On Thu December 3 2009 6:16:03 am Pink, Simon (AGCS) wrote:
> I agree it does seem pointless, unfortunately my infrastructure demands
> that I do just this, that is, NTLM over HTTPS.
>
> I _might_ be able to get away with just using NTLM over HTTP so long as it
> does over the wire encryption. I'm not an NTLM expert; can someone confirm
> if JCIFS/NTLM does encrypt ALL messages?

It definitely wouldn't. :-(

> Windows NTLM does 'just work', but it runs using the underlying users
> credentials, and it doesn't run on Linux - so it counts itself out as an
> option unfortunately.

I think your only option is to download the jcifs source and update it to
support HttpsURLConnections. Probably copy:

http://jcifs.samba.org/src/src/jcifs/http/NtlmHttpURLConnection.java

to an HTTPS variant and override (and pass through) the various HTTPS related
methods and update

http://jcifs.samba.org/src/src/jcifs/http/Handler.java

openConnection method to return the https version if it's an https connection.
Nothing major, but not something we at Apache can do since jcifs is LGPL.
Then submit it all back to jcifs as an enhancement.

The OTHER alternative would be to find all the places in CXF where we need
to assume it's a HttpsURLConnection and, if it's not, use reflection to see
if there is a "connection" field that IS an HttpsURLConnection and use that.
The four places I know of are:

org.apache.cxf.transport.https.HttpsURLConnectionFactory
org.apache.cxf.transport.https.HttpsURLConnectionInfo
org.apache.cxf.transport.https.CertConstraintsInterceptor
org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider

The last two could probably just check some other flag (like even the URL)
on the message and avoid the instanceof.

Patches to accomplish all that would be welcome. :-)

Dan

> -----Original Message-----
> Subject: Re: Using CXF with NTLM authentication as well as SSL/HTTPS
>
> You would probably need to log a bug with jcifs.
>
> That said, I expect they are going to say something along the lines of NTLM
> with SSL/HTTPS is completely redundant and not worth supporting. With
> SSL/HTTPS, the channel is already encrypted. Thus, the extra protection
> offered by NTLM is not needed. The NTLM stuff also extracts a
> performance hit due to the handshaking required.
>
> Thus, I would suggest ntlm (or digest) auth for http and just use basic
> auth for https.
>
> The only other alternative that I'm aware of is the NTLM stuff built into
> the JDK on Windows. That PROBABLY "just works" (built into the jdk's
> HttpURLConnection object), but that's obviously windows only.
>
> Dan
>
> On Tue December 1 2009 11:07:09 am Pink, Simon (AGCS) wrote:
> > I cannot seem to get jcifs NTLM working with SSL/HTTPS. I get the
> > following exception:
> >
> > java.lang.NoSuchMethodException
> > <http://java.sun.com/javase/6/docs/api/java/lang/NoSuchMethodException.html>:
> > jcifs.http.NtlmHttpURLConnection.getSSLSocketFactory()
> >
> > In a nutshell, CXF is trying to decorate the
> > javax.net.ssl.HttpsURLConnection.getSSLSocketFactory method - but NTLM
> > has replaced the https connection with its own handler:
> > NtlmHttpURLConnection. The CXF handler doesn't support SSL. Is it
> > actually possible to use both SSL and NTLM using CXF (or any other JAX-WS
> > implementation)?
> >
> > I'm banging my head against a wall at the moment! Any help would be
> > greatly appreciated.
> >
> > Code:
> > I am using the NTLM Authentication
> > <http://cwiki.apache.org/CXF20DOC/client-http-transport-including-ssl-support.html>
> > example almost verbatim, and then used a conduit to allow HTTPS:
> >
> > //Set the jcifs properties
> > jcifs.Config.setProperty("jcifs.smb.client.domain", "my.domain.com");
> > jcifs.Config.setProperty("jcifs.netbios.wins", "my.wins.server.com");
> > jcifs.Config.setProperty("jcifs.smb.client.soTimeout", "300000"); //5 minutes
> > jcifs.Config.setProperty("jcifs.netbios.cachePolicy", "1200"); //20 minutes
> > // jcifs.Config.setProperty("jcifs.smb.client.username", "myNTLogin");
> > // jcifs.Config.setProperty("jcifs.smb.client.password", "secret");
> >
> > //Register the jcifs URL handler to enable NTLM
> > jcifs.Config.registerSmbURLHandler();
> >
> > ClientProxyFactoryBean factory = new ClientProxyFactoryBean(new JaxWsClientFactoryBean());
> >
> > factory.setServiceClass( ListsSoap.class );
> > factory.setAddress( "https://my.service.endpoint.url" );
> > ListsSoap client = (ListsSoap) factory.create();
> > Client proxy = ClientProxy.getClient( client );
> >
> > HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
> > httpClientPolicy.setConnectionTimeout(36000);
> > httpClientPolicy.setAllowChunking(false);
> >
> > HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
> > conduit.setClient(httpClientPolicy);
> > TLSClientParameters tcp = new TLSClientParameters();
> > tcp.setTrustManagers( new TrustManager[]{ new TrustAllX509TrustManager() } );
> > conduit.setTlsClientParameters( tcp );
> >
> > GetListCollectionResult col = client.getListCollection();
> > System.out.println(col);
> --
> Daniel Kulp
> [email protected]
> http://www.dankulp.com/blog
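The reflective fallback Dan describes (when the handler has wrapped the real connection, look for a "connection" field holding the HttpsURLConnection so the TLS parameters and certificate constraints can still be applied to it), as an added Java sketch that is not CXF or jcifs code. The class name HttpsConnectionUnwrapper and the depth limit are assumptions; the field name "connection" is the one Dan suggests.

```java
import java.lang.reflect.Field;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;

/**
 * Hypothetical helper (not CXF code): finds the HttpsURLConnection that a
 * URL handler such as jcifs' NtlmHttpURLConnection may have wrapped, so the
 * places that need an HttpsURLConnection (TLS factory, connection info,
 * certificate constraints) can operate on the real TLS connection.
 */
public final class HttpsConnectionUnwrapper {

    private HttpsConnectionUnwrapper() {}

    /** Returns the underlying HttpsURLConnection, or null if none is reachable. */
    public static HttpsURLConnection unwrap(URLConnection conn) {
        URLConnection current = conn;
        // Assumed bound on wrapping depth so a self-referencing handler cannot loop.
        for (int depth = 0; current != null && depth < 4; depth++) {
            if (current instanceof HttpsURLConnection) {
                return (HttpsURLConnection) current;
            }
            current = innerConnection(current);
        }
        return null;
    }

    /** Reads a field named "connection" (Dan's suggested name) by reflection. */
    private static URLConnection innerConnection(URLConnection outer) {
        for (Class<?> c = outer.getClass(); c != null; c = c.getSuperclass()) {
            try {
                Field f = c.getDeclaredField("connection");
                f.setAccessible(true);
                Object inner = f.get(outer);
                return inner instanceof URLConnection ? (URLConnection) inner : null;
            } catch (NoSuchFieldException e) {
                // not declared on this class; keep walking up the hierarchy
            } catch (ReflectiveOperationException | RuntimeException e) {
                return null; // inaccessible field: treat as "no HTTPS connection found"
            }
        }
        return null;
    }

    /** True only for an https URL whose real HttpsURLConnection could be located. */
    public static boolean canApplyTls(URLConnection conn) {
        return "https".equalsIgnoreCase(conn.getURL().getProtocol()) && unwrap(conn) != null;
    }
}
```

When canApplyTls returns false for an https URL, the TLS parameters and certificate constraints configured on the conduit have nothing to attach to, which is the situation the NoSuchMethodException above reports.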
