|
5
|
1 NTLM support in HttpClient 4.x
|
|
|
2 ==============================
|
|
|
3
|
|
|
4 Currently HttpClient 4.0 does not provide support for the NTLM authentication
|
|
|
5 scheme out of the box and probably never will. The reasons for that are legal
|
|
|
6 rather than technical.
|
|
|
7
|
|
|
8 Background
|
|
|
9 ==========
|
|
|
10 NTLM is a proprietary authentication scheme developed by Microsoft and
|
|
|
11 optimized for Windows operating system.
|
|
|
12
|
|
|
13 Until year 2008 there was no official, publicly available, complete
|
|
|
14 documentation of the protocol. Unofficial 3rd party protocol descriptions
|
|
|
15 existed [1] as a result of reverse-engineering efforts. It was not really
|
|
|
16 known whether the protocol based on the reverse-engineering were complete
|
|
|
17 or even correct.
|
|
|
18
|
|
|
19 Microsoft published MS-NLMP [2] and MS-NTHT [3] specifications in February
|
|
|
20 2008 as a part of its Interoperability Principles initiative [4].
|
|
|
21 Unfortunately, it is still not entirely clear whether NTLM encryption
|
|
|
22 algorithms are covered by any patents held by Microsoft, which would make
|
|
|
23 commercial users of open-source NTLM implementations liable for the use of
|
|
|
24 Microsoft intellectual property.
|
|
|
25
|
|
|
26 Enabling NTLM support in HttpClient 4.x
|
|
|
27 =======================================
|
|
|
28 The good news is HttpClient is fully NTLM capable right out of the box.
|
|
|
29 HttpClient ships with the NTLM authentication scheme, which, if configured
|
|
|
30 to use an external NTLM engine, can handle NTLM challenges and authenticate
|
|
|
31 against NTLM servers.
|
|
|
32
|
|
|
33 -----------------------------------------------------------
|
|
|
34 public interface NTLMEngine {
|
|
|
35
|
|
|
36 String generateType1Msg(
|
|
|
37 String domain,
|
|
|
38 String workstation) throws NTLMEngineException;
|
|
|
39
|
|
|
40 String generateType3Msg(
|
|
|
41 String username,
|
|
|
42 String password,
|
|
|
43 String domain,
|
|
|
44 String workstation,
|
|
|
45 String challenge) throws NTLMEngineException;
|
|
|
46
|
|
|
47 }
|
|
|
48 -----------------------------------------------------------
|
|
|
49
|
|
|
50 Using Samba JCIFS as an NTLM engine
|
|
|
51 ===================================
|
|
|
52 Follow these instructions to build an NTLMEngine implementation using JCIFS
|
|
|
53 library
|
|
|
54
|
|
|
55 =========== !!!! DISCLAIMER !!!! ===========
|
|
|
56 HttpComponents project DOES _NOT_ SUPPORT the code provided below. Use it as
|
|
|
57 is at your own discretion.
|
|
|
58
|
|
|
59 * Download the latest jcifs library from the Samba web site [5]
|
|
|
60 * Implement NTLMEngine interface
|
|
|
61 -----------------------------------------------------------
|
|
|
62 import jcifs.ntlmssp.Type1Message;
|
|
|
63 import jcifs.ntlmssp.Type2Message;
|
|
|
64 import jcifs.ntlmssp.Type3Message;
|
|
|
65 import jcifs.util.Base64;
|
|
|
66
|
|
|
67 import org.apache.http.impl.auth.NTLMEngine;
|
|
|
68 import org.apache.http.impl.auth.NTLMEngineException;
|
|
|
69
|
|
|
70 public class JCIFSEngine implements NTLMEngine {
|
|
|
71
|
|
|
72 public String generateType1Msg(
|
|
|
73 String domain,
|
|
|
74 String workstation) throws NTLMEngineException {
|
|
|
75
|
|
|
76 Type1Message t1m = new Type1Message(
|
|
|
77 Type1Message.getDefaultFlags(),
|
|
|
78 domain,
|
|
|
79 workstation);
|
|
|
80 return Base64.encode(t1m.toByteArray());
|
|
|
81 }
|
|
|
82
|
|
|
83 public String generateType3Msg(
|
|
|
84 String username,
|
|
|
85 String password,
|
|
|
86 String domain,
|
|
|
87 String workstation,
|
|
|
88 String challenge) throws NTLMEngineException {
|
|
|
89 Type2Message t2m;
|
|
|
90 try {
|
|
|
91 t2m = new Type2Message(Base64.decode(challenge));
|
|
|
92 } catch (IOException ex) {
|
|
|
93 throw new NTLMEngineException("Invalid Type2 message", ex);
|
|
|
94 }
|
|
|
95 Type3Message t3m = new Type3Message(
|
|
|
96 t2m,
|
|
|
97 password,
|
|
|
98 domain,
|
|
|
99 username,
|
|
|
100 workstation);
|
|
|
101 return Base64.encode(t3m.toByteArray());
|
|
|
102 }
|
|
|
103
|
|
|
104 }
|
|
|
105 -----------------------------------------------------------
|
|
|
106 * Implement AuthSchemeFactory interface
|
|
|
107 -----------------------------------------------------------
|
|
|
108 import org.apache.http.auth.AuthScheme;
|
|
|
109 import org.apache.http.auth.AuthSchemeFactory;
|
|
|
110 import org.apache.http.impl.auth.NTLMScheme;
|
|
|
111 import org.apache.http.params.HttpParams;
|
|
|
112
|
|
|
113 public class NTLMSchemeFactory implements AuthSchemeFactory {
|
|
|
114
|
|
|
115 public AuthScheme newInstance(final HttpParams params) {
|
|
|
116 return new NTLMScheme(new JCIFSEngine());
|
|
|
117 }
|
|
|
118
|
|
|
119 }
|
|
|
120 -----------------------------------------------------------
|
|
|
121 * Register NTLMSchemeFactory with the HttpClient instance you want to NTLM
|
|
|
122 enable.
|
|
|
123 -----------------------------------------------------------
|
|
|
124 httpclient.getAuthSchemes().register("ntlm", new NTLMSchemeFactory());
|
|
|
125 -----------------------------------------------------------
|
|
|
126 * Set NTCredentials for the web server you are going to access.
|
|
|
127 -----------------------------------------------------------
|
|
|
128 httpclient.getCredentialsProvider().setCredentials(
|
|
|
129 new AuthScope("myserver", -1),
|
|
|
130 new NTCredentials("username", "password", "MYSERVER", "MYDOMAIN"));
|
|
|
131 -----------------------------------------------------------
|
|
|
132 * You are done.
|
|
|
133
|
|
|
134
|
|
|
135 Why this code is not distributed with HttpClient
|
|
|
136 ================================================
|
|
|
137 JCIFS is licensed under the Lesser General Public License (LGPL). This license
|
|
|
138 is not compatible with the Apache Licenses under which all Apache Software is
|
|
|
139 released. Lawyers of the Apache Software Foundation are currently investigating
|
|
|
140 under which conditions Apache software is allowed to make use of LGPL software.
|
|
|
141
|
|
|
142 -----------------------------------------------------------
|
|
|
143 [1] http://davenport.sourceforge.net/ntlm.html
|
|
|
144 [2] http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf
|
|
|
145 [3] http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NTHT%5D.pdf
|
|
|
146 [4] http://www.microsoft.com/interop/principles/default.mspx
|
|
|
147 [5] http://jcifs.samba.org/
|
