(wsURL)).getHost());
java.util.Properties properties = new java.util.Properties();
// absolute from the classpath
String configFileName = "wsURL.config";
try
{
    properties.load(new java.io.FileInputStream(configFileName));
}
catch ( Exception exception )
{
    System.out.println("ERROR oppening file " + configFileName + "--");
    System.out.println("EX:" + exception.getMessage() +"--");
}
String username = properties.getProperty("username");
String password = properties.getProperty("password");

auth.setUsername(username);
auth.setPassword(password);

auth.setAuthSchemes(authSchemes);

HttpParams params = DefaultHttpParams.getDefaultParams();
params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authSchemes);

Options options = stub._getServiceClient().getOptions();
options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
options.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE);
options.setProperty(org.apache.axis2.transport.http.HTTPConstants.REUSE_HTTP_CLIENT, "true");

stub._getServiceClient().setOptions(options);

// GetUserInfo class created by wsdl2java
GetUserInfo userInfo = GetUserInfo.Factory.newInstance();
userInfo.setSUserName(userName);
userInfo.setSDomain(domain);
userInfo.setSApplication(application);

// GetUserInfoDocument class created by wsdl2java
GetUserInfoDocument getUserInfoDocument = GetUserInfoDocument.Factory.newInstance();

getUserInfoDocument.setGetUserInfo(userInfo);

// getUserInfo method to invoke, GetUserInfoResponseDocument class created by wsdl2java
GetUserInfoResponseDocument response = stub.getUserInfo(getUserInfoDocument);
String userData = response.getGetUserInfoResponse().getGetUserInfoResult().toString();

And using trace in NegotiateSchemeCustom.class I confirm that this class is 
used.
In the class:
    public NegotiateSchemeCustom () {
        super();
        state = UNINITIATED;
        System.out.println("Created NegotiateSchemeCustom()");
    }

The output:
Jan 31, 2024 5:09:09 PM 
org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: negotiate authentication scheme selected
Created NegotiateSchemeCustom()

And the invocation is successful.

But when I try using version 1.8.2:

ProfilesStub stub = new ProfilesStub(wsURL);  // Stub created by wsdl2java version 1.8.2
System.setProperty("java.security.auth.login.config", kbr5LoginConfigFile);
System.setProperty("java.security.krb5.conf", kbr5ConfigFile);
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");
System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig");

AuthPolicy.unregisterAuthScheme("BASIC");
AuthPolicy.unregisterAuthScheme("DIGEST");
AuthPolicy.unregisterAuthScheme("NTLM");

ArrayList authSchemes = new ArrayList();
if ( AuthSchemeId.equals("Negotiate") )  // <-- I’m using AuthSchemeId=Negotiate
{
    // <-- the custom class that handles the Negotiate authentication, same as the 1.6.0
    AuthPolicy.registerAuthScheme("Negotiate", NegotiateSchemeCustom.class);
    authSchemes.add("Negotiate");
}
else
{
    if ( AuthSchemeId.equals("Kerberos") )
    {
        AuthPolicy.registerAuthScheme("Kerberos", KerberosSchemeCustom.class);
        authSchemes.add("Kerberos");
    }
    else
        throw new Exception("Invalid authentication scheme '" +
            (AuthSchemeId == null ? "(null)" : AuthSchemeId) + "'");
}

// <-- Using HttpTransportPropertiesImpl that has Authenticator
HttpTransportPropertiesImpl.Authenticator auth = new HttpTransportPropertiesImpl.Authenticator();
auth.setDomain(userDomain);
auth.setHost((new URL(wsURL)).getHost());
java.util.Properties properties = new java.util.Properties();
// absolute from the classpath
String configFileName = "wsURL.config";
try
{
    properties.load(new java.io.FileInputStream(configFileName));
}
catch ( Exception exception )
{
    System.out.println("ERROR oppening file " + configFileName + "--");
    System.out.println("EX:" + exception.getMessage() +"--");
}
String username = properties.getProperty("username");
String password = properties.getProperty("password");

auth.setUsername(username);
auth.setPassword(password);

auth.setAuthSchemes(authSchemes);

HttpParams params = DefaultHttpParams.getDefaultParams();
params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authSchemes);

Options options = stub._getServiceClient().getOptions();
options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
options.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE);
options.setProperty(org.apache.axis2.transport.http.HTTPConstants.REUSE_HTTP_CLIENT, "true");

stub._getServiceClient().setOptions(options);

// GetUserInfo class created by wsdl2java
GetUserInfo userInfo = GetUserInfo.Factory.newInstance();
userInfo.setSUserName(userName);
userInfo.setSDomain(domain);
userInfo.setSApplication(application);

// GetUserInfoDocument class created by wsdl2java
GetUserInfoDocument getUserInfoDocument = GetUserInfoDocument.Factory.newInstance();

getUserInfoDocument.setGetUserInfo(userInfo);

// getUserInfo method to invoke, GetUserInfoResponseDocument class created by wsdl2java
GetUserInfoResponseDocument response = stub.getUserInfo(getUserInfoDocument);
String userData = response.getGetUserInfoResponse().getGetUserInfoResult().toString();

My problems started here. The first is with HttpTransportPropertiesImpl: it 
does not recognize the Negotiate scheme.
I checked the code, and when the method getAuthPolicyPref of the Authenticator 
class of HttpTransportPropertiesImpl is called with Negotiate it returns null.
Here is part of the code of 
axis2-1.8.2\modules\transport\http\src\org\apache\axis2\transport\http\impl\httpclient4\HttpTransportPropertiesImpl.java
        @Override
        public Object getAuthPolicyPref(String scheme) {
            if (BASIC.equals(scheme)) {
                return AuthPolicy.BASIC;
            } else if (NTLM.equals(scheme)) {
                return AuthPolicy.NTLM;
            } else if (DIGEST.equals(scheme)) {
                return AuthPolicy.DIGEST;
            }
            return null;
        }
There is no Negotiate, so it returns null, and in the AuthenticationStrategyImpl 
select method it causes an exception at the code below, because id is null:
        for (final String id: authPrefs) {
            final Header challenge = challenges.get(id.toLowerCase(Locale.ROOT));

My solution to this was to create a custom HttpTransportPropertiesImplCustom 
that includes Negotiate and Kerberos.
This is my custom class:
public class HttpTransportPropertiesImplCustom extends HttpTransportProperties {

    protected HttpVersion httpVersion;

    @Override
    public void setHttpVersion(Object httpVerion) {
        this.httpVersion = (HttpVersion) httpVerion;
    }

    @Override
    public Object getHttpVersion() {
        return this.httpVersion;
    }

    public static class Authenticator extends HTTPAuthenticator {

        private int port = -1;
        private String realm = null;

        public static final String NTLM = "NTLM";
        public static final String DIGEST = "Digest";
        public static final String BASIC = "Basic";
        public static final String SPNEGO = "Negotiate";
        public static final String KERBEROS = "Kerberos";

        public int getPort() {
            return port;
        }

        public void setPort(int port) {
            this.port = port;
        }

        public String getRealm() {
            return realm;
        }

        public void setRealm(String realm) {
            this.realm = realm;
        }

        @Override
        public Object getAuthPolicyPref(String scheme) {
            if (BASIC.equals(scheme)) {
                return "Basic";
            } else if (NTLM.equals(scheme)) {
                return "NTLM";
            } else if (DIGEST.equals(scheme)) {
                return "Digest";
            }
            else if (SPNEGO.equals(scheme)) {
                return "Negotiate";
            }
            else if (KERBEROS.equals(scheme)) {
                return "Kerberos";
            }
            return null;
        }
    }

}

With this I now have a valid scheme for Negotiate but still can’t invoke my 
custom class. Debugging, I see that the class used when the scheme is Negotiate 
is SPNegoScheme of the package org.apache.http.impl.auth. It ignores my 
NegotiateSchemeCustom.class.
I also tried to create a custom SPNegoScheme with the code of 
NegotiateSchemeCustom.class but had other problems.
But instead of trying to use this solution, why isn’t my custom class 
NegotiateSchemeCustom.class used as the scheme for Negotiate?
Am I missing some new configuration?

Any help/suggestion is appreciated.

Best Regards,
Luis Silva
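
Added example (not part of the original thread and not Axis2 project code): the CACHED_HTTP_CLIENT workaround quoted from AXIS2-4318, sketched for HttpClient 4.x, where auth schemes are looked up in a Registry<AuthSchemeProvider> given to the client builder rather than in the static AuthPolicy registry of commons-httpclient 3.x. The class and method names are hypothetical, the HTTPConstants package is the one used in the code above, and a custom Negotiate implementation would have to be supplied as a 4.x AuthSchemeProvider.

```java
import java.security.Principal;
import org.apache.axis2.client.Options;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

// Hypothetical helper, written for this example only.
public final class NegotiateClientSetup {

    // Builds an HttpClient 4.x instance that can answer only Negotiate challenges.
    public static CloseableHttpClient build(String host, AuthSchemeProvider negotiate) {
        // Only Negotiate is registered, so a Basic, Digest or NTLM challenge is
        // never answered: the 4.x counterpart of the unregisterAuthScheme
        // calls in the 1.6.0 code.
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, negotiate)
                .build();

        // Placeholder credentials: with useSubjectCredsOnly=false the Kerberos
        // ticket comes from the JAAS/krb5 configuration, not from this object.
        // The entry is scoped to the one target host.
        Credentials jaas = new Credentials() {
            @Override public Principal getUserPrincipal() { return null; }
            @Override public String getPassword() { return null; }
        };
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(host, AuthScope.ANY_PORT), jaas);

        return HttpClientBuilder.create()
                .setDefaultAuthSchemeRegistry(schemes)
                .setDefaultCredentialsProvider(creds)
                .build();
    }

    // Hands the pre-configured client to Axis2 through CACHED_HTTP_CLIENT.
    public static void install(Options options, String host) {
        CloseableHttpClient client = build(host, new SPNegoSchemeFactory(true));
        options.setProperty(
                org.apache.axis2.transport.http.HTTPConstants.CACHED_HTTP_CLIENT, client);
    }
}
```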
