Apache Http Client 4.5 Authentication Exception when Integrating to ServiceNow - apache

Am trying to connect to my service-now instance using Apache Client 4.5 via a proxy server. Unfortunately the connection is failing with the below exception.
HTTP/1.1 401 Unauthorized
{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}
I can understand that this is because of authentication exception, but i did seem to have provide the credential as shown below.
Code Snippet :
public void getRequestWithProxy() throws ClientProtocolException, IOException
{
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
new AuthScope("proxy.xxxx.com", 0000),
new UsernamePasswordCredentials("proxyuser", "proxypassword"));
credsProvider.setCredentials(
new AuthScope("instance.service-now.com", 443),
new UsernamePasswordCredentials("username", "password"));
CloseableHttpClient httpclient = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider).build();
try {
HttpHost target = new HttpHost("instance.service-now.com", 443, "https");
HttpHost proxy = new HttpHost("proxy.xxxx.com", 0000);
RequestConfig config = RequestConfig.custom()
.setProxy(proxy)
.build();
HttpGet httpget = new HttpGet("/api/now/table/incident");
httpget.setConfig(config);
System.out.println("Executing request " + httpget.getRequestLine() + " to " + target + " via " + proxy);
CloseableHttpResponse response = httpclient.execute(target, httpget);
try {
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
System.out.println(EntityUtils.toString(response.getEntity()));
} finally {
response.close();
}
} finally {
httpclient.close();
}
}
I assume that i have access to the URL am accessing, because the same URL "https://instance.service-now.com/api/now/table/incident" when tried in browser works fine using SSO (Single Sing On).
Please help me with what am missing.
Thanks in advance for your help in this.
Thank you.

You stated it was a URL. new AuthScope should be a hostname and not a URL.

Related

Msgraph Calls only via IIS timing out

I wrote an API to call MSGraph to retrieve user informations over https://graph.microsoft.com/v1.0/users?$count=true&$search= and deliver it to my .Net5.0 webapp.
so far everything was working good til I tried to publish the API and run it on my IIS.
From my IIS it only runs into a timeout: "detail": "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (graph.microsoft.com:443)",
I tried to call MSGraph from the same server which works without any problems over postman also in my development environment.
Authentication for my API is done via the azure portal app-registration with client id and client secret.
like this:
[HttpGet]
[Route("TokenRequest")]
public string MSGraphTokenRequest()
{
var client = new RestClient("https://login.microsoftonline.com/350a94cb-4159-4140-b29d-1d98051105d5/oauth2/v2.0/token");
var request = new RestRequest(Method.POST);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("application/x-www-form-urlencoded", "grant_type="+grant_type+"&client_id="+client_id+"&client_secret="+client_secret+"&scope="+scope, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
return JsonConvert.DeserializeObject<Token>(response.Content).access_token;
}
and requesting the information:
[HttpGet]
[Route("GetUserTest")]
public IActionResult GetUserTest(string userPrincipalName)
{
var client = new RestClient("https://graph.microsoft.com/v1.0/users?$count=true&$search=\"userPrincipalName:" + userPrincipalName + "\"");
client.Timeout = -1;
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer " + MSGraphTokenRequest());
request.AddHeader("ConsistencyLevel", "eventual");
IRestResponse response = client.ExecuteAsync(request).Result;
if (((int)response.StatusCode) != 200)
{
return Problem(response.ErrorMessage);
}
else
{
return Json(response.Content);
}
}
Maybe somebody could guide me in the right direction I have no further ideas how to solve this.
Thanks in advance.
So my guess is that the IIS-Server is sending it requests with higher port numbers and these requests were intercepted by our company firewall which of course I asked my dev-ops beforehand, if with this could be a firewall related problem...
So the solution to the problem was to add a firewall rule for graph.microsoft.com.

The request was aborted: Could not create SSL/TLS secure channel. (RestSharp, SSL Client Certificates)

I have following code which is calling an API using basic authentication and SSL client certificate but its throwing exception and giving me following error.
"The request was aborted: Could not create SSL/TLS secure channel."
I tried to find a solution on Google but failed to find any solution. Can anyone help me out on this. Thanks.
// Variables
string basicAuthenticationUserName = "username";
string basicAuthenticationPassword = "password";
string clientCertificateFilePath = "Path-To-Certificate-File";
string clientCertificatePassword = "certificate-password";
string url = "https://" + basicAuthenticationUserName + ":" + basicAuthenticationPassword + "#apiserverurl/apimethod";
// Creating RestSharp Request Object
var request = new RestRequest(Method.POST)
{
RequestFormat = DataFormat.Json,
OnBeforeDeserialization = resp =>
{
resp.ContentType = "application/json";
}
};
// Adding Headers
request.AddHeader("Content-Length", "0");
request.AddHeader("Accept", "application/x-null-message");
// Importing Certificates
var certificates = new X509Certificate();
certificates.Import(clientCertificateFilePath, clientCertificatePassword, X509KeyStorageFlags.PersistKeySet);
// Creating RestSharp Client Object
var client = new RestClient
{
BaseUrl = new Uri(url),
ClientCertificates = new X509CertificateCollection { certificates },
Authenticator = new HttpBasicAuthenticator(managingLou, basicAuthenticationPassword)
};
// Executing Request
var response = client.Execute<T>(request);
I have faced the similar issue. Let me mention the steps here for your help.
After the installation of windows service, I went through the following steps to fix the issue:
Go To Start > Run and type Services.msc
Select your service > Right click and choose Properties
Select the 2nd tab "Log On"
Select the radio button "This account"
Enter the username and password of currently log in user. (Make sure Its the same user who has installed the service)
Apply the changes
Start the service

Apache CXF soap client using jCIFS SSL + NTLM authentication JDK 5

I am trying to authenticate against a SOAP webservice using NTLM authentication as mentioned at Apache CXF with stack as following -
jcifs-1.3.17.jar
cxf-2.7.11
NTLM + SSL
JDK 5 (I possibly cannot change this)
Every time I try and connect it refuses with 401 unauthorized access because it uses my underlying NT credentials which are not authorised instead of valid ones that I configured in code. (I had to modify jCIFS as it doesnt support SSL + NTLM to return HTTPs version of NtlmHttpURLConnection). Similar result when used HTTP Async mechanism.
String domainController = "xxx.xxx.xxx";
UniAddress dc = UniAddress.getByName(domainController, true);
jcifs.Config.setProperty("http.auth.ntlm.domain", "xxx.xxx.xxx");
jcifs.Config.setProperty("jcifs.smb.client.domain", "domain");
jcifs.Config.setProperty("jcifs.netbios.wins", dc.getHostAddress());
jcifs.Config.setProperty("jcifs.smb.client.soTimeout", "300000"); // 5 minutes
jcifs.Config.setProperty("jcifs.netbios.cachePolicy", "1200"); // 20 minutes
jcifs.Config.setProperty("jcifs.smb.client.username", USER);
jcifs.Config.setProperty("jcifs.smb.client.password", PWD);
//Register the jcifs URL handler to enable NTLM
jcifs.Config.registerSmbURLHandler();
HelloWorld src = new HelloWorld();
ClientProxyFactoryBean factory = new ClientProxyFactoryBean(new JaxWsClientFactoryBean());
factory.setServiceClass( IHelloWorld.class );
factory.setAddress(SERVICE_URL);
factory.setUsername(USER);
factory.setPassword(PWD);
IHelloWorld service = (IHelloWorld ) factory.create();
Client client = ClientProxy.getClient(service);
HTTPConduit http = (HTTPConduit) client.getConduit();
System.out.println(http.getClass().getName());
//org.apache.cxf.transport.http.URLConnectionHTTPConduit
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(false);
http.setClient(httpClientPolicy);
http.getAuthorization().setAuthorizationType("NTLM");
http.getAuthorization().setUserName(USER);
http.getAuthorization().setPassword(PWD);
http.getClient().setAllowChunking( false );
http.getClient().setAutoRedirect( true );
TLSClientParameters tcp = new TLSClientParameters();
tcp.setTrustManagers( new TrustManager[]{ new TrustAllX509TrustManager() } );
http.setTlsClientParameters( tcp );
System.out.println("Invoking service...");
String msg= "echo";
try {
String res = service.readMessage(msg);
System.out.println("readMessage.result=" + res);
} catch (Exception e) {
e.printStackTrace();
}
Upong running this code I get following exception trace
: domain\ is unauthorized user at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown
Source) at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown
Source) at java.lang.reflect.Constructor.newInstance(Unknown Source)
at
org.apache.cxf.interceptor.ClientFaultConverter.processFaultDetail(ClientFaultConverter.java:175)
at
org.apache.cxf.interceptor.ClientFaultConverter.handleMessage(ClientFaultConverter.java:78)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at
org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:845)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1624)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
at
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:632)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479) at
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382) at
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335) at
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.frontend.ClientProxy.invoke(ClientProxy.java:81)
at com.sun.proxy.$Proxy44.readMessage(Unknown Source)
CXF 2.7.x does not support JDK 5. From the CXF FAQ:
Can CXF run with JDK 1.5?
Yes for CXF 2.6.x and older. Keep in mind though that Java 2 SE 5.0
with JDK 1.5 has reached end of life (EOL). CXF 2.7.x no longer
supports Java 5. In order to upgrade to 2.7.x, you must be using Java
6 (or newer).
After hours of struggle trying to juggle between JDK 5 stack and other SOAP framework like Axis2 and CXF, I finally manged to do with a raw SOAP client that can pretty much do the job I neeed. Following is code that helped get it done even with custom NT logins than underlying ones.
public final class JCIFSEngine implements NTLMEngine {
private static final int TYPE_1_FLAGS = NtlmFlags.NTLMSSP_NEGOTIATE_56
| NtlmFlags.NTLMSSP_NEGOTIATE_128
| NtlmFlags.NTLMSSP_NEGOTIATE_NTLM2
| NtlmFlags.NTLMSSP_NEGOTIATE_ALWAYS_SIGN
| NtlmFlags.NTLMSSP_REQUEST_TARGET;
public String generateType1Msg(final String domain, final String workstation)
throws NTLMEngineException {
final Type1Message type1Message = new Type1Message(TYPE_1_FLAGS,
domain, workstation);
return Base64.encode(type1Message.toByteArray());
}
public String generateType3Msg(final String username,
final String password, final String domain,
final String workstation, final String challenge)
throws NTLMEngineException {
Type2Message type2Message;
try {
type2Message = new Type2Message(Base64.decode(challenge));
} catch (final IOException exception) {
throw new NTLMEngineException("Invalid NTLM type 2 message",
exception);
}
final int type2Flags = type2Message.getFlags();
final int type3Flags = type2Flags
& (0xffffffff ^ (NtlmFlags.NTLMSSP_TARGET_TYPE_DOMAIN | NtlmFlags.NTLMSSP_TARGET_TYPE_SERVER));
final Type3Message type3Message = new Type3Message(type2Message,
password, domain, username, workstation, type3Flags);
return Base64.encode(type3Message.toByteArray());
}
}
public class JCIFSNTLMSchemeFactory implements AuthSchemeProvider {
public AuthScheme create(final HttpContext context) {
return new NTLMScheme(new JCIFSEngine());
}
}
The use HttpClient object to register custom NTLM Engine and Auth scheme registry -
protected Registry<AuthSchemeProvider> getAuthRegistry() {
Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
.<AuthSchemeProvider> create()
.register(AuthSchemes.NTLM, new JCIFSNTLMSchemeFactory())
.build();
return authSchemeRegistry;
}
protected CredentialsProvider getCredentialsProvider(String user,
String pass, String domain) {
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST,
AuthScope.ANY_PORT, AuthScope.ANY_REALM, AuthSchemes.NTLM),
new NTCredentials(user, pass, null, domain));
return credsProvider;
}
HttpClientBuilder httpClientBuilder = HttpClients.custom();
httpClientBuilder.setDefaultAuthSchemeRegistry(getAuthRegistry());
httpClientBuilder
.setDefaultCredentialsProvider(getCredentialsProvider(
config.getUserName(), config.getPassword(),
config.getDomain()));
if (config.isProxy()) {
HttpHost proxy = new HttpHost(config.getProxyHost(),
config.getPort());
httpClientBuilder.setProxy(proxy);
}
httpClientBuilder.build();
Hope this helps someone with similar issue. Cheers

HttpClient 4.2.3 using both SSL encryption and NTLM authentication fails

I am trying to use a REST call to Sharepoint 2010 via HTTPClient 4.2.3 from a Liferay 6.1 portlet.
I have imported the cert into my local MAC's JVM cacerts and am trying to load the cacerts as the keystore.
My code is:
String opsCalendarURL1 = "https://hostname/sites/team-sites/operations/_vti_bin/owssvr.dll?";
String opsCalendarURL2 = "Cmd=Display&List={6E460908-D470-4F8A-AF76-CC279E25E0B1}&XMLDATA=TRUE";
String opsCalenderURLEncoded = opsCalendarURL1 + URLEncoder.encode( opsCalendarURL2 , "UTF8" );
System.out.println(opsCalenderURLEncoded);
DefaultHttpClient httpclient = new DefaultHttpClient();
try {
// SSL
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream instream = new FileInputStream(new File("/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts"));
try {
trustStore.load(instream, "changeit".toCharArray());
} finally {
try { instream.close(); } catch (Exception ignore) {}
}
SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
Scheme sch = new Scheme("https", 443, socketFactory);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
System.out.println("----------------------------------------");
HttpHost targetHost = new HttpHost("hostname", 443, "https");
httpclient.getCredentialsProvider().setCredentials(
AuthScope.ANY,
new NTCredentials("username", "password","machine","domain"));
HttpGet httpget = new HttpGet(opsCalenderURLEncoded);
System.out.println("executing request: " + httpget.getRequestLine());
System.out.println("to target: " + targetHost);
HttpResponse response2 = httpclient.execute(targetHost, httpget);
HttpEntity entity = response2.getEntity();
System.out.println("----------------------------------------");
System.out.println(response2.getStatusLine());
System.out.println(response2.getProtocolVersion());
if (entity != null) {
System.out.println("Response content length: " + entity.getContentLength());
}
EntityUtils.consume(entity);
} finally {
httpclient.getConnectionManager().shutdown();
}
The response I always get back is:
HTTP/1.1 401 Unauthorized
I don't see an SSL handshake in the wire logs and get a 401 unauthorized response. I have tried various combinations of the sample codes with same results.
Note - that I've used FireFox and CURL to do the same thing I'm trying to do here programmatically, and it works fine. So the server appears to be set up correctly. The CURL verbose log show the SSL handshake happening first and the NTLM succeeds as the next step.
I can attach the wire logs if needed.
Thanks a lot for your time!
I appreciate any help and pointers.
The issue seems to be with IIS 7.5 and HTTPClient using NTLM v2 and Windows 2008 R2.
I switched to Java HTTPURLConnection and it works pretty well.
Post with some detail on another issue with the same code here

C2DM server side ClientLogin with java problem

I'm trying to implement the server side of C2DM. I have registered my application with Google via the signup process and received an email confirmation, so my user/pwd should be good. The first step is to retrieve the auth token via the ClientLogin. When I run the code, I get a response code 403 / Forbidden. Anyone have any ideas?
log.info("Obtaining the Google C2DM Client Login token.");
// Make POST request
HttpResponse res = null;
try {
DefaultHttpClient client = new DefaultHttpClient();
URI uri = new URI("https://www.google.com/accounts/ClientLogin");
List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("accountType", "HOSTED_OR_GOOGLE"));
params.add(new BasicNameValuePair("Email", "MY_ACCOUNT#gmail.com"));
params.add(new BasicNameValuePair("Password", "MY_PWD"));
params.add(new BasicNameValuePair("service", "ac2dm"));
params.add(new BasicNameValuePair("source", "MY_APP-V0.1"));
HttpPost post = new HttpPost(uri);
UrlEncodedFormEntity entity = new UrlEncodedFormEntity(params, "UTF-8");
post.setEntity(entity);
res = client.execute(post);
} catch (Exception e) {
log.error("Error obtaining the Google C2DM Client Login token.", e);
}
log.debug("response="+res);
if (res != null) {
log.debug("Response status code = "+res.getStatusLine().getStatusCode());
log.debug("Response status = "+res.getStatusLine().getReasonPhrase());
}
My problem was pointed out to me here:
http://blog.boxedice.com/2010/10/07/android-push-notifications-tutorial/
The "Password" parameter name should actually be "Passwd".
Thanks to Dannon for the answer.