1

Hello guys I'm trying to setup a proxy service on WSO2ESB to access a NTLMv2 secured WS. I created a mediator class to achieve this but not luck so far, I keep receiving 401 status

Here is the code.

Proxy Service:

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="test"
       transports="http"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target endpoint="fincasEP">
      <inSequence>
         <class name="com.aig.mediator.NTLMAuthMediator">
            <property name="port" value="remote-port"/>
            <property name="username" value="username-credential"/>
            <property name="host" value="remote-host-ip"/>
            <property name="domain" value="remot-host-domain"/>
            <property name="password" value="**********"/>
         </class>
      </inSequence>
   </target>
   <publishWSDL key="fincas-wsdl"/>
   <description/>
</proxy>

Mediator Class:

public class NTLMAuthMediator extends AbstractMediator {

private String domain;
private String host;
private String port;
private String username;
private String password;

public boolean mediate(MessageContext context) {
    org.apache.axis2.context.MessageContext axis2MsgContext;


    axis2MsgContext = ((Axis2MessageContext) context).getAxis2MessageContext();
     String authString = (String)tmp.get("Authorization");

     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
     setCredentials(auth);
     List<String> authSchemes = new ArrayList<String>();
     authSchemes.add(HttpTransportProperties.Authenticator.NTLM);
     auth.setAuthSchemes(authSchemes);
     auth.setPreemptiveAuthentication(true); // send authentication info at once
    Options options = new Options();
    options.setProperty(HTTPConstants.CHUNKED, "false");
    options.setProperty(HTTPConstants.REUSE_HTTP_CLIENT, "true");
    options.setProperty(HTTPConstants.AUTHENTICATE, auth);

    axis2MsgContext.setOptions(options);



    return true;
}

private void setCredentials(Authenticator auth) {

    boolean isDomain = this.domain != null ? true : this.domain.trim()
            .length() > 0 ? true : false;
    boolean isUsername = this.username != null ? true : this.username
            .trim().length() > 0 ? true : false;
    boolean isPassword = this.password != null ? true : this.password
            .trim().length() > 0 ? true : false;
    boolean isHost = this.host != null ? true
            : this.host.trim().length() > 0 ? true : false;
    boolean isPort = this.username != null ? true : this.username.trim()
            .length() > 0 ? true : false;

    if (!isDomain) {
        throw new RuntimeException("Domain parameter must NOT be null");
    }
    if (!isUsername) {
        throw new RuntimeException("Username parameter must NOT be null");
    }
    if (!isPassword) {
        throw new RuntimeException("Password parameter must NOT be null");
    }
    if (!isHost) {
        throw new RuntimeException("Host parameter must NOT be null");
    }
    if (!isPort) {
        throw new RuntimeException("Port parameter must NOT be null");
    }

    auth.setUsername(this.username);
    auth.setPassword(this.password);
    auth.setDomain(this.domain);
    auth.setRealm(AuthScope.ANY_REALM);
    auth.setHost(this.host);
    auth.setPort(Integer.valueOf(this.port));
    auth.setPreemptiveAuthentication(true);
}

public String getDomain() {
    return domain;
}

public void setDomain(String domain) {
    this.domain = domain;
}

public String getHost() {
    return host;
}

public void setHost(String host) {
    this.host = host;
}

public String getPort() {
    return port;
}

public void setPort(String port) {
    this.port = port;
}

public String getUsername() {
    return username;
}

public void setUsername(String username) {
    this.username = username;
}

public String getPassword() {
    return password;
}

public void setPassword(String password) {
    this.password = password;
}

}

I´m using wso2esb lastest version.

It´s really frustrating WSO2 does not provide documentation for this case... taking into consideration that NTLM is an old mechanism.

Any suggestion would be really appreciated

BTW the error is: 

401 - Unauthorized: Access is denied due to invalid credentials.
Community
  • 1
  • 1
Rafael Cadenas
  • 35
  • 1
  • 7

1 Answers1

1

The truth is that I finally could solve this issue using ESB Mule nontheless I'm going to explain how I tried to solved it using WSO2ESB and finally MULE...

I was looking at was were going on with the NTLM regarding httpclient and after serveral sites I noticed that httpclient 3.x does not support this type of mechanism and It is because the NTLMSchema it uses.

I found this git repo https://github.com/DovAmir/httpclientAuthHelper this guy did a great job writing a NTLMcuston shema class that works with httpclient 3.x, I clone this repo generate the jar etc etc, then I modified the following class

org.apache.axis2.transport.http.AbstractHTTPSender
...
...
...
protected void setAuthenticationInfo(HttpClient agent, MessageContext msgCtx, HostConfiguration config)
    throws AxisFault, UnknownHostException
  {
String localhost = InetAddress.getLocalHost().getHostName().toUpperCase();
...
...
if (domain != null) {

    creds = new NTCredentials(username, password, localhost, domain);
} else {
    creds = new UsernamePasswordCredentials(username, password);
}
    tmpHttpState.setCredentials(new AuthScope(host, port, realm), creds);
}
...

Then wrote a test case to make sure that the axis2 ServerClient actually works.. and it did. BUT... I think I don´t really understand the mechanism of PassThroughHttpSender. Aparently there is something else to do, to make it work, I don't really have the time for it and then I started thinking on something else and then I realized that we also have an ESB Mule 3.4.0 CE instance running...

I just had to modified the class 

HttpConnector
{
...
...
//    Properties added to enable NTLMv2 Auth

private String ntlmUser;
private String ntlmPassword;
private String ntlmDomain;
private String ntlmHost;
private String ntlmPort;
private boolean ntlmAuthentication;

//getters and setters

    protected HttpClient doClientConnect() throws Exception
{
    HttpState state = new HttpState();
    HttpClient client = new HttpClient();
    String localhost = InetAddress.getLocalHost().getHostName();
    //TODO setting domain as well.
    Credentials credentials;

    if (getProxyUsername() != null || getNtlmUser() != null)
    {
        if (isProxyNtlmAuthentication())
        {
            credentials = new NTCredentials(getProxyUsername(), getProxyPassword(), localhost, "");
            AuthScope authscope = new AuthScope(getProxyHostname(), getProxyPort());
            state.setProxyCredentials(authscope, credentials);
        }
        else if(isNtlmAuthentication()){
            AuthPolicy.registerAuthScheme(AuthPolicy.NTLM, CustomNTLM2Scheme.class);
            AuthScope authscope = new AuthScope(getNtlmHost(), Integer.valueOf(getNtlmPort()));
            credentials = new NTCredentials(getNtlmUser(), getNtlmPassword(), localhost, getNtlmDomain());
            state.setCredentials(authscope, credentials);
        }
        else
        {
            credentials = new UsernamePasswordCredentials(getProxyUsername(), getProxyPassword());
            AuthScope authscope = new AuthScope(getProxyHostname(), getProxyPort());
            state.setProxyCredentials(authscope, credentials);
        }

    }
    client.setState(state);
    client.setHttpConnectionManager(getClientConnectionManager());
    return client;
}

The flow for this is:

<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns:http="http://www.mulesoft.org/schema/mule/http"          xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:spring="http://www.springframework.org/schema/beans" version="CE-3.4.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern"
xsi:schemaLocation="http://www.springframework.org/schema/beans                                  http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core      http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http      http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/pattern     http://www.mulesoft.org/schema/mule/pattern/current/mule-pattern.xsd">


<http:connector name="ntlmconn"  
     doc:name="HTTP-HTTPS">
    <spring:property name="ntlmAuthentication" value="${ntlm.auth}"/>
    <spring:property name="ntlmUser" value="${ntlm.username}"/>
    <spring:property name="ntlmPassword" value="${ntlm.password}"/>
    <spring:property name="ntlmHost" value="${ntlm.host}"/>
    <spring:property name="ntlmPort" value="${ntlm.port}"/>
    <spring:property name="ntlmDomain" value="${ntlm.domain}"/>
</http:connector>


<pattern:web-service-proxy name="fincas-service"
    wsdlFile="${fincas.wsdl}">
    <http:inbound-endpoint address="http://localhost:8080/fincas" />
    <http:outbound-endpoint address="${endpoint}" connector-ref="ntlmconn"
         exchange-pattern="request-response"></http:outbound-endpoint>
</pattern:web-service-proxy>

Finally with this patch I could make it work I have my WS deployed on the ESB and since the service is up and running I can spend more time trying to find a solution for WSO2ESB.

I hope It works for you as well.

Rafael Cadenas
  • 35
  • 1
  • 7