Updated NTLM guide based on input provided by Ron Jacobs <Ron.Jacobs at Reardencommerce.com>

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1095921 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Oleg Kalnichevski 2011-04-22 11:26:49 +00:00
parent bc70b1839a
commit f8bc43e3f0
2 changed files with 156 additions and 0 deletions

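--- /dev/null
+++ b/src/site/apt/ntlm.apt
@@ -0,0 +1,155 @@
+~~ ====================================================================
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements. See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership. The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License. You may obtain a copy of the License at
+~~
+~~ http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied. See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+~~ ====================================================================
+~~
+~~ This software consists of voluntary contributions made by many
+~~ individuals on behalf of the Apache Software Foundation. For more
+~~ information on the Apache Software Foundation, please see
+~~ <http://www.apache.org/>.
+----------
+NTLM support in HttpClient
+----------
+----------
+----------
+NTLM support in HttpClient
+* {Background}
+NTLM is a proprietary authentication scheme developed by Microsoft and optimized for
+Windows operating system.
+Until year 2008 there was no official, publicly available, complete documentation of
+the protocol. {{{http://davenport.sourceforge.net/ntlm.html}Unofficial}} 3rd party
+protocol descriptions existed as a result of reverse-engineering efforts. It was not
+really known whether the protocol based on the reverse-engineering were complete or
+even correct.
+Microsoft published {{{http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf}MS-NLMP}}
+and {{{http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NTHT%5D.pdf}MS-NTHT}}
+specifications in February 2008 as a part of its
+{{{http://www.microsoft.com/interop/principles/default.mspx}Interoperability
+Principles initiative}}.
+HttpClient as of version 4.1 supports NTLMv1 and NTLMv2 authentication protocols out
+of the box using a custom authentication engine. However, there can still be compatibility
+issues with newer Microsoft products as the default NTLM engine implementation is still
+relatively new. One can also use {{{http://jcifs.samba.org/}JCIFS}} as an alternative, more
+established and mature NTLM engine developed by Samba project.
+* {Using Samba JCIFS as an alternative NTLM engine}
+Follow these instructions to build an NTLMEngine implementation using JCIFS library
+<<!!!!DISCLAIMER !!!! HttpComponents project DOES _NOT_ SUPPORT the code provided below.
+Use it as is at your own discretion>>.
+* Download version 1.3.14 or newer of the JCIFS library from the
+{{{http://jcifs.samba.org/}Samba}} web site
+* Implement NTLMEngine interface
+----------------------------------------
+import java.io.IOException;
+import jcifs.ntlmssp.NtlmFlags;
+import jcifs.ntlmssp.Type1Message;
+import jcifs.ntlmssp.Type2Message;
+import jcifs.ntlmssp.Type3Message;
+import jcifs.util.Base64;
+import org.apache.http.impl.auth.NTLMEngine;
+import org.apache.http.impl.auth.NTLMEngineException;
+public final class JCIFSEngine implements NTLMEngine {
+private static final int TYPE_1_FLAGS =
+NtlmFlags.NTLMSSP_NEGOTIATE_56 |
+NtlmFlags.NTLMSSP_NEGOTIATE_128 |
+NtlmFlags.NTLMSSP_NEGOTIATE_NTLM2 |
+NtlmFlags.NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
+NtlmFlags.NTLMSSP_REQUEST_TARGET;
+public String generateType1Msg(final String domain, final String workstation)
+throws NTLMEngineException {
+final Type1Message type1Message = new Type1Message(TYPE_1_FLAGS, domain, workstation);
+return Base64.encode(type1Message.toByteArray());
+}
+public String generateType3Msg(final String username, final String password,
+final String domain, final String workstation, final String challenge)
+throws NTLMEngineException {
+Type2Message type2Message;
+try {
+type2Message = new Type2Message(Base64.decode(challenge));
+} catch (final IOException exception) {
+throw new NTLMEngineException("Invalid NTLM type 2 message", exception);
+}
+final int type2Flags = type2Message.getFlags();
+final int type3Flags = type2Flags
+& (0xffffffff ^ (NtlmFlags.NTLMSSP_TARGET_TYPE_DOMAIN | NtlmFlags.NTLMSSP_TARGET_TYPE_SERVER));
+final Type3Message type3Message = new Type3Message(type2Message, password, domain,
+username, workstation, type3Flags);
+return Base64.encode(type3Message.toByteArray());
+}
+}
+----------------------------------------
+* Implement AuthSchemeFactory interface
+----------------------------------------
+import org.apache.http.auth.AuthScheme;
+import org.apache.http.auth.AuthSchemeFactory;
+import org.apache.http.impl.auth.NTLMScheme;
+import org.apache.http.params.HttpParams;
+public class NTLMSchemeFactory implements AuthSchemeFactory {
+public AuthScheme newInstance(final HttpParams params) {
+return new NTLMScheme(new JCIFSEngine());
+}
+}
+----------------------------------------
+* Register NTLMSchemeFactory with the HttpClient instance you want to NTLM
+enable.
+----------------------------------------
+httpclient.getAuthSchemes().register("ntlm", new NTLMSchemeFactory());
+----------------------------------------
+* Set NTCredentials for the web server you are going to access.
+----------------------------------------
+httpclient.getCredentialsProvider().setCredentials(
+new AuthScope("myserver", -1),
+new NTCredentials("username", "password", "MYSERVER", "MYDOMAIN"));
+-----------------------------------------------------------
+* You are done.
+* {Why this code is not distributed with HttpClient}
+JCIFS is licensed under the Lesser General Public License (LGPL). This license
+is not compatible with the Apache Licenses under which all Apache Software is
+released. Lawyers of the Apache Software Foundation are currently investigating
+under which conditions Apache software is allowed to make use of LGPL software.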
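Review bot: In `JCIFSEngine.generateType3Msg` the Type 3 flags are taken straight from the server's Type 2 message (`type2Message.getFlags()` with only the two TARGET_TYPE bits masked off), so nothing checks that the NTLM2 and 128-bit options the client asked for in `TYPE_1_FLAGS` survived negotiation — a server, or anything on the path able to rewrite the challenge, can drop them and this client will silently answer with whatever weaker settings remain. A minimal guard before the `Type3Message` is built would be `if ((type2Flags & NtlmFlags.NTLMSSP_NEGOTIATE_NTLM2) == 0) throw new NTLMEngineException("Server did not negotiate NTLM2 session security");` (add `NTLMSSP_NEGOTIATE_128` to the check if 128-bit keys are a requirement), together with a sentence in the guide stating which negotiated flags the sample treats as mandatory. Separately, the credentials example registers `new AuthScope("myserver", -1)`, which as far as I recall HttpClient 4.x matches any realm and any auth scheme, so the same NTCredentials would also be offered to a Basic challenge from that host and the password sent base64-encoded in the clear; scoping the entry with `new AuthScope("myserver", -1, AuthScope.ANY_REALM, "ntlm")` avoids that and deserves a caveat next to the snippet. The guide also does not say that which response type (LM, NTLMv1 or NTLMv2) JCIFS actually computes inside `Type3Message` is, if I remember its configuration correctly, governed by the `jcifs.smb.lmCompatibility` system property rather than by anything in this code, which readers who need NTLMv2-only behaviour should be told to set explicitly.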


@ -36,6 +36,7 @@
<item name="Tutorial" href="tutorial/html/index.html"/> <item name="Tutorial" href="tutorial/html/index.html"/>
<item name="Examples" href="examples.html"/> <item name="Examples" href="examples.html"/>
<item name="Client HTTP Programming Primer" href="primer.html"/> <item name="Client HTTP Programming Primer" href="primer.html"/>
<item name="NTLM Guide" href="ntlm.html"/>
<item name="Logging" href="logging.html"/> <item name="Logging" href="logging.html"/>
</menu> </menu>
<menu name="Modules"> <menu name="Modules">