
I am not by far an expert in different protocols over http, but I can do this with curl to one of the APIs at my workplace:

```
curl --http1.1 --ntlm -u 'user:pass' 'MY_URL'
```

This works just fine. But notice that I can specify --ntlm.

I am trying to replicate the same thing with http-jdk-client, so something like this:

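```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

// <user>, <pass>, url and sslContext() are placeholders from the question.
var client = HttpClient.newBuilder()
        .authenticator(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(<user>, <pass>.toCharArray());
            }
        })
        .sslContext(sslContext()) // an SSL Context that trusts everyone
        .version(HttpClient.Version.HTTP_1_1)
        .build();
var request = HttpRequest.newBuilder()
        .uri(URI.create(url))
        .build();
// Send the request and print the response body.
client.sendAsync(request, HttpResponse.BodyHandlers.ofString())
        .thenApply(HttpResponse::body)
        .thenAccept(System.out::println)
        .join();
```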

This fails with a 401.

On the other hand if I use the same curl, but drop the --ntlm, I get the same 401. So it really seems to me I need to somehow replicate that flag in the jdk client.

Does anyone have any hints or ideas? Thank you.

daniel
Eugene
  • Perhaps you should mention what `--ntlm` does. – Basil Bourque Sep 24 '21 at 21:02
  • @BasilBourque I am still reading myself what that does and how, so... – Eugene Sep 24 '21 at 21:16
  • The client has to support NTLM. If you’re not limited to the JDK client, [here is a solution](https://stackoverflow.com/a/67182496/839733) using Apache HTTP client. – Abhijit Sarkar Sep 24 '21 at 22:20
  • Also, finding out what NTLM does is a matter of simple Google search. https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm – Abhijit Sarkar Sep 24 '21 at 22:21
  • @AbhijitSarkar when I said "reading", it meant I was documenting myself enough. And no, a different client is not really an option. Thx, though. – Eugene Sep 24 '21 at 23:40
  • This article outlines how to provide an NTLM authenticator: https://despinapapatheodorou.medium.com/httpclient-with-ntlm-authentication-be6a995b7575 – Allen D. Ball Sep 25 '21 at 00:59
  • @AllenD.Ball that refers to the apache http client. – Eugene Sep 25 '21 at 01:05
  • The article outlines the HTTP communications you'll need to implement to authenticate. The client sends the user name to the server (format DomainName\Username). (Username) The server generates a 16-byte random number, called a Challenge or Nonce, and sends it to the client. (Challenge) The client encrypts this challenge with the hash of the user’s password and returns the result to the server. (Response) The server sends to the DC the Username, Challenge, Response. The DC validates if the authentication is successful. You can use the Apache HTTP client source for a reference. – Allen D. Ball Sep 25 '21 at 01:14
  • @AllenD.Ball it is by far not as easy after I [read this](http://davenport.sourceforge.net/ntlm.html) – Eugene Sep 26 '21 at 16:53
  • I wasn't suggesting it was easy; but, if the Apache HTTP client or some other 3rd-party solution are not options, that's the work you'll need to do. – Allen D. Ball Sep 26 '21 at 17:14
  • @AllenD.Ball indeed, I was not trying to be defensive in any manner, btw. Your input was valuable, thank you. I will end up introducing a library for this call and will slowly work into an integration with http jdk client. – Eugene Sep 26 '21 at 17:17
  • No worries -- Good luck! – Allen D. Ball Sep 26 '21 at 17:21
  • java.net.http.HttpClient doesn't support NTLM authentication. – daniel Sep 27 '21 at 13:48
  • thank you @Daniel, this puts this question to rest, for sure. – Eugene Sep 27 '21 at 14:16
  • You could try to implement NTLM on top of HttpClient by handling 401 errors manually, but NTLM also typically implies controlling the underlying TCP connection, which the `java.net.HttpClient` doesn't let you do. Though you *might* make it work - due to the fact that the connections are pooled & reused. That said NTLM over HTTP is not safe. The legacy `HttpURLConnection` still supports NTLM. – daniel Sep 28 '21 at 13:08

0 Answers
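Following the comment above that the legacy `HttpURLConnection` still supports NTLM, here is an added example (not code from the question or from any commenter) that performs the request through it, with an `Authenticator` that releases credentials only for an NTLM challenge from the expected origin server over HTTPS. The host name, URL path, class names and the `NTLM_USER` / `NTLM_PASS` environment variables are assumptions for illustration; the user name is expected in the `DOMAIN\user` form.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.nio.charset.StandardCharsets;

public class NtlmGet {
    // Assumed values for illustration: replace with the real endpoint.
    static final String EXPECTED_HOST = "api.example.internal";
    static final String URL_TEXT = "https://" + EXPECTED_HOST + "/resource";

    // Hands out credentials only when every property of the challenge matches what we expect.
    static final class ScopedNtlmAuthenticator extends Authenticator {
        private final String user;      // "DOMAIN\\user"
        private final char[] password;
        ScopedNtlmAuthenticator(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            boolean expected = getRequestorType() == RequestorType.SERVER   // not a proxy
                    && "https".equalsIgnoreCase(getRequestingProtocol())
                    && EXPECTED_HOST.equalsIgnoreCase(getRequestingHost())
                    && "ntlm".equalsIgnoreCase(getRequestingScheme());
            // Returning null means "no credentials": the 401 is surfaced to the caller.
            return expected ? new PasswordAuthentication(user, password.clone()) : null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Credentials come from the environment (assumed variable names), not from source.
        String user = System.getenv("NTLM_USER");
        String pass = System.getenv("NTLM_PASS");
        if (user == null || pass == null) throw new IllegalStateException("set NTLM_USER and NTLM_PASS");
        HttpURLConnection conn = (HttpURLConnection) URI.create(URL_TEXT).toURL().openConnection();
        conn.setAuthenticator(new ScopedNtlmAuthenticator(user, pass.toCharArray())); // Java 9+
        // Default TLS validation is left in place: no trust-all SSLContext.
        int status = conn.getResponseCode();
        System.out.println("HTTP " + status);
        if (status != HttpURLConnection.HTTP_OK) return; // e.g. 401 when credentials were withheld
        try (InputStream in = conn.getInputStream()) {
            System.out.println(new String(in.readAllBytes(), StandardCharsets.UTF_8));
        }
    }
}
```

Using the per-connection `setAuthenticator` rather than `Authenticator.setDefault` keeps the credentials from being offered on unrelated connections in the same JVM.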