NTLM Authentication for Java http clients


I was working on adding NTLM authentication to the RSS aggregator macro plugin (http://confluence.atlassian.com/display/CONFEXT/RSS+aggregator+macro+plugin). In our deployment the aggregator had to fetch an RSS feed from an application hosted on IIS inside an Active Directory-integrated setup, so the HTTP request had to pass NTLM authentication.

What I found during this exercise is that when the client runs on a Windows machine joined to the same AD domain as the server hosting the protected content, JDK 1.5 and 1.6 authenticate transparently: the HTTP client answers the server's NTLM challenge with the logged-on user's credentials without any code changes. When the request comes from a client outside the domain, the username and password of an account allowed to reach the protected resource have to be supplied explicitly. For that I found the java.net.Authenticator class to be the best option, because the existing request code does not change: you register an Authenticator before making the HTTP request and return the credentials from it when the JDK asks. One caveat: Authenticator.setDefault registers the handler for the whole JVM, so every HttpURLConnection in the process that receives a 401 (or 407 proxy) challenge will consult it, and the handler should only return credentials for the host it was written for. It worked really well for me.
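As an added example (not code from the original post or from the Atlassian plugin), here is what the Authenticator approach looks like in plain JDK code. The host name, AD domain, account name and feed URL are placeholders; the password is read from an environment variable rather than being hard-coded, and the Authenticator only answers challenges from the expected host so the account is never offered to another endpoint.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;

/**
 * Fetches an NTLM-protected RSS feed with the JDK's HttpURLConnection.
 * The JDK answers the server's NTLM challenge itself; all we supply is a
 * java.net.Authenticator that hands back credentials when asked.
 */
public class NtlmFeedFetcher {

    // Hypothetical values: replace with the IIS host, AD domain and account
    // used in your own setup. The password comes from the environment so it
    // never lands in source control.
    private static final String FEED_HOST = "iis.example.corp";
    private static final String FEED_URL  = "http://" + FEED_HOST + "/feeds/rss.aspx";
    private static final String DOMAIN    = "EXAMPLE";
    private static final String USER      = "svc_rss";

    /** Registers credentials for FEED_HOST only; other hosts get no answer. */
    static void installAuthenticator(final String domain, final String user,
                                     final char[] password) {
        // setDefault is JVM-wide: every HttpURLConnection in this process that
        // receives a 401/407 challenge will call getPasswordAuthentication().
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                // Only answer server challenges (not proxies) from the expected
                // host, so the account is never offered to some other endpoint.
                if (getRequestorType() != Authenticator.RequestorType.SERVER
                        || !FEED_HOST.equalsIgnoreCase(getRequestingHost())) {
                    return null;
                }
                // The JDK's NTLM support splits "DOMAIN\user" out of the user
                // name; for Basic or Digest the bare user name is what a server
                // expects, so only prefix the domain for an NTLM challenge.
                String name = "ntlm".equalsIgnoreCase(getRequestingScheme())
                        ? domain + "\\" + user
                        : user;
                return new PasswordAuthentication(name, password.clone());
            }
        });
    }

    /** Performs the GET and returns the HTTP status; the body is printed on 200. */
    static int fetch(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept",
                "application/rss+xml, application/xml;q=0.9, */*;q=0.5");
        // getResponseCode() drives the whole 401 -> Type1 -> Type2 -> Type3
        // exchange internally before returning the final status.
        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_OK) {
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
                String line;
                while ((line = in.readLine()) != null) {
                    System.out.println(line);
                }
            }
        }
        return status;
    }

    public static void main(String[] args) throws IOException {
        String pass = System.getenv("FEED_PASS");
        if (pass == null) {
            System.err.println("set FEED_PASS to the password of " + DOMAIN + "\\" + USER);
            System.exit(2);
        }
        installAuthenticator(DOMAIN, USER, pass.toCharArray());
        int status = fetch(args.length > 0 ? args[0] : FEED_URL);
        System.out.println("HTTP " + status);
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // A 401 after the Authenticator ran means the credentials were
            // rejected, or the server only offers a scheme this JDK could not
            // negotiate (see the NTLMv1/NTLMv2 discussion in the comments).
            System.err.println("authentication failed for " + DOMAIN + "\\" + USER);
        }
    }
}
```

Run it with FEED_PASS set and, optionally, the feed URL as the first argument; a URL on a different host will get a 401 because the Authenticator deliberately returns null for anything but FEED_HOST. On a domain-joined Windows client the JDK tries the logged-on user's credentials first, which is the transparent behaviour described above, and only falls back to the Authenticator if the server refuses them.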

References

Two exhaustive descriptions of how NTLM works and how the messages interact:

http://www.innovation.ch/personal/ronald/ntlm.html
http://davenport.sourceforge.net/ntlm.html

Useful link to a working Java implementation:
http://oaklandsoftware.com/papers/ntlm.html


3 thoughts on “NTLM Authentication for Java http clients”

  1. Good info, thank you.

    I’m using a non-Windows system with Java 1.4.2 and calling an IIS URL that has NTLM authentication, but I still get a 401 every time, as if IIS doesn’t call my Authenticator.

    Any ideas? Thanks,

    Henry.

  2. I am afraid the details that I have read clearly state that the built-in NTLM Authenticator for Java only works on a Windows machine, since there is no idea of NTLM authentication on a non-Windows machine.

    I would suggest not depending on the built-in Authenticator class for Java to do the authentication transparently, but using the other options listed in this post:

    http://oaklandsoftware.com/papers/ntlm.html

    I would suggest checking out the Jakarta HttpClient at

    http://hc.apache.org/httpclient-3.x/ ; it has built-in NTLM authentication support.

  3. The problem with recommending the Jakarta HttpClient is that it only supports the original NTLM protocol, not NTLMv2. Since NTLM has significant security weaknesses, security analysis tools report NTLMv1 support on web servers as a security vulnerability. More recent web servers tend to be configured to support NTLMv2 or Kerberos only. However, it seems that Java 1.5.08 and newer versions of Java support NTLMv2 authentication on non-Windows platforms.
