2

I am writing a Java 1.5+ client that needs to fetch data from an IIS-hosted web service. I created a new web service client in Eclipse and used the Java Proxy client type and Apache Axis2 web service runtime when generating the client proxy. The web service itself runs on Windows 2003 and security is set to use only Windows Integrated Authentication. I have found many articles online that show how to connect successfully from a Java client to this IIS service, but everything I have seen seems to require that I put the username and password in my Java client code somewhere.

My Java client will run on a Windows machine that is on the same Active Directory network that the IIS service is on (i.e. the account I log in with each day can access the service). I want my Java client to run in the context of the logged-in user without me needing to put in my login credentials in the code. Here is my current code, which works, yet requires me to put a user name and password in the code:

final NTCredentials nt = new NTCredentials("my_username", "my_password", "", "my_domain");
        final CredentialsProvider myCredentialsProvider = new CredentialsProvider() {
            public Credentials getCredentials(final AuthScheme scheme, final String host, int port, boolean proxy) throws CredentialsNotAvailableException {
                return nt; 
            }
        };

        DefaultHttpParams.getDefaultParams().setParameter("http.authentication.credential-provider", myCredentialsProvider);

But I really don't want to have to put the username and password in the code--I want it to run using the credentials of the logged-in Windows user that is running the Java client.

What code should I use so it will connect with the logged-in user's credentials without needing to specify the user name and password? Is this possible?

Shawn
  • 8,374
  • 5
  • 37
  • 60
  • Shawn - Axis2 does not (I believe) include the HTTP client code directly. It's been a while since I've used Axis, but at that point it required Apache httpclient 3. Can you confirm that you're using Axis2 along with HTTPClient 3? – Edward Thomson May 11 '11 at 17:35
  • I haven't done anything specific to see or use HTTPClient3. What I did was 1) Right click the project and create a new web service client: a. Right click – New – Other – Web Services – Web Service Client b. Click Next c. Point to the web service WSDL d. Set the Meter to the lowest level (Develop client) e. Click the configuration link for the web service runtime – select Apache Axis2 f. Finish 2) Use the proxy classes that were generated to consume the service – Shawn May 19 '11 at 22:02

2 Answers2

2

It's been a few years since I've used Axis - then, Axis depended on Apache commons httpclient 3. From reading some mailing lists, it looks like this is still the case. (If not, the last paragraph should provide some welcome relief.)

Apache commons httpclient 3 has no support for "Integrated Windows Authentication" over HTTP (aka the Negotiate authentication mechanism with Kerberos, aka "SPNEGO".) In fact, it doesn't support NTLMv2, only NTLMv1, which means that you'll not be able to authenticate to many IIS servers that require NTLMv2 without modifications.

Although admittedly a heavy-handed solution, I think that your best bet would be to create a new AuthScheme that calls the Windows SSPI libraries to do authentication. Unfortunately, you'll need to use JNI to do this. Fortunately, AuthScheme is prepared to do a session-based challenge-response authentication pattern (SPNEGO is similar in that regard to NTLM, which is already supported.) Basically, you'll base64 encode the input and output byte buffers to the native InitializeSecurityContext call. It's tedious to write, I admit, but I can confirm that it does let you perform Integrated Windows Authentication to an IIS server.

(Unfortunately, if you need your client to be cross-platform, you'll also need to write the necessary GSSAPI code on Unix.)

Another option is to write a new AuthScheme that uses Java's Kerberos libraries (JAAS). I don't know much about these, to be honest, because it requires separate configuration from your system kerberos libraries. Ie, on Windows you'll have to write some kerberos configuration files that point to your Active Directory server. Which, in my opinion, doesn't really sound all that "integrated". If you're distributing your software to customers and they expect it to "just work", this may not work out for you. Plus, although JAAS has been around for a while, I believe that early versions lacked some authentication mechanisms that were required to talk to Active Directory, so I think you'll require a Java 6 runtime.

Now, if I'm mistaken and you can use Axis2 with the new Apache http-components httpclient 4, then you're in much better shape. httpclient 4 supports SPNEGO using Java's Kerberos libraries, which means that once you don't have to write your own AuthScheme, you just need to configure your C:\WINDOWS\KRB5.INI and you should be able to take advantage of Integrated Windows Authentication. However, to avoid that manual step of having to configure JAAS, you'll still need to call the native SSPI methods.

Edward Thomson
  • 74,857
  • 14
  • 158
  • 187
-2

The functionality that you are describing is not a feature of the OS, but of Internet Explorer. You should probably gain a better understanding of how "Windows Authentication" really works (aka NLTM HTTP Authentication). JCIFS is removing the ServletFilter that provides this functionality to servlet containers. However, their basic description of how NTLM HTTP Authentication works is helpful.

Once you understand the way the authentication works, you might be able to implement some sort of Axis plugin to provide the functionality.

jt.
  • 7,625
  • 4
  • 27
  • 24