Follow-up to HTTPCLIENT-1383: fixes another infinite loop in case of an out-of-sequence NTLM response

Contributed by Ricardo Pereira <thc202 at gmail.com>

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1500629 13f79535-47bb-0310-9956-ffa450edef68
Oleg Kalnichevski 2013-07-08 09:28:50 +00:00
parent 9385b90c0a
commit b524b797c4
2 changed files with 40 additions and 5 deletions


@ -109,6 +109,7 @@ public class NTLMScheme extends AuthSchemeBase {
} else {
if (this.state.compareTo(State.MSG_TYPE1_GENERATED) < 0) {
this.state = State.FAILED;
throw new MalformedChallengeException("Out of sequence NTLM response message");
} else if (this.state == State.MSG_TYPE1_GENERATED) {
this.state = State.MSG_TYPE2_RECEVIED;
}
@ -127,7 +128,9 @@ public class NTLMScheme extends AuthSchemeBase {
+ credentials.getClass().getName());
}
String response = null;
if (this.state == State.CHALLENGE_RECEIVED || this.state == State.FAILED) {
if (this.state == State.FAILED) {
throw new AuthenticationException("NTLM authentication failed");
} else if (this.state == State.CHALLENGE_RECEIVED) {
response = this.engine.generateType1Msg(
ntcredentials.getDomain(),
ntcredentials.getWorkstation());
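Review bot: The out-of-sequence guard at the top of the first hunk, `if (this.state.compareTo(State.MSG_TYPE1_GENERATED) < 0)`, decides which states are rejected by the declaration order of the `State` enum (`compareTo` on an enum is ordinal order), and since `FAILED` sits in the same enum as the protocol phases, a later reordering would silently widen or narrow what counts as out of sequence; spelling the rejected states out with explicit `==` checks, or a comment on the enum saying its order is load-bearing, would make the intent visible. That guard together with the new `if (this.state == State.FAILED)` branch in the second hunk appears to be what stops the loop: nothing in these hunks ever clears `FAILED`, so a server that keeps replaying a Type2 challenge gets one `AuthenticationException` per attempt instead of an endless Type1/Type2 exchange. That sticky-state contract is worth recording next to the new branch, e.g. `// FAILED is terminal: keep throwing so a replayed Type2 challenge cannot restart the handshake (HTTPCLIENT-1383)`. Both enclosing methods start and end outside their hunks, and the `MalformedChallengeException` message gives no hint of which state was rejected; `throw new MalformedChallengeException("Out of sequence NTLM response message; state: " + this.state);` would make the failure easier to diagnose from client logs.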


@ -178,6 +178,12 @@ public class TestClientAuthenticationFakeNTLM extends IntegrationTestBase {
static class NtlmType2MessageOnlyResponseHandler implements HttpRequestHandler {
private final String authenticateHeaderValue;
public NtlmType2MessageOnlyResponseHandler(final String type2Message) {
this.authenticateHeaderValue = "NTLM " + type2Message;
}
public void handle(
final HttpRequest request,
final HttpResponse response,
@ -187,15 +193,41 @@ public class TestClientAuthenticationFakeNTLM extends IntegrationTestBase {
HttpStatus.SC_UNAUTHORIZED,
"Authentication Required"));
response.setHeader("Connection", "Keep-Alive");
response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "NTLM TlRMTVNTUAACAA" +
"AADAAMADgAAAAzggLiASNFZ4mrze8AAAAAAAAAAAAAAAAAAAAABgBwFwAAAA9T" +
"AGUAcgB2AGUAcgA=");
response.setHeader(HttpHeaders.WWW_AUTHENTICATE, authenticateHeaderValue);
}
}
@Test
public void testNTLMType2MessageOnlyAuthenticationFailure() throws Exception {
this.localServer.register("*", new NtlmType2MessageOnlyResponseHandler());
this.localServer.register("*", new NtlmType2MessageOnlyResponseHandler("TlRMTVNTUAACAA" +
"AADAAMADgAAAAzggLiASNFZ4mrze8AAAAAAAAAAAAAAAAAAAAABgBwFwAAAA9T" +
"AGUAcgB2AGUAcgA="));
this.localServer.start();
final BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY,
new NTCredentials("test", "test", null, null));
this.httpclient = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.build();
final HttpContext context = HttpClientContext.create();
final HttpHost targethost = getServerHttp();
final HttpGet httpget = new HttpGet("/");
final HttpResponse response = this.httpclient.execute(targethost, httpget, context);
EntityUtils.consume(response.getEntity());
Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED,
response.getStatusLine().getStatusCode());
}
@Test
public void testNTLMType2NonUnicodeMessageOnlyAuthenticationFailure() throws Exception {
this.localServer.register("*", new NtlmType2MessageOnlyResponseHandler("TlRMTVNTUAACAA" +
"AABgAGADgAAAAyggLiASNFZ4mrze8AAAAAAAAAAAAAAAAAAAAABgBwFwAAAA9T" +
"ZXJ2ZXI="));
this.localServer.start();
final BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();