I am trying to authenticate against a SOAP webservice using NTLM authentication as mentioned at Apache CXF with stack as following -
Every time I try and connect it refuses with 401 unauthorized access because it uses my underlying NT credentials which are not authorised instead of valid ones that I configured in code. (I had to modify jCIFS as it doesnt support SSL + NTLM to return HTTPs version of NtlmHttpURLConnection). Similar result when used HTTP Async mechanism.
String domainController = "xxx.xxx.xxx";
UniAddress dc = UniAddress.getByName(domainController, true);
jcifs.Config.setProperty("http.auth.ntlm.domain", "xxx.xxx.xxx");
jcifs.Config.setProperty("jcifs.smb.client.domain", "domain");
jcifs.Config.setProperty("jcifs.netbios.wins", dc.getHostAddress());
jcifs.Config.setProperty("jcifs.smb.client.soTimeout", "300000"); // 5 minutes
jcifs.Config.setProperty("jcifs.netbios.cachePolicy", "1200"); // 20 minutes
jcifs.Config.setProperty("jcifs.smb.client.username", USER);
jcifs.Config.setProperty("jcifs.smb.client.password", PWD);
//Register the jcifs URL handler to enable NTLM
jcifs.Config.registerSmbURLHandler();
HelloWorld src = new HelloWorld();
ClientProxyFactoryBean factory = new ClientProxyFactoryBean(new JaxWsClientFactoryBean());
factory.setServiceClass( IHelloWorld.class );
factory.setAddress(SERVICE_URL);
factory.setUsername(USER);
factory.setPassword(PWD);
IHelloWorld service = (IHelloWorld ) factory.create();
Client client = ClientProxy.getClient(service);
HTTPConduit http = (HTTPConduit) client.getConduit();
System.out.println(http.getClass().getName());
//org.apache.cxf.transport.http.URLConnectionHTTPConduit
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(false);
http.setClient(httpClientPolicy);
http.getAuthorization().setAuthorizationType("NTLM");
http.getAuthorization().setUserName(USER);
http.getAuthorization().setPassword(PWD);
http.getClient().setAllowChunking( false );
http.getClient().setAutoRedirect( true );
TLSClientParameters tcp = new TLSClientParameters();
tcp.setTrustManagers( new TrustManager[]{ new TrustAllX509TrustManager() } );
http.setTlsClientParameters( tcp );
System.out.println("Invoking service...");
String msg= "echo";
try {
String res = service.readMessage(msg);
System.out.println("readMessage.result=" + res);
} catch (Exception e) {
e.printStackTrace();
}
Upong running this code I get following exception trace
: domain\ is unauthorized user at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at org.apache.cxf.interceptor.ClientFaultConverter.processFaultDetail(ClientFaultConverter.java:175) at org.apache.cxf.interceptor.ClientFaultConverter.handleMessage(ClientFaultConverter.java:78) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113) at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69) at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:845) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1624) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:632) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) at org.apache.cxf.frontend.ClientProxy.invoke(ClientProxy.java:81) at com.sun.proxy.$Proxy44.readMessage(Unknown Source)
After hours of struggle trying to juggle between JDK 5 stack and other SOAP framework like Axis2 and CXF, I finally manged to do with a raw SOAP client that can pretty much do the job I neeed. Following is code that helped get it done even with custom NT logins than underlying ones.
public final class JCIFSEngine implements NTLMEngine {
private static final int TYPE_1_FLAGS = NtlmFlags.NTLMSSP_NEGOTIATE_56
| NtlmFlags.NTLMSSP_NEGOTIATE_128
| NtlmFlags.NTLMSSP_NEGOTIATE_NTLM2
| NtlmFlags.NTLMSSP_NEGOTIATE_ALWAYS_SIGN
| NtlmFlags.NTLMSSP_REQUEST_TARGET;
public String generateType1Msg(final String domain, final String workstation)
throws NTLMEngineException {
final Type1Message type1Message = new Type1Message(TYPE_1_FLAGS,
domain, workstation);
return Base64.encode(type1Message.toByteArray());
}
public String generateType3Msg(final String username,
final String password, final String domain,
final String workstation, final String challenge)
throws NTLMEngineException {
Type2Message type2Message;
try {
type2Message = new Type2Message(Base64.decode(challenge));
} catch (final IOException exception) {
throw new NTLMEngineException("Invalid NTLM type 2 message",
exception);
}
final int type2Flags = type2Message.getFlags();
final int type3Flags = type2Flags
& (0xffffffff ^ (NtlmFlags.NTLMSSP_TARGET_TYPE_DOMAIN | NtlmFlags.NTLMSSP_TARGET_TYPE_SERVER));
final Type3Message type3Message = new Type3Message(type2Message,
password, domain, username, workstation, type3Flags);
return Base64.encode(type3Message.toByteArray());
}
}
public class JCIFSNTLMSchemeFactory implements AuthSchemeProvider {
public AuthScheme create(final HttpContext context) {
return new NTLMScheme(new JCIFSEngine());
}
}
The use HttpClient object to register custom NTLM Engine and Auth scheme registry -
protected Registry<AuthSchemeProvider> getAuthRegistry() {
Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
.<AuthSchemeProvider> create()
.register(AuthSchemes.NTLM, new JCIFSNTLMSchemeFactory())
.build();
return authSchemeRegistry;
}
protected CredentialsProvider getCredentialsProvider(String user,
String pass, String domain) {
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST,
AuthScope.ANY_PORT, AuthScope.ANY_REALM, AuthSchemes.NTLM),
new NTCredentials(user, pass, null, domain));
return credsProvider;
}
HttpClientBuilder httpClientBuilder = HttpClients.custom();
httpClientBuilder.setDefaultAuthSchemeRegistry(getAuthRegistry());
httpClientBuilder
.setDefaultCredentialsProvider(getCredentialsProvider(
config.getUserName(), config.getPassword(),
config.getDomain()));
if (config.isProxy()) {
HttpHost proxy = new HttpHost(config.getProxyHost(),
config.getPort());
httpClientBuilder.setProxy(proxy);
}
httpClientBuilder.build();
Hope this helps someone with similar issue. Cheers