在 Apache HttpClient 4.3.6 上禁用 NTLM [英] Disable NTLM on Apache HttpClient 4.3.6
问题描述
我正在尝试为支持 NTLM 和基本身份验证的服务创建一个 HttpClient.在我的情况下,NTLM 将不起作用,因为 HttpClient 所在的机器与服务位于不同的域下(感谢公司决定非常缓慢地迁移正在使用的域的名称......).然而,HttpClient 似乎仍然会尝试使用它.
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();credentialsProvider.setCredentials(AuthScope.ANY,新用户名密码凭据(用户名密码));HttpClient 客户端 = HttpClientBuilder.create().setDefaultCredentialsProvider(credentialsProvider).build();HttpGet 方法 = new HttpGet(uri);HttpResponse response = client.execute(method);<块引用>
严重:[WARN] HttpAuthenticator - NEGOTIATE 身份验证错误:未提供有效凭据(机制级别:未提供有效凭据(机制级别:找不到任何 Kerberos tgt))严重:[警告] HttpAuthenticator - NTLM 身份验证错误:凭据不能用于 NTLM 身份验证:org.apache.http.auth.UsernamePasswordCredentials
我只希望它发送 HTTP Authentication: Basic ... 标头.我已经在任何 Java HTTP 框架之外对此进行了测试(例如,使用带有手动创建的 HTTP 请求的原始 ssl 套接字),所以它似乎是一些 Java/Apache HTTP 问题,它试图做我没有要求的事情并且真的不这样做'不希望它甚至尝试做...
不过看起来 HttpClient 仍然会尝试使用它.
这是因为行为良好的客户端应该选择更安全的方案,而不是本质上不安全的 BASIC 身份验证.
这是永久禁用 NTLM(和其他非标准方案)的方法
Registryr = RegistryBuilder.create().register(AuthSchemes.BASIC, new BasicSchemeFactory()).register(AuthSchemes.DIGEST, new DigestSchemeFactory()).建造();CloseableHttpClient 客户端 = HttpClients.custom().setDefaultAuthSchemeRegistry(r).建造(); 这是如何强制 HttpClient 在每个请求的基础上选择 BASIC 而不是 NTLM
RequestConfig config = RequestConfig.custom().setTargetPreferredAuthSchemes(Arrays.asList(AuthSchemes.BASIC, AuthSchemes.NTLM)).建造();HttpGet get = new HttpGet("/");get.setConfig(config);I am trying to make a HttpClient to a service that support NTLM and Basic auth. In my case NTLM will not work, because the machine HttpClient is on is under a different domain to the service (thanks a corporate decision to very slowly migrate the name of the domain being used...). However it seems HttpClient will still try to use it anyway.
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
new UsernamePasswordCredentials(
username, password));
HttpClient client = HttpClientBuilder.create()
.setDefaultCredentialsProvider(credentialsProvider).build();
HttpGet method = new HttpGet(uri);
HttpResponse response = client.execute(method);
Severe: [WARN] HttpAuthenticator - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)) Severe: [WARN] HttpAuthenticator - NTLM authentication error: Credentials cannot be used for NTLM authentication: org.apache.http.auth.UsernamePasswordCredentials
I just want it to send the HTTP Authentication: Basic ... header. I have tested this outside any Java HTTP frameworks (e.g. using a raw ssl socket with a manually created HTTP request), so it seems to be some Java/Apache HTTP issue with it trying to do things I did not ask for and really don't want it to even try to do...
However it seems HttpClient will still try to use it anyway.
That is because well behaved clients should choose a more secure scheme over an inherently insecure BASIC auth.
This is how one can disable NTLM (and other non-standard schemes) permanently
Registry<AuthSchemeProvider> r = RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.BASIC, new BasicSchemeFactory())
.register(AuthSchemes.DIGEST, new DigestSchemeFactory())
.build();
CloseableHttpClient client = HttpClients.custom()
.setDefaultAuthSchemeRegistry(r)
.build();
This is how one can force HttpClient to choose BASIC over NTLM on a per request basis
RequestConfig config = RequestConfig.custom()
.setTargetPreferredAuthSchemes(Arrays.asList(AuthSchemes.BASIC, AuthSchemes.NTLM))
.build();
HttpGet get = new HttpGet("/");
get.setConfig(config);
这篇关于在 Apache HttpClient 4.3.6 上禁用 NTLM的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
