Using NTLM authentication in Java applications
Out of the above list, only ntlmv2-auth and Jespa support NTLMv2. Jespa is workable but commercial. ntlmv2-auth I haven't tried but it's based on the code from Liferay, which I've seen working before.
'ntlm-authentication-in-java' is only NTLMv1, which is old, insecure, and works in a dwindling number of environments as people upgrade to newer Windows versions. JCIFS used to have an NTLMv1 HTTP auth filter, but it was removed in later versions, as the way it was implemented amounts to a man-in-the-middle attack on the insecure protocol. (The same appears to be true of 'ntlm-authentication-in-java'.)
The 'spnego' project is Kerberos not NTLM. If you want to replicate full IWA as IIS does it, you'd need to support both NTLMv2 and Kerberos ('NTLM' auth, 'Negotiate' auth, NTLMSSP-in-SPNego auth and NTLM-masquerading-as-Negotiate auth).
NTLM Authentication in a Web Application (java)
You're receiving the Type 3 message, but you're not doing anything with it except printing out the details. You need to validate the client's response at this point and either send a 200 (if authorized) or a 401 (if not.)
However the Type 1 message you delivered is made up of static bytes and - while it will induce a client to send back a response - is mostly meaningless. It's not impossible to implement a complete NTLM authentication stack yourself, but the code you have will simply not work.
You could investigate an NTLM Solution for Java, or (assuming you're on Windows) you could call the necessary authentication functions like AcceptSecurityContext with JNI.
Http post requests using NTLM Authentication (java)
I still have no idea why the documentation from https://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html about NTLM Authentication didn't work for me.
I finally solved my problem doing it similar to the documentation for basic authentication as described on http://www.baeldung.com/httpclient-post-http-request
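It now looks like this:
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HTTP;
...
// NTCredentials(user, password, workstation, domain); AuthScope.ANY applies them to every host
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY,
        new NTCredentials("username", "passwd", hostname, "domain.at"));
HttpClient client = HttpClientBuilder.create().setDefaultCredentialsProvider(credsProvider).build();
HttpPost post = new HttpPost("http://www.example.com");
// JSON request body, sent as UTF-8
StringEntity input = new StringEntity(bodyAsString, HTTP.UTF_8);
input.setContentType("application/json");
input.setContentEncoding("UTF-8");
post.setEntity(input);
post.setHeader("Accept", "application/json");
post.setHeader("Content-type", "application/json");
HttpResponse response = client.execute(post);
...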
NTLM Authentication with Active Directory using Java
NTLM authentication does not use a password; it uses a challenge-response protocol which requires a few server roundtrips.
In the second GET request, you respond with a server 'nonce' which is the authentication challenge received from the domain controller. On the third GET, you get the authentication response which you can validate with the challenge via the domain controller.
In your code, you use a hard-coded challenge (0x19091989), and completely ignore the response.
JCIFS has an implementation that actually finds a domain controller to handle the challenge and response in http://code.google.com/p/jcifs-fork/source/browse/trunk/jcifs/src/jcifs/http/NtlmHttpFilter.java. You could reverse engineer this, or use the filter as such, as described in http://jcifs.samba.org/src/docs/ntlmhttpauth.html. AFAIK this only works on a Windows server, but I could be mistaken.
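The two server-side problems raised in the answers above (a fixed challenge, and a Type 3 message that is printed but never acted on) can be illustrated with the following added example, which is not code from any of the posts or libraries mentioned. The class and method names are hypothetical, and it assumes the client sends the full 64-byte Type 3 header including the flags field. It generates a fresh challenge and parses the Type 3 message to reject NTLMv1-sized responses, but it does not verify the response, which still requires the domain controller or one of the libraries named on this page.

```java
import java.nio.*;
import java.nio.charset.Charset;
import java.security.SecureRandom;
import java.util.*;
import static java.nio.charset.StandardCharsets.*;

public class NtlmType3Check { // hypothetical class name, not from any library
    static final byte[] SIG = "NTLMSSP\0".getBytes(US_ASCII);
    static byte[] newChallenge() { // fresh random 8 bytes per handshake, never a constant
        byte[] c = new byte[8];
        new SecureRandom().nextBytes(c);
        return c;
    }
    /** Security buffer at pos: uint16 length, uint16 allocated, uint32 offset (little-endian). */
    static byte[] field(ByteBuffer m, int pos) {
        int len = m.getShort(pos) & 0xFFFF;
        long off = m.getInt(pos + 4) & 0xFFFFFFFFL;
        if (off + len > m.capacity()) throw new IllegalArgumentException("field outside message");
        return Arrays.copyOfRange(m.array(), (int) off, (int) off + len);
    }
    /** Parses a Type 3 header; a 24-byte NT response is NTLMv1-family, NTLMv2 is longer (proof + blob). */
    static String requireNtlmV2(String header) {
        if (!header.startsWith("NTLM ")) throw new IllegalArgumentException("not an NTLM header");
        byte[] raw = Base64.getDecoder().decode(header.substring(5).trim());
        ByteBuffer m = ByteBuffer.wrap(raw).order(ByteOrder.LITTLE_ENDIAN);
        if (raw.length < 64 || !Arrays.equals(Arrays.copyOf(raw, 8), SIG) || m.getInt(8) != 3)
            throw new IllegalArgumentException("not a Type 3 message");
        Charset cs = (m.getInt(60) & 1) != 0 ? UTF_16LE : US_ASCII; // NEGOTIATE_UNICODE flag
        String who = new String(field(m, 28), cs) + "\\" + new String(field(m, 36), cs);
        if (field(m, 20).length <= 24) throw new SecurityException("no NTLMv2 response from " + who);
        return who; // claimed identity only: the response still has to be checked against the challenge
    }

    public static void main(String[] args) {
        // Constructed Type 3 message: CORP\alice with a dummy 24-byte (NTLMv1-sized) NT response.
        byte[] dom = "CORP".getBytes(UTF_16LE), usr = "alice".getBytes(UTF_16LE);
        ByteBuffer m = ByteBuffer.allocate(88 + dom.length + usr.length).order(ByteOrder.LITTLE_ENDIAN);
        m.put(SIG).putInt(3).putInt(60, 1);                     // signature, type 3, Unicode flag
        m.putShort(20, (short) 24).putInt(24, 64);              // NT response: 24 bytes at offset 64
        m.putShort(28, (short) dom.length).putInt(32, 88);      // domain
        m.putShort(36, (short) usr.length).putInt(40, 88 + dom.length); // user name
        m.position(88);
        m.put(dom).put(usr);
        System.out.println("challenge: " + Base64.getEncoder().encodeToString(newChallenge()));
        String header = "NTLM " + Base64.getEncoder().encodeToString(m.array());
        try { System.out.println("claimed: " + requireNtlmV2(header)); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run it with `java NtlmType3Check.java` on Java 11 or later; the constructed message is rejected because its NT response is NTLMv1-sized.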
Integrated Windows Authentication (NTLM) in a Java/WebLogic app?
Have a look at jcifs. Although its mechanism is deprecated (it does not support NTLMv2), it's still working in my projects. You might have to use an older version.
They recommend using jespa, but it's not free.
There is also spnego, it has a filter too. And tomcatspnego. But I don't know how easy they are to use.
Waffle also looks interesting.
Here is another answer with some details: Authenticating against Active Directory with Java on Linux
So far I have only used jcifs, so I cannot tell you which other option is the best. Apache's HttpClient also has some capabilities; I used it, but not as SSO in a webapp.
EDIT:
I found another project: ntlm-authentication-in-java, but I have not used or tested it yet.