如何在调用任何 url 时提供 ntlm 身份验证? [英] How to provide ntlm authentication while calling any url?

问题描述

我有一个使用 ntlm(Windows 集成身份验证)进行身份验证的托管 url.我在 Windows 上使用 java 1.8

I have a hosted url which authenticates using ntlm (windows Integrated authentication). I am on windows and using java 1.8

URL url = new URL("someUrl");
HttpURLConnection con = (HttpURLConnection) url.openConnection();
// con.setInstanceFollowRedirects(false);
con.setRequestProperty("Content-Type", "application/json");
con.setRequestMethod("GET");
 int responseCode = con.getResponseCode();
            if (responseCode == HttpURLConnection.HTTP_OK) {
            // read response
            ...
            in.close();
            }else{
            System.out.println("Error while fetching reponse, recieved response code " + responseCode);
            }

以上代码一直工作到java 1.8.0_181随着后续更新开始失败，我已经用 191 和 201 进行了测试.如果向后移植到 181，代码仍然有效.我也尝试使用 Authenticator，但它没有被调用(不知道为什么)使用 java 的内部日志记录，我可以在日志中看到以下消息NegotiateAuthentication:java.io.IOException:协商支持未启动"我得到 401

The above code used to work till java 1.8.0_181 With subsequent updates it started failing, I have tested with 191 and 201. The code still works if backported to 181. I also tried using Authenticator, but it is not invoked (not sure why) With java's internal logging I could see following message in the logs "NegotiateAuthentication: java.io.IOException: Negotiate support not initiated" And I get 401

我期待任何机制来帮助 java 自行协商进行身份验证.

I am expecting any mechanism to help java negotiate on its own for authentication.

推荐答案

在 Java 发行说明中，没有任何地方提到它，但 NTLM 身份验证实现发生了变化.我已经调试了 java 代码并到达以下在 java.home/lib 中有文件 net.properties 现在提到以下

In Java release notes it is not mentioned anywhere but there is a change in NTLM authentication implementation. I have debugged the java code and arrived at following In java.home/lib there is file net.properties which now mentions following

#
# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
# can be used for the NTLM scheme, where the security credentials based on the
# currently logged in user's name and password can be obtained directly from the
# operating system, without prompting the user. This property has three possible
# values which regulate the behavior as shown below. Other unrecognized values
# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
# strongly secure authentication scheme and care should be taken before enabling
# this mechanism.
#
# Transparent authentication never used.
#jdk.http.ntlm.transparentAuth=disabled
#
# Enabled for all hosts.
#jdk.http.ntlm.transparentAuth=allHosts
#
# Enabled for hosts that are trusted in Windows Internet settings
#jdk.http.ntlm.transparentAuth=trustedHosts
#
jdk.http.ntlm.transparentAuth=disabled

直到 jdk1.8.0_181 有一个默认的 NTLM 身份验证回调，这在 NTLM 身份验证过程中很有用.

Till jdk1.8.0_181 there was a default NTLM authentication callback which was useful in NTLM authentication process.

要在 jdk1.8.0_181 以后运行上述代码，您只需要为您的 java 进程设置 jdk.http.ntlm.transparentAuth.

To run the above code with jdk1.8.0_181 onward, all you need is to set jdk.http.ntlm.transparentAuth for your java process.

或者，您可以设置 JVM 参数，例如 -Djdk.http.ntlm.transparentAuth=allHosts，或设置系统属性，例如 System.setProperty("jdk.http.ntlm.transparentAuth"、allHosts").

Alternatively, you may set a JVM argument, e.g., -Djdk.http.ntlm.transparentAuth=allHosts, or set a system property, e.g., System.setProperty("jdk.http.ntlm.transparentAuth", "allHosts").

如果您选择 trustedHosts，请确保该 URL 已添加到 Windows 受信任站点中.

If you choose trustedHosts, make sure the URL is added in windows trusted site.

您可以在静态初始化期间在这里看到这个新的系统属性:sun.net.www.protocol.http.ntlm.NTLMAuthentication.

You can see this new system property used here during static init: sun.net.www.protocol.http.ntlm.NTLMAuthentication.

此外，您可以看到这里使用的设置:public static boolean NTLMAuthentication.isTrustedSite(URL)

Further, you can see the setting is used here: public static boolean NTLMAuthentication.isTrustedSite(URL)

最后，要以编程方式控制 URL 是否可信，您可以安装回调.参见:sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback

Finally, to programmatically control if a URL is trusted, you may install a callback. See: sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback

这篇关于如何在调用任何 url 时提供 ntlm 身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！