在Apache HttpClient 4.3.6上禁用NTLM [英] Disable NTLM on Apache HttpClient 4.3.6

问题描述

我正在尝试将HttpClient创建为支持NTLM和Basic身份验证的服务。在我的情况下，NTLM将无法工作，因为HttpClient机器处于与服务不同的域下（感谢公司决定非常缓慢地迁移正在使用的域的名称......）。但是看起来HttpClient仍然会尝试使用它。

I am trying to make a HttpClient to a service that support NTLM and Basic auth. In my case NTLM will not work, because the machine HttpClient is on is under a different domain to the service (thanks a corporate decision to very slowly migrate the name of the domain being used...). However it seems HttpClient will still try to use it anyway.

CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
    new UsernamePasswordCredentials(
            username,  password));

HttpClient client = HttpClientBuilder.create()
        .setDefaultCredentialsProvider(credentialsProvider).build();
HttpGet method = new HttpGet(uri);
HttpResponse response = client.execute(method);

严重：[WARN] HttpAuthenticator - NEGOTIATE身份验证错误：无有效凭据提供（机制级别：未提供有效凭据（机制级别：无法找到任何Kerberos tgt））
严重：[WARN] HttpAuthenticator - NTLM身份验证错误：凭据不能用于NTLM身份验证：org.apache.http。 auth.UsernamePasswordCredentials

Severe: [WARN] HttpAuthenticator - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)) Severe: [WARN] HttpAuthenticator - NTLM authentication error: Credentials cannot be used for NTLM authentication: org.apache.http.auth.UsernamePasswordCredentials

我只是希望它发送HTTP 身份验证：基本... 标题。我已经在任何Java HTTP框架之外测试了这个（例如，使用带有手动创建的HTTP请求的原始ssl套接字），所以它似乎是一些Java / Apache HTTP问题，它试图做我没有要求的事情而且真的不喜欢我希望它甚至尝试做...

I just want it to send the HTTP Authentication: Basic ... header. I have tested this outside any Java HTTP frameworks (e.g. using a raw ssl socket with a manually created HTTP request), so it seems to be some Java/Apache HTTP issue with it trying to do things I did not ask for and really don't want it to even try to do...

推荐答案

然而看来HttpClient仍然会尝试无论如何都要使用它。

However it seems HttpClient will still try to use it anyway.

这是因为表现良好的客户应该选择一种比本身不安全的BASIC auth更安全的方案。

That is because well behaved clients should choose a more secure scheme over an inherently insecure BASIC auth.

这是永久禁用NTLM（和其他非标准方案）的方式

This is how one can disable NTLM (and other non-standard schemes) permanently

Registry<AuthSchemeProvider> r = RegistryBuilder.<AuthSchemeProvider>create()
        .register(AuthSchemes.BASIC, new BasicSchemeFactory())
        .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
        .build();
CloseableHttpClient client = HttpClients.custom()
        .setDefaultAuthSchemeRegistry(r)
        .build();

这是强制HttpClient基于每个请求强制选择基于NTLM的BASIC的方法

This is how one can force HttpClient to choose BASIC over NTLM on a per request basis

RequestConfig config = RequestConfig.custom()
        .setTargetPreferredAuthSchemes(Arrays.asList(AuthSchemes.BASIC, AuthSchemes.NTLM))
        .build();
HttpGet get = new HttpGet("/");
get.setConfig(config);

这篇关于在Apache HttpClient 4.3.6上禁用NTLM的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！