Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 4.5.3
- Important
Description
I'm prototyping NTLM authentication with your 4.5 HTTP client and Spring RestTemplate. This currently fails with an org.apache.http.impl.auth.NTLMEngineException "NTLM authentication error: NTLM authentication - buffer too small for data item".
The code, wire log (below) and a simple standalone test application (attached) are included.
Code
// Imports, the class wrapper and the GET call are added here so the reporter's fragment
// compiles as a unit; the stack trace below shows the request going through RestTemplate.getForEntity.
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.NTLMSchemeFactory;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class NtlmPrototype {

    // args: <url> <user> <password> <domain>, matching the test application's command line
    public static void main(String[] args) {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.setRequestFactory(buildHttpComponentsClientHttpRequestFactory(args));
        restTemplate.getForEntity(args[0], String.class);
    }

    private static HttpComponentsClientHttpRequestFactory buildHttpComponentsClientHttpRequestFactory(String[] args) {
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
        cm.setMaxTotal(128);
        cm.setDefaultMaxPerRoute(24);
        RequestConfig.Builder requestBuilder = RequestConfig.custom()
                .setConnectTimeout(5000)
                .setSocketTimeout(10000);
        // Only NTLM and SPNEGO are registered, so these are the schemes the client can answer
        Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
                .build();
        // NTCredentials(userName, password, workstation, domain)
        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
                new NTCredentials(args[1], args[2], null, args[3]));
        HttpClientBuilder builder = HttpClientBuilder.create()
                .setConnectionManager(cm)
                .setDefaultRequestConfig(requestBuilder.build())
                .setDefaultAuthSchemeRegistry(authSchemeRegistry)
                .setDefaultCredentialsProvider(credentialsProvider);
        return new HttpComponentsClientHttpRequestFactory(builder.build());
    }
}
Wire log
23:21:22,983 | RestTemplate | Created GET request for "https://ntlm.herokuapp.com"
23:21:22,987 | RestTemplate | Setting request Accept header to [text/plain, */*]
23:21:22,997 | RequestAddCookies | CookieSpec selected: default
23:21:23,006 | RequestAuthCache | Auth cache not set in the context
23:21:23,007 | PoolingHttpClientConnectionManager | Connection request: [route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 0; route allocated: 0 of 24; total allocated: 0 of 128]
23:21:23,029 | PoolingHttpClientConnectionManager | Connection leased: [id: 0][route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 0; route allocated: 1 of 24; total allocated: 1 of 128]
23:21:23,031 | MainClientExec | Opening connection {s}->https://ntlm.herokuapp.com:443
23:21:23,299 | DefaultHttpClientConnectionOperator | Connecting to ntlm.herokuapp.com/54.235.146.123:443
23:21:23,299 | SSLConnectionSocketFactory | Connecting socket to ntlm.herokuapp.com/54.235.146.123:443 with timeout 5000
23:21:23,581 | SSLConnectionSocketFactory | Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
23:21:23,582 | SSLConnectionSocketFactory | Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
23:21:23,582 | SSLConnectionSocketFactory | Starting handshake
23:21:23,989 | SSLConnectionSocketFactory | Secure session established
23:21:23,989 | SSLConnectionSocketFactory | negotiated protocol: TLSv1.2
23:21:23,989 | SSLConnectionSocketFactory | negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
23:21:23,990 | SSLConnectionSocketFactory | peer principal: CN=*.herokuapp.com, O="Heroku, Inc.", L=San Francisco, ST=California, C=US
23:21:23,990 | SSLConnectionSocketFactory | peer alternative names: [*.herokuapp.com, herokuapp.com]
23:21:23,990 | SSLConnectionSocketFactory | issuer principal: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
23:21:23,994 | DefaultHttpClientConnectionOperator | Connection established 172.19.1.229:63526<->54.235.146.123:443
23:21:23,994 | DefaultManagedHttpClientConnection | http-outgoing-0: set socket timeout to 10000
23:21:23,994 | MainClientExec | Executing request GET / HTTP/1.1
23:21:23,995 | MainClientExec | Target auth state: UNCHALLENGED
23:21:23,995 | MainClientExec | Proxy auth state: UNCHALLENGED
23:21:23,996 | headers | http-outgoing-0 >> GET / HTTP/1.1
23:21:23,996 | headers | http-outgoing-0 >> Accept: text/plain, */*
23:21:23,996 | headers | http-outgoing-0 >> Host: ntlm.herokuapp.com
23:21:23,996 | headers | http-outgoing-0 >> Connection: Keep-Alive
23:21:23,996 | headers | http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
23:21:23,996 | headers | http-outgoing-0 >> Accept-Encoding: gzip,deflate
23:21:23,996 | wire | http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
23:21:23,996 | wire | http-outgoing-0 >> "Accept: text/plain, */*[\r][\n]"
23:21:23,997 | wire | http-outgoing-0 >> "Host: ntlm.herokuapp.com[\r][\n]"
23:21:23,997 | wire | http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
23:21:23,997 | wire | http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
23:21:23,997 | wire | http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
23:21:23,997 | wire | http-outgoing-0 >> "[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "HTTP/1.1 401 Unauthorized [\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "Connection: keep-alive[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "Www-Authenticate: NTLM[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "Date: Thu, 16 Nov 2017 22:20:57 GMT[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "Content-Length: 0[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "Via: 1.1 vegur[\r][\n]"
23:21:24,174 | wire | http-outgoing-0 << "[\r][\n]"
23:21:24,177 | headers | http-outgoing-0 << HTTP/1.1 401 Unauthorized
23:21:24,177 | headers | http-outgoing-0 << Connection: keep-alive
23:21:24,178 | headers | http-outgoing-0 << Www-Authenticate: NTLM
23:21:24,178 | headers | http-outgoing-0 << Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
23:21:24,178 | headers | http-outgoing-0 << Date: Thu, 16 Nov 2017 22:20:57 GMT
23:21:24,178 | headers | http-outgoing-0 << Content-Length: 0
23:21:24,178 | headers | http-outgoing-0 << Via: 1.1 vegur
23:21:24,181 | MainClientExec | Connection can be kept alive indefinitely
23:21:24,181 | HttpAuthenticator | Authentication required
23:21:24,183 | HttpAuthenticator | ntlm.herokuapp.com:443 requested authentication
23:21:24,184 | TargetAuthenticationStrategy | Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
23:21:24,184 | TargetAuthenticationStrategy | Challenge for Negotiate authentication scheme not available
23:21:24,184 | TargetAuthenticationStrategy | Challenge for Kerberos authentication scheme not available
23:21:24,191 | TargetAuthenticationStrategy | Challenge for Digest authentication scheme not available
23:21:24,191 | TargetAuthenticationStrategy | Challenge for Basic authentication scheme not available
23:21:24,191 | HttpAuthenticator | Selected authentication options: [NTLM]
23:21:24,192 | DefaultManagedHttpClientConnection | http-outgoing-0: set socket timeout to 10000
23:21:24,192 | MainClientExec | Executing request GET / HTTP/1.1
23:21:24,192 | MainClientExec | Target auth state: CHALLENGED
23:21:24,192 | HttpAuthenticator | Generating response to an authentication challenge using ntlm scheme
23:21:24,192 | MainClientExec | Proxy auth state: UNCHALLENGED
23:21:24,192 | headers | http-outgoing-0 >> GET / HTTP/1.1
23:21:24,192 | headers | http-outgoing-0 >> Accept: text/plain, */*
23:21:24,192 | headers | http-outgoing-0 >> Host: ntlm.herokuapp.com
23:21:24,192 | headers | http-outgoing-0 >> Connection: Keep-Alive
23:21:24,192 | headers | http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
23:21:24,192 | headers | http-outgoing-0 >> Accept-Encoding: gzip,deflate
23:21:24,192 | headers | http-outgoing-0 >> Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==
23:21:24,193 | wire | http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "Accept: text/plain, */*[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "Host: ntlm.herokuapp.com[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"
23:21:24,193 | wire | http-outgoing-0 >> "[\r][\n]"
23:21:24,367 | wire | http-outgoing-0 << "HTTP/1.1 401 Unauthorized [\r][\n]"
23:21:24,367 | wire | http-outgoing-0 << "Connection: keep-alive[\r][\n]"
23:21:24,368 | wire | http-outgoing-0 << "Www-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=[\r][\n]"
23:21:24,368 | wire | http-outgoing-0 << "Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
23:21:24,368 | wire | http-outgoing-0 << "Date: Thu, 16 Nov 2017 22:20:58 GMT[\r][\n]"
23:21:24,368 | wire | http-outgoing-0 << "Content-Length: 0[\r][\n]"
23:21:24,368 | wire | http-outgoing-0 << "Via: 1.1 vegur[\r][\n]"
23:21:24,368 | wire | http-outgoing-0 << "[\r][\n]"
23:21:24,368 | headers | http-outgoing-0 << HTTP/1.1 401 Unauthorized
23:21:24,368 | headers | http-outgoing-0 << Connection: keep-alive
23:21:24,368 | headers | http-outgoing-0 << Www-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=
23:21:24,368 | headers | http-outgoing-0 << Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
23:21:24,368 | headers | http-outgoing-0 << Date: Thu, 16 Nov 2017 22:20:58 GMT
23:21:24,368 | headers | http-outgoing-0 << Content-Length: 0
23:21:24,369 | headers | http-outgoing-0 << Via: 1.1 vegur
23:21:24,369 | MainClientExec | Connection can be kept alive indefinitely
23:21:24,369 | HttpAuthenticator | Authentication required
23:21:24,369 | HttpAuthenticator | ntlm.herokuapp.com:443 requested authentication
23:21:24,369 | HttpAuthenticator | Authorization challenge processed
23:21:24,369 | DefaultManagedHttpClientConnection | http-outgoing-0: set socket timeout to 10000
23:21:24,369 | MainClientExec | Executing request GET / HTTP/1.1
23:21:24,369 | MainClientExec | Target auth state: HANDSHAKE
23:21:24,370 | HttpAuthenticator | NTLM authentication error: NTLM authentication - buffer too small for data item
23:21:24,370 | MainClientExec | Proxy auth state: UNCHALLENGED
23:21:24,371 | headers | http-outgoing-0 >> GET / HTTP/1.1
23:21:24,371 | headers | http-outgoing-0 >> Accept: text/plain, */*
23:21:24,371 | headers | http-outgoing-0 >> Host: ntlm.herokuapp.com
23:21:24,371 | headers | http-outgoing-0 >> Connection: Keep-Alive
23:21:24,371 | headers | http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)
23:21:24,371 | headers | http-outgoing-0 >> Accept-Encoding: gzip,deflate
23:21:24,371 | wire | http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
23:21:24,371 | wire | http-outgoing-0 >> "Accept: text/plain, */*[\r][\n]"
23:21:24,371 | wire | http-outgoing-0 >> "Host: ntlm.herokuapp.com[\r][\n]"
23:21:24,371 | wire | http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
23:21:24,371 | wire | http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_66)[\r][\n]"
23:21:24,371 | wire | http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
23:21:24,371 | wire | http-outgoing-0 >> "[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "HTTP/1.1 401 Unauthorized [\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "Connection: keep-alive[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "Www-Authenticate: NTLM[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "Date: Thu, 16 Nov 2017 22:20:58 GMT[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "Content-Length: 0[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "Via: 1.1 vegur[\r][\n]"
23:21:24,562 | wire | http-outgoing-0 << "[\r][\n]"
23:21:24,562 | headers | http-outgoing-0 << HTTP/1.1 401 Unauthorized
23:21:24,562 | headers | http-outgoing-0 << Connection: keep-alive
23:21:24,563 | headers | http-outgoing-0 << Www-Authenticate: NTLM
23:21:24,563 | headers | http-outgoing-0 << Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-09-19)
23:21:24,563 | headers | http-outgoing-0 << Date: Thu, 16 Nov 2017 22:20:58 GMT
23:21:24,563 | headers | http-outgoing-0 << Content-Length: 0
23:21:24,563 | headers | http-outgoing-0 << Via: 1.1 vegur
23:21:24,563 | MainClientExec | Connection can be kept alive indefinitely
23:21:24,563 | HttpAuthenticator | Authentication required
23:21:24,563 | HttpAuthenticator | ntlm.herokuapp.com:443 requested authentication
23:21:24,563 | HttpAuthenticator | Authorization challenge processed
23:21:24,563 | HttpAuthenticator | Authentication failed
23:21:24,563 | PoolingHttpClientConnectionManager | Connection [id: 0][route: {s}->https://ntlm.herokuapp.com:443] can be kept alive indefinitely
23:21:24,563 | PoolingHttpClientConnectionManager | Connection released: [id: 0][route: {s}->https://ntlm.herokuapp.com:443][total kept alive: 1; route allocated: 1 of 24; total allocated: 1 of 128]
23:21:24,568 | RestTemplate | GET request for "https://ntlm.herokuapp.com" resulted in 401 (Unauthorized); invoking error handler
23:21:24,571 | NtlmPrototype | Request failed
org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:63) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:312) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at NtlmPrototype.issueGetRequest(NtlmPrototype.java:50) [classes/:?]
    at NtlmPrototype.main(NtlmPrototype.java:32) [classes/:?]
Test application
- use attached ZIP or download from https://frightanic.com/misc/msr-ntlm-prototype.zip (26.7KB)
- unzip
- $ mvn package
- $ java -jar target/ntlm-prototype-1.0-SNAPSHOT.jar https://ntlm.herokuapp.com user pass domain
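The wire log above records the two NTLM tokens exchanged before the client gives up in the HANDSHAKE state, and decoding them explains what the client was asked to parse. The Python below is added to this report as an illustration; it is neither part of the attached prototype nor HttpClient's own NTLM engine. It pulls the tokens out of header lines quoted from the wire log and parses them as NTLM NEGOTIATE (Type 1) and CHALLENGE (Type 2) messages using the field offsets from MS-NLMP. The choice to accept a 32-byte CHALLENGE that lacks the Reserved and TargetInfo fields is this parser's own; the decoding shows that the server's token is exactly that minimal form, with a zero-length TargetName buffer whose offset (40) lies past the end of the 32-byte message and a server challenge of eight zero bytes.

```python
import base64
import re
import struct

# Lines reproduced from the wire log in this report (not constructed): the bare
# challenge, the client's NEGOTIATE (Type 1) and the server's CHALLENGE (Type 2).
WIRE_LOG = r"""
23:21:24,178 | headers | http-outgoing-0 << Www-Authenticate: NTLM
23:21:24,192 | headers | http-outgoing-0 >> Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==
23:21:24,368 | wire | http-outgoing-0 << "Www-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABAAAAAAAAAAAAAAA=[\r][\n]"
"""

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
# Subset of the NegotiateFlags bits defined in MS-NLMP 2.2.2.5.
FLAG_NAMES = {
    NEGOTIATE_UNICODE: "NEGOTIATE_UNICODE",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    NEGOTIATE_TARGET_INFO: "NEGOTIATE_TARGET_INFO",
    NEGOTIATE_VERSION: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
# Only a header that carries a token matches; the bare "Www-Authenticate: NTLM" does not.
TOKEN_RE = re.compile(r"(?:Authorization|Www-Authenticate): NTLM ([A-Za-z0-9+/=]+)")


def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def read_security_buffer(data, at):
    """Security buffer: uint16 len, uint16 maxlen, uint32 offset (little-endian). Length is
    checked before offset: a zero-length buffer may point past the end of a minimal message
    (the report's Type 2 has TargetName len 0 at offset 40 inside a 32-byte message)."""
    if at + 8 > len(data):
        raise ValueError("buffer too small for data item")
    length, _maxlen, start = struct.unpack_from("<HHI", data, at)
    if length == 0:
        return b""
    if start + length > len(data):
        raise ValueError("buffer too small for data item")
    return data[start:start + length]


def parse_negotiate(raw):
    """NEGOTIATE_MESSAGE: flags at 12, Domain/Workstation buffers (OEM text) at 16/24, Version at 32."""
    if len(raw) < 32:
        raise ValueError("buffer too small for data item")
    flags = struct.unpack_from("<I", raw, 12)[0]
    version = None
    if flags & NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        version = (major, minor, build, raw[39])  # raw[39] is NTLMRevisionCurrent
    return {
        "type": 1,
        "flags": flags,
        "flag_names": flag_names(flags),
        "domain": read_security_buffer(raw, 16).decode("latin-1"),
        "workstation": read_security_buffer(raw, 24).decode("latin-1"),
        "version": version,
    }


def parse_challenge(raw):
    """CHALLENGE_MESSAGE. MS-NLMP's fixed part is 48 bytes (TargetName at 12, flags at 20,
    ServerChallenge at 24, Reserved at 32, TargetInfo at 40); the server in this report
    sends only the first 32, the minimal form of the older NTLM description. Both parse."""
    if len(raw) < 32:
        raise ValueError("buffer too small for data item")
    target_name = read_security_buffer(raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    challenge = raw[24:32]
    target_info = b""
    if len(raw) >= 48:
        target_info = read_security_buffer(raw, 40)
    elif flags & NEGOTIATE_TARGET_INFO:
        raise ValueError("NEGOTIATE_TARGET_INFO set but TargetInfo fields absent")
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "type": 2,
        "minimal_form": len(raw) < 48,
        "target_name": target_name.decode(encoding),
        "flag_names": flag_names(flags),
        "challenge": challenge.hex(),
        "challenge_is_zero": challenge == bytes(8),  # a real server nonce must be unpredictable
        "target_info_len": len(target_info),
    }


def parse_message(raw):
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    parser = {1: parse_negotiate, 2: parse_challenge}.get(msg_type)
    if parser is None:
        raise ValueError("unsupported NTLM message type %d" % msg_type)
    return parser(raw)


def parse_log(log):
    return [parse_message(base64.b64decode(m.group(1))) for m in TOKEN_RE.finditer(log)]
```

Calling `parse_log(WIRE_LOG)` returns the client's Type 1 (flags 0xa2088201: UNICODE, NTLM, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY, VERSION, 128 and 56, with a 5.1.2600 version block) followed by the server's Type 2, which comes back as `minimal_form` with NEGOTIATE_UNICODE as its only flag and `challenge_is_zero` set. A parser that assumes the 48-byte layout, or validates the TargetName offset before noticing that its length is zero, rejects precisely this message with a "buffer too small" style error, which is the failure the log shows. The all-zero challenge is tolerable for a public test endpoint such as ntlm.herokuapp.com, but any production server must send an unpredictable challenge, since the client's response is only as fresh as the nonce it answers.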