Proxy Problem - Part 2 NTLM Auth


Daniel Koller

Nov 12, 2008, 2:34:26 AM
to esme...@googlegroups.com

FYI from my experiment to setup ESME company internal

Kind regards,

daniel

---


Good morning,
 
- ESME accepts the proxy information from the properties file; that means the proxy is mentioned in the esme log.
- I meanwhile managed to let Tomcat run under a non-local user to approach the proxy (local users - as far as I know - cannot pass the proxy anyway).
- Now Tomcat tells me that NTLM credentials cannot be used with a Java class called UserPasswordCredentials...
 
#update: I just found this on the Apache pages:
 
"...

There are some significant differences in the way that NTLM works compared with basic and digest authentication. These differences are generally handled by HttpClient, however having an understanding of these differences can help avoid problems when using NTLM authentication.

  1. NTLM authentication works almost exactly the same as any other form of authentication in terms of the HttpClient API. The only difference is that you need to supply 'NTCredentials' instead of 'UsernamePasswordCredentials' (NTCredentials actually extends UsernamePasswordCredentials so you can use NTCredentials right throughout your application if need be).
  2. The realm for NTLM authentication is the domain name of the computer being connected to, this can be troublesome as servers often have multiple domain names that refer to them. Only the domain name that HttpClient connects to (as specified by the HostConfiguration) is used to look up the credentials. It is generally advised that while initially testing NTLM authentication, you pass the realm in as null which is used as the default.
  3. NTLM authenticates a connection and not a request, so you need to authenticate every time a new connection is made and keeping the connection open during authentication is vital. Due to this, NTLM cannot be used to authenticate with both a proxy and the server, nor can NTLM be used with HTTP 1.0 connections or servers that do not support HTTP keep-alives.
..."
 
The first part could mean that you would need to change something in the ESME code to allow NTLM auth.
 
Just as information for you; I am now heading to a day-long workshop. I can try to "patch" esme in this way for NTLM, but the project may have to look at how to work on it in an organized way.
 
Kind regards,
 
Daniel


--
---
Daniel Koller
Jahnstrasse 20
80469 München * dako...@googlemail.com

Hirsch, Richard

Nov 12, 2008, 5:12:11 AM
to esme...@googlegroups.com
I'm using Tomcat on a Windows box and I installed Tomcat with the normal installation. I'm logging on with the local "SYSTEM" user which I set on the "Log On" Tab of the Tomcat Configuration Tool.

Have you tried that? It worked for me.

D.


Daniel Koller

Nov 12, 2008, 8:52:29 AM
to esme-dev
Hi,

this limitation that the local system user cannot pass the proxy is a
technical limitation set up by the company... it is not related to a
problem with Apache, or Tomcat or ESME.

Kind regards,

Daniel

On Nov 12, 11:12 am, "Hirsch, Richard" <richard.hir...@siemens.com>
wrote:

Daniel Koller

Nov 14, 2008, 6:07:30 AM
to esme-dev
Hi,

perhaps to rephrase the question:
- Where in the ESME code would you have to start to use the
NTCredentials-Class instead of the UsernamePasswordCredentials class
for accessing a proxy?

Kind regards,

Daniel

Darren Hague

Nov 14, 2008, 6:44:24 PM
to esme-dev
Hi Daniel,

I think the answer to your question is "not in the ESME code", because
the proxy is being accessed as part of the OpenID authentication,
which is handled by the OpenID4Java library (http://code.google.com/p/
openid4java/). Specifically, you want the class
org.openid4java.util.HttpClientFactory.java.

Hope this helps,
Darren

Dick Hirsch

Nov 14, 2008, 11:10:07 PM
to esme-dev
What about if we edited the ESMEOpenIDConsumer class in the User.scala
file so that it also had the ability to set user name and password for
the proxy. Now we just have host and port.

If you look at the open-id code,
http://www.google.com/codesearch?hl=en&q=show:6XrQUK_0F-4:OkYiFfjaUhg:6XrQUK_0F-4&sa=N&ct=rd&cs_p=http://openid4java.googlecode.com/svn/trunk&cs_f=src/org/openid4java/util/ProxyProperties.java,
you will see that it is also possible there to set user name and
password but that this is currently not supported by esme.

I'm assuming that if this was possible, then this might solve Daniel's
problem.

D.

Daniel Koller

Nov 16, 2008, 1:10:42 PM
to esme-dev
Hi,

I assume this too, together with an additional option for which auth class
should be used by the User class (as the NTCredentials class ->
http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/NTCredentials.html
is behaving differently than the currently used
UsernamePasswordCredentials class -->
http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/UsernamePasswordCredentials.html).
NTCredentials e.g. expects additional parameters, which you cannot
give to the UsernamePasswordCredentials class.

Nevertheless I am happy about the hint with the User class: when I am
in the office again I will try to patch the User class in order to make it
use NTCredentials.

Kind regards,

Daniel

On 15 Nov., 05:10, Dick Hirsch <richard.hir...@siemens.com> wrote:
> What about if we edited the ESMEOpenIDConsumer class in the User.scala
> file so that it also had the ability to set user name and password for
> the proxy. Now we just have host and port.
>
> If you look at the open-id code,http://www.google.com/codesearch?hl=en&q=show:6XrQUK_0F-4:OkYiFfjaUhg...,

Dick Hirsch

Nov 17, 2008, 2:35:38 AM
to esme-dev
Changing UsernamePasswordCredentials to NTCredentials is not possible
within ESME. The User.scala class calls the HttpClientFactory which is
located within the org.openid4java package. The switch must take place
in this class. Therefore, this issue should probably be placed on the
openid4java project issue list.

D.

On Nov 16, 7:10 pm, Daniel Koller <dakol...@googlemail.com> wrote:
> Hi,
>
> I assume this too, together with an additional option for which auth class
> should be used by the User class (as the NTCredentials class ->http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpcl...
> is behaving differently than the currently used
> UsernamePasswordCredentials Class -->http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpcl...)

Daniel Koller

Nov 20, 2008, 2:53:33 PM
to esme-dev
Hi all,

to conclude this topic: a patched openid-jar file (using explicitly
NTCredentials) helped to cross the proxy.

Regarding my proposal to include some kind of switching of proxy methods,
the openid project rejected that, as this would be a problem regarding
rights (which I cannot judge on).

Kind regards,

Daniel
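Added example, not code from this thread nor from ESME or openid4java: the HttpClient 3.x proxy setup that the quoted Apache notes describe and that Daniel's patched openid jar applies, i.e. registering NTCredentials (which carry workstation and domain) as proxy credentials instead of UsernamePasswordCredentials. Proxy host, port and all credential values are constructed placeholders.

```java
import java.io.IOException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class NtlmProxyExample {

    // Constructed placeholder values; in ESME these come from the properties file.
    private static final String PROXY_HOST = "proxy.example.internal";
    private static final int PROXY_PORT = 8080;

    // Builds a client that authenticates to an NTLM proxy. UsernamePasswordCredentials
    // has no fields for workstation and domain, which is why HttpClient refuses it
    // once the proxy answers with an NTLM challenge; NTCredentials extends it and adds them.
    public static HttpClient clientWithNtlmProxy(String user, String password,
                                                 String workstation, String domain) {
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setProxy(PROXY_HOST, PROXY_PORT);

        NTCredentials creds = new NTCredentials(user, password, workstation, domain);

        // Realm left as ANY_REALM: the HttpClient notes quoted above advise a null/default
        // realm while first testing NTLM, because the realm is the proxy's host name
        // and must match exactly what HttpClient connects to.
        client.getState().setProxyCredentials(
                new AuthScope(PROXY_HOST, PROXY_PORT, AuthScope.ANY_REALM), creds);
        return client;
    }

    // NTLM authenticates the connection, not the request, so the challenge/response
    // must complete over one kept-alive HTTP/1.1 connection (HttpClient 3.x default).
    public static int fetch(HttpClient client, String url) throws IOException {
        GetMethod get = new GetMethod(url);
        try {
            return client.executeMethod(get);
        } finally {
            get.releaseConnection();
        }
    }

    public static void main(String[] args) throws IOException {
        HttpClient client = clientWithNtlmProxy("jdoe", "placeholder-password",
                                                "WORKSTATION", "CORPDOMAIN");
        int status = fetch(client, "http://openid.example.org/");
        if (status == HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED) {
            System.err.println("Proxy rejected the NTLM credentials (407)");
        }
    }
}
```

A 407 after this setup usually means the domain or workstation name is wrong for the proxy, not the password; check the proxy's own log before retrying.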