Using NTLM Authentication in Java Applications

Using NTLM authentication in Java applications

Out of the above list, only ntlmv2-auth and Jespa support NTLMv2. Jespa is workable but commercial. ntlmv2-auth I haven't tried but it's based on the code from Liferay, which I've seen working before.

'ntlm-authentication-in-java' is only NTLMv1, which is old, insecure, and works in a dwindling number of environments as people upgrade to newer Windows versions. JCIFS used to have an NTLMv1 HTTP auth filter, but it was removed in later versions, as the way it was implemented amounts to a man-in-the-middle attack on the insecure protocol. (The same appears to be true of 'ntlm-authentication-in-java'.)

The 'spnego' project is Kerberos not NTLM. If you want to replicate full IWA as IIS does it, you'd need to support both NTLMv2 and Kerberos ('NTLM' auth, 'Negotiate' auth, NTLMSSP-in-SPNego auth and NTLM-masquerading-as-Negotiate auth).

NTLM Authentication in a Web Application (java)

You're receiving the Type 3 message, but you're not doing anything with it except printing out the details. You need to validate the client's response at this point and either send a 200 (if authorized) or a 401 (if not).

However, the Type 1 message you delivered is made up of static bytes and, while it will induce a client to send back a response, is mostly meaningless. It's not impossible to implement a complete NTLM authentication stack yourself, but the code you have will simply not work.

You could investigate an NTLM Solution for Java, or (assuming you're on Windows) you could call the necessary authentication functions like AcceptSecurityContext with JNI.

HTTP POST requests using NTLM Authentication (java)

I still have no idea why the documentation from https://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html about NTLM authentication didn't work for me.
I finally solved my problem by doing it similarly to the documentation for basic authentication, as described at http://www.baeldung.com/httpclient-post-http-request

It now looks like this:

// Imports needed by this snippet (Apache HttpClient 4.x)
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HTTP;
...
// hostname is the client workstation name (third NTCredentials argument);
// it and bodyAsString are assumed to be defined in the elided code above
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY,
        new NTCredentials("username", "passwd", hostname, "domain.at"));

// HttpClientBuilder registers the NTLM auth scheme by default, so setting the
// credentials provider is enough to answer the server's NTLM challenge
HttpClient client = HttpClientBuilder.create().setDefaultCredentialsProvider(credsProvider).build();

HttpPost post = new HttpPost("http://www.example.com");

StringEntity input = new StringEntity(bodyAsString, HTTP.UTF_8);
input.setContentType("application/json");
input.setContentEncoding("UTF-8");
post.setEntity(input);

post.setHeader("Accept", "application/json");
post.setHeader("Content-type", "application/json");

HttpResponse response = client.execute(post);
...

NTLM Authentication with Active Directory using Java

NTLM authentication does not use a password; it uses a challenge-response protocol which requires a few server round trips.

In the second GET request, you respond with a server 'nonce' which is the authentication challenge received from the domain controller. On the third GET, you get the authentication response which you can validate with the challenge via the domain controller.

In your code, you use a hard-coded challenge (0x19091989), and completely ignore the response.

JCIFS has an implementation that actually finds a domain controller to handle the challenge and response in http://code.google.com/p/jcifs-fork/source/browse/trunk/jcifs/src/jcifs/http/NtlmHttpFilter.java. You could reverse engineer this, or use the filter 'an sich' as described in http://jcifs.samba.org/src/docs/ntlmhttpauth.html. AFAIK this only works on a Windows server, but I could be mistaken.
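The round trips described in this answer and in the "Type 3 message" answer above, as an added example that is not from any of the posts: a language-neutral Python sketch of the server side of the NTLM-over-HTTP handshake. It builds a real MS-NLMP Type 2 message around a random challenge (instead of a hard-coded one) and refuses to pass a request through until the Type 3 message has been checked; the `validator` callback, the `EXAMPLE` target name and the session-keyed `pending` table are assumptions of this sketch, and the callback stands in for JCIFS, Jespa, Waffle or AcceptSecurityContext, which do the actual credential verification.

```python
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, REQUEST_TARGET, NEGOTIATE_NTLM, TARGET_TYPE_DOMAIN = 0x1, 0x4, 0x200, 0x10000  # MS-NLMP flags

def ntlm_message(kind, body=b""):
    """Signature + little-endian MessageType, followed by the message-specific body."""
    return SIGNATURE + struct.pack("<I", kind) + body

def message_type(msg):
    """MessageType (1, 2 or 3) of an NTLMSSP message, or None if it is not one."""
    if msg is None or len(msg) < 12 or msg[:8] != SIGNATURE:
        return None
    return struct.unpack_from("<I", msg, 8)[0]

def encode_header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")  # Authorization / WWW-Authenticate form

def decode_header(value):
    return base64.b64decode(value[5:]) if value and value.startswith("NTLM ") else None

def build_type2(challenge, target="EXAMPLE"):
    """Server CHALLENGE_MESSAGE: 48-byte fixed part, then the UTF-16LE target name payload."""
    name = target.encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN
    return ntlm_message(2, struct.pack("<HHI", len(name), len(name), 48)     # TargetNameFields
                        + struct.pack("<I", flags) + challenge + bytes(8)    # flags, ServerChallenge, Reserved
                        + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)  # TargetInfoFields (empty)

class NtlmHandshake:
    """Server side of the three round trips; validator(type3_bytes, challenge) -> user name or None."""
    def __init__(self, validator):
        self.validator = validator  # assumed hook: wraps JCIFS, Jespa, Waffle or SSPI in practice
        self.pending = {}  # session id -> outstanding random challenge, single use

    def handle(self, session_id, authorization):
        """Return (HTTP status, WWW-Authenticate value or None, user name or None)."""
        msg = decode_header(authorization)
        kind = message_type(msg)
        if kind == 1:  # Type 1 received: reply with a fresh random challenge, never a constant
            challenge = os.urandom(8)
            self.pending[session_id] = challenge
            return 401, encode_header(build_type2(challenge)), None
        if kind == 3:  # Type 3 received: validate it against the challenge we actually issued
            challenge = self.pending.pop(session_id, None)
            user = self.validator(msg, challenge) if challenge else None
            return (200, None, user) if user else (401, "NTLM", None)
        return 401, "NTLM", None  # no or unknown NTLM message: (re)start the handshake
```

The ServerChallenge is readable at bytes 24..32 of the Type 2 message, which is what a real validator feeds into the NTLMv2 computation alongside the client's Type 3 response.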

Integrated Windows Authentication (NTLM) in a Java/WebLogic app?

Have a look at jcifs. Although its mechanism is deprecated (it does not support NTLMv2), it's still working in my projects. You might have to use an older version.
They recommend using Jespa, but it's not free.

There is also spnego, which has a filter too. And tomcatspnego. But I don't know how easy they are to use.

Waffle looks also interesting.

Here is another answer with some details: Authenticating against Active Directory with Java on Linux

So far I have only used jcifs, so I cannot tell you which other option is the best. Apache's HttpClient also has some capabilities; I used it, but not as SSO in a webapp.

EDIT:

I found another project: ntlm-authentication-in-java, but I have not used or tested it yet.
