How to make NTLM authentication in Apache Nutch work? - authentication

The web crawler Apache Nutch comes with a built-in support for NTLM. I'm trying to use version 1.7 to crawl a web site (Windows Sharepoint) using NTLM authentication. I have setup Nutch according to https://wiki.apache.org/nutch/HttpAuthenticationSchemes which means in particular that I have credentials
<credentials username="rickert" password="mypassword">
<authscope host="server-to-be-crawled.com" port="80" realm="CORP" scheme="NTLM"/>
</credentials>
configured. When I look at the log files I can see that Nutch tries to access the seed URL and goes through "normal" NTLM cycle: obtain an 401 error during the first GET, extract the NTLM challenge and send the NTLM authentication in the next GET (using a keep-alive connection). However, the second GET is not successful either.
That's the point when I was suspecting some fundamental problems with my credentials or the specific setup: I'm running Nutch in a Debian guest Virtual Box on a Windows host. But to my surprise both wget and curl were able to retrieve the document from within the Debian guest using my credentials. The interesting thing is that both command line tools ONLY require a username and a password to work. The full fledge NTLM specification, on the other hand, also requires a host and a domain. According to the specs the host is the one that the request originates from which I would interpret as the one that the http-agent is running on, the domain in the Windows domain that the username is associated with. My assumption is that both tools simply leave this details empty.
This is where the configuration of Nutch comes in: the host is allegedly supplied as http.agent.hostin the configuration file. The domain is supposed to be configured as the realm of the credential but the documentation rather says that this a convention and not really necessary. However, it does not matter whether I set a realm or not the result is the same. Again looking at the log file I can see some messages that the authentication is resolved using <any_realm>#server-to-be-crawled.com no matter which realm I use.
My gut feeling is that there is some wrong mapping of the Nutch configuration values onto the NTLM parameters required by the Java class httpclientthat executing the GET. I'm helpless. Can anybody give me some hints as to how to further debug this? Does anybody have a concrete config that works for a SharePoint Server? Thanks!

This is an old thread but it seems to be a common problem and I finally found a solution.
In my case the issue was that the content source that I was trying to crawl was hosted on a fairly up to date IIS server. Inspection of the headers indicated that it was using NTLMv1, but after reading that the Apache Commons HttpClient v3.x only supports NTLMv1 and not NTLMv2 I went looking for a way to add that support to nutch v1.15 without upgrading to the newer HttpComponents version of HttpClient.
The clue is in the documentation for the newer HC version of HttpClient
So, using this approach with JCIFS I managed to modify the nutch protocol-httpclient Http class so that it used my new JCIFS based NTLM scheme for authentication. Steps to do this:
Create new JCIFS based NTLMScheme
In Http.configureClient, register the use of the new scheme
Add JCIFS to the nutch protocol-httpclient plugin classpath
Job done, I was able to then crawl NTLMv2 protected websites.
By also adding lots of extra logging I could then see the authentication handshake details which showed it was in fact NTLMv2 being used.
The change in Http.configureClient looks like this:
/** Configures the HTTP client */
private void configureClient() {
LOG.info("Setting new NTLM scheme: " + JcifsNtlmScheme.class.getName());
AuthPolicy.registerAuthScheme(AuthPolicy.NTLM, JcifsNtlmScheme.class);
...
}
The new NTLM scheme implementation looks like this (needs a bit of tidying up).
public class JcifsNtlmScheme implements AuthScheme {
public static final Logger LOG = LoggerFactory.getLogger(JcifsNtlmScheme.class);
/** NTLM challenge string. */
private String ntlmchallenge = null;
private static final int UNINITIATED = 0;
private static final int INITIATED = 1;
private static final int TYPE1_MSG_GENERATED = 2;
private static final int TYPE2_MSG_RECEIVED = 3;
private static final int TYPE3_MSG_GENERATED = 4;
private static final int FAILED = Integer.MAX_VALUE;
/** Authentication process state */
private int state;
public JcifsNtlmScheme() throws AuthenticationException {
// Check if JCIFS is present. If not present, do not proceed.
try {
Class.forName("jcifs.ntlmssp.NtlmMessage", false, this.getClass().getClassLoader());
LOG.trace("jcifs.ntlmssp.NtlmMessage is present");
} catch (ClassNotFoundException e) {
throw new AuthenticationException("Unable to proceed as JCIFS library is not found.");
}
}
public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException {
LOG.trace("authenticate called. State: " + this.state);
if (this.state == UNINITIATED) {
throw new IllegalStateException("NTLM authentication process has not been initiated");
}
NTCredentials ntcredentials = null;
try {
ntcredentials = (NTCredentials) credentials;
} catch (ClassCastException e) {
throw new InvalidCredentialsException(
"Credentials cannot be used for NTLM authentication: " + credentials.getClass().getName());
}
NTLM ntlm = new NTLM();
String charset = method.getParams().getCredentialCharset();
LOG.trace("Setting credential charset to: " + charset);
ntlm.setCredentialCharset(charset);
String response = null;
if (this.state == INITIATED || this.state == FAILED) {
LOG.trace("Generating TYPE1 message");
response = ntlm.generateType1Msg(ntcredentials.getHost(), ntcredentials.getDomain());
this.state = TYPE1_MSG_GENERATED;
} else {
LOG.trace("Generating TYPE3 message");
response = ntlm.generateType3Msg(ntcredentials.getUserName(), ntcredentials.getPassword(),
ntcredentials.getHost(), ntcredentials.getDomain(), this.ntlmchallenge);
this.state = TYPE3_MSG_GENERATED;
}
String result = "NTLM " + response;
return result;
}
public String authenticate(Credentials credentials, String method, String uri) throws AuthenticationException {
throw new RuntimeException("Not implemented as it is deprecated anyway in Httpclient 3.x");
}
public String getID() {
throw new RuntimeException("Not implemented as it is deprecated anyway in Httpclient 3.x");
}
/**
* Returns the authentication parameter with the given name, if available.
*
*
* There are no valid parameters for NTLM authentication so this method always
* returns null.
*
*
* #param name The name of the parameter to be returned
*
* #return the parameter with the given name
*/
public String getParameter(String name) {
if (name == null) {
throw new IllegalArgumentException("Parameter name may not be null");
}
return null;
}
/**
* The concept of an authentication realm is not supported by the NTLM
* authentication scheme. Always returns null.
*
* #return null
*/
public String getRealm() {
return null;
}
/**
* Returns textual designation of the NTLM authentication scheme.
*
* #return ntlm
*/
public String getSchemeName() {
return "ntlm";
}
/**
* Tests if the NTLM authentication process has been completed.
*
* #return true if Basic authorization has been processed,
* false otherwise.
*
* #since 3.0
*/
public boolean isComplete() {
boolean result = this.state == TYPE3_MSG_GENERATED || this.state == FAILED;
LOG.trace("isComplete? " + result);
return result;
}
/**
* Returns true. NTLM authentication scheme is connection based.
*
* #return true.
*
* #since 3.0
*/
public boolean isConnectionBased() {
return true;
}
/**
* Processes the NTLM challenge.
*
* #param challenge the challenge string
*
* #throws MalformedChallengeException is thrown if the authentication challenge
* is malformed
*
* #since 3.0
*/
public void processChallenge(final String challenge) throws MalformedChallengeException {
String s = AuthChallengeParser.extractScheme(challenge);
LOG.trace("processChallenge called. challenge: " + challenge + " scheme: " + s);
if (!s.equalsIgnoreCase(getSchemeName())) {
LOG.trace("Invalid scheme name in challenge. Should be: " + getSchemeName());
throw new MalformedChallengeException("Invalid NTLM challenge: " + challenge);
}
int i = challenge.indexOf(' ');
if (i != -1) {
LOG.trace("processChallenge: TYPE2 message received");
s = challenge.substring(i, challenge.length());
this.ntlmchallenge = s.trim();
this.state = TYPE2_MSG_RECEIVED;
} else {
this.ntlmchallenge = "";
if (this.state == UNINITIATED) {
this.state = INITIATED;
LOG.trace("State was UNINITIATED, switching to INITIATED");
} else {
LOG.trace("State is FAILED");
this.state = FAILED;
}
}
}
private class NTLM {
/** Character encoding */
public static final String DEFAULT_CHARSET = "ASCII";
/**
* The character was used by 3.x's NTLM to encode the username and password.
* Apparently, this is not needed in when passing username, password from
* NTCredentials to the JCIFS library
*/
private String credentialCharset = DEFAULT_CHARSET;
void setCredentialCharset(String credentialCharset) {
this.credentialCharset = credentialCharset;
}
private String generateType1Msg(String host, String domain) {
jcifs.ntlmssp.Type1Message t1m = new jcifs.ntlmssp.Type1Message(
jcifs.ntlmssp.Type1Message.getDefaultFlags(), domain, host);
String result = jcifs.util.Base64.encode(t1m.toByteArray());
LOG.trace("generateType1Msg: " + result);
return result;
}
private String generateType3Msg(String username, String password, String host, String domain,
String challenge) {
jcifs.ntlmssp.Type2Message t2m;
try {
t2m = new jcifs.ntlmssp.Type2Message(jcifs.util.Base64.decode(challenge));
} catch (IOException e) {
throw new RuntimeException("Invalid Type2 message", e);
}
jcifs.ntlmssp.Type3Message t3m = new jcifs.ntlmssp.Type3Message(t2m, password, domain, username, host, 0);
String result = jcifs.util.Base64.encode(t3m.toByteArray());
LOG.trace("generateType3Msg username: [" + username + "] host: [" + host + "] domain: [" + domain
+ "] response: [" + result + "]");
return result;
}
}
}

Related

Eclipse Scout authentication failure - No UserAgent set on calling context

I am using Eclipse Scout 22 and I connect my Scout application to a REST server using a modified credential verifier for user authentication. I just discovered that if I try to login using any other username apart from admin, login fails, and I get the following message on the Eclipse IDE console
No UserAgent set on calling context; include default in service-request
2023-01-28 18:17:45,280 WARN [qtp1624820151-19] org.eclipse.scout.rt.shared.servicetunnel.AbstractServiceTunnel.interceptRequest(AbstractServiceTunnel.java:84) - No UserAgent set on calling context; include default in service-request - MDC[]
Here is my credential verifier
package org.eclipse.scout.apps.ygapp.shared.security;
public class RestCredentialVerifier implements ICredentialVerifier {
private static final Logger LOG = LoggerFactory.getLogger(RestCredentialVerifier.class);
#Override
public int verify(String username, char[] passwordPlainText) throws IOException {
LOG.debug("Method \"verify\" in RestCredentialVerifier. User " + username);
// Test for missing username or password
if (StringUtility.isNullOrEmpty(username) || passwordPlainText == null
|| passwordPlainText.length == 0) {
throw new VetoException(TEXTS.get("MissingUsernameOrPassword"));
}
// Test for non-conforming password
// Password MUST have between 8 to 20 characters with a minimum of one uppercase, one lowercase,
// one number, one special character and without spaces
if ((passwordPlainText.length < 8) || (passwordPlainText.length > 20)) {
throw new VetoException(TEXTS.get("ThePasswordMustHaveBetween820Characters"));
}
Subject subject = new Subject();
subject.getPrincipals().add(new SimplePrincipal("system"));
subject.setReadOnly();
RunContext runContext = RunContexts.empty().withLocale(Locale.getDefault()); // OK
// RunContext runContext = RunContexts.copyCurrent(true).withSubject(subject); // Fails
Map<String, String> result = runContext.call(new Callable<Map<String, String>>() {
#Override
public Map<String, String> call() throws Exception {
return BEANS.get(IRestAuthenticationService.class).verify(username, passwordPlainText));
}
});
LOG.debug("Leaving method \"verify\" in RestCredentialVerifier. User " + username);
if (result.containsKey("message")
&& result.get("message").equals(TEXTS.get("YouAreNowConnectedToTheServer"))) {
return AUTH_OK;
} else {
return AUTH_FAILED;
}
}
}
Thanks a lot for your kind assistance.
Cheers,
JDaniel

Netty: How to implement a telnet client handler which needs authentication

This is my first time ask question through this platform. I am sorry. I am not good in English. I will try my best to let you understand my questions.
I am totally beginner in Netty. I would like to implement a program to send commands to a telnet server and receive response message. I modified the sample telnet program to connect and get response from the serve when there is no authentication of serve.
The question is that
When the authentication processes are setup in server. (Require login name and password)
How to implement the client side program?
How can I receive the serve login request and response it?
Should I implement another handler to handle the authentication?
below shows how i send the commands to the server
EventLoopGroup group = new NioEventLoopGroup();
try {
Bootstrap b = new Bootstrap();
b.group(group)
.channel(NioSocketChannel.class)
.handler(new TelnetClientInitializer(sslCtx));
// Start the connection attempt.
ChannelFuture lastWriteFuture = null;
lastWriteFuture = b.connect(HOST, PORT).sync();
Channel ch = lastWriteFuture.channel();
lastWriteFuture = ch.writeAndFlush("ls" + "\r\n", ch.newPromise());
lastWriteFuture = ch.writeAndFlush("status" + "\r\n");
lastWriteFuture = ch.writeAndFlush("ls" + "\r\n");
lastWriteFuture = ch.writeAndFlush("exit" + "\r\n");
// Wait until the connection is closed.
lastWriteFuture.channel().closeFuture().sync();
} finally {
// Shut down the event loop to terminate all threads.
group.shutdownGracefully();
}
but what should i do before send the above commands to login into the serve?
The following picture shows what i want to do in the program
Thank you very much!!!
If we talk about TELNET as a protocol you should know that Telnet client from Netty examples does not support TELNET protocol. His name is just confusing and you can't connect to any standard telnet servers. You can read more about TELNET protocol here - THE TELNET PROTOCOL .
I see 2 ways:
write your implementation for TELNET on Netty
use another implementation for examples Apache Commons Net
Example for the first way - modified netty client, i tested him on Linux servers. He has several dirty hacks like a timer but he works.
Example for the second - Java – Writing An Automated Telnet Client:
import org.apache.commons.net.telnet.*;
import java.io.InputStream;
import java.io.PrintStream;
public class AutomatedTelnetClient {
private TelnetClient telnet = new TelnetClient();
private InputStream in;
private PrintStream out;
private String prompt = "~>";
public AutomatedTelnetClient(String server) {
try {
// Connect to the specified server
telnet.connect(server, 8023);
TerminalTypeOptionHandler ttopt = new TerminalTypeOptionHandler("VT100", false, false, true, false);
EchoOptionHandler echoopt = new EchoOptionHandler(true, false, true, false);
SuppressGAOptionHandler gaopt = new SuppressGAOptionHandler(true, true, true, true);
try {
telnet.addOptionHandler(ttopt);
telnet.addOptionHandler(echoopt);
telnet.addOptionHandler(gaopt);
} catch (InvalidTelnetOptionException e) {
System.err.println("Error registering option handlers: " + e.getMessage());
}
// Get input and output stream references
in = telnet.getInputStream();
out = new PrintStream(telnet.getOutputStream());
} catch (Exception e) {
e.printStackTrace();
}
}
// public void su(String password) {
// try {
// write(“su”);
// readUntil(“Password: “);
// write(password);
// prompt = “#”;
// readUntil(prompt + ” “);
// } catch (Exception e) {
// e.printStackTrace();
// }
// }
public String readUntil(String pattern) {
try {
char lastChar = pattern.charAt(pattern.length() - 1);
StringBuffer sb = new StringBuffer();
boolean found = false;
char ch = (char) in.read();
while (true) {
System.out.print(ch);
sb.append(ch);
if (ch == lastChar) {
if (sb.toString().endsWith(pattern)) {
return sb.toString();
}
}
ch = (char) in.read();
}
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
public void write(String value) {
try {
out.println(value);
out.flush();
System.out.println(value);
} catch (Exception e) {
e.printStackTrace();
}
}
public String sendCommand(String command) {
try {
write(command);
return readUntil(prompt + " ");
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
public void disconnect() {
try {
telnet.disconnect();
} catch (Exception e) {
e.printStackTrace();
}
}
public static void main(String[] args) {
String user = "test";
String password = "test";
AutomatedTelnetClient telnet = new AutomatedTelnetClient("localhost");
// Log the user on
telnet.readUntil("login:");
telnet.write(user);
telnet.readUntil("Password:");
telnet.write(password);
// Advance to a prompt
telnet.readUntil(telnet.prompt + " ");
telnet.sendCommand("ps -ef");
telnet.sendCommand("ls");
telnet.sendCommand("w");
telnet.disconnect();
}
}
Telnet has no real concept of a password packet, a password prompt is just like any normal text output. This means that you can just send the username and password when connection as separate lines, and the telnet server will use them correctly.
ch.writeAndFlush("administrator" + "\r\n");
ch.writeAndFlush("LetMeIn4!!" + "\r\n");
If you require connecting to server that don't always require the password, then you should read the output from the server, check if it contains "username", send the username, then keep reading if it contains "password" and send the password. This is prone to breaking as servers are not required to send those strings, and legit output may also contain those. This is the downside of the telnet protocol.
I hope this my article is helpful to someone.
Netty | Implement Telnet Automated Authentication
I had to use Telnet to control the sub-equipment while developing the space ground station software. Except for the authentication, Telnet is quite similar to regular TCP server communication. So, I implemented a Handler that automatically handles Telnet authentication to communicate with the Telnet server. When connecting to the Telnet server, the following introductory message, “Username: “, “Passwrod: “ messages are displayed in sequence, and user authentication is requested. Handler automatically handles the authentication process as if a human would input account information. Below is a brief description of the implementation.
c:\> telnet 192.168.0.1 12345
Power On Self Test (POST) Passed.
Integrated Control Unit (ICU) Build xxx (Build:xxxxxx) - Feb 7 2022, 17:57:16 (Network/TCP)
Date and Time: 2022-02-16 20:01:19 (GMT)
MAC Address : [00:xx:xx:xx:C6:8F]
Username: User
Password: 1234
>
Handler
TelnetAuthenticator Handler simply works as follows.
If the message contains the string “Username: “, send the username.
If the message contains the string “Password: “, the password is sent.
If the message contains the string “>” waiting for input, delete the authentication handler from the Pipeline. After authentication, TelnetAuthenticator Handler is unnecessary.
If the account is not registered on the Telnet server or the password does not match, the string “Username: “ or “Password: “ is repeatedly received. The authentication failure error is unrecoverable, notifying the user of a failed authentication process and forcing them to disconnect.
#Slf4j
#RequiredArgsConstructor
public class TelnetAuthenticator extends SimpleChannelInboundHandler<String> {
private final ChannelSpec channelSpec;
private boolean alreadyUserTried = false;
private boolean alreadyPasswordTried = false;
#Override
protected void channelRead0(ChannelHandlerContext ctx, String msg) {
// If the message contains the string “Username: “, send the username.
if (msg.contains(channelSpec.getReqUserTag())) {
if (alreadyUserTried) {
processFail(ctx);
}
ctx.channel().writeAndFlush(channelSpec.getAccount().getUser() + channelSpec.getEndLine());
alreadyUserTried = true;
return;
}
// If the message contains the string “Password: “, the password is sent.
if (msg.contains(channelSpec.getReqPasswordTag())) {
if (alreadyPasswordTried) {
processFail(ctx);
}
ctx.channel().writeAndFlush(channelSpec.getAccount().getPassword() + channelSpec.getEndLine());
alreadyPasswordTried = true;
return;
}
// If the incoming message contains an input waiting message, the Pipeline deletes the current handler.
if (msg.contains(channelSpec.getStandByTag())) {
ctx.pipeline().remove(this.getClass());
}
}
private void processFail(ChannelHandlerContext ctx) {
ctx.fireUserEventTriggered(ErrorMessage.AUTHENTICATE_FAIL);
ctx.close();
}
}
Initialize ChannelPipeline
A ChannelPipeline configuration with a TelnetAuthenticator Handler can be: First, register InboundHandlers as follows.
First, add DelimiterBasedFrameDecoder with “Username: “, “Password: “, “>” strings as delimiters. The stripDelimiter option is set to false because all delimiters must be received to recognize the authentication process.
Add StringDecoder.
Add the implemented TelnetAuthenticator Handler.
Add other necessary business logic.
Simply add StringEncoder to Outbound. You can add other Handlers as needed.
public class PipelineInitializer extends ChannelInitializer<SocketChannel> {
private ChannelSpec channelSpec;
public void init(ChannelSpec channelSpec) {
this.channelSpec = channelSpec;
}
#Override
protected void initChannel(SocketChannel ch) throws Exception {
ch.pipeline()
// Inbound
.addLast(new DelimiterBasedFrameDecoder(1024, false,
channelSpec.getDelimiter().reqUserTag(),
channelSpec.getDelimiter().reqPasswordTag(),
channelSpec.getDelimiter().standByTag()))
.addLast(new StringDecoder())
.addLast(new TelnetAuthenticator(channelSpec))
.addLast(new BusinessLogic())
// Outbound
.addLast(new StringEncoder());
}
}
ChannelSpec
ChannelSpec defines specifications required for communication with Telnet server. Manage server IP, port, account information, separator, etc.
#Getter
public class ChannelSpec {
private final String serverIp = "192.168.0.1";
private final int serverPort = 12345;
private final String endLine = "\r\n";
private final String standByTag = ">";
private final String reqUserTag = "Username: ";
private final String reqPasswordTag = "Password: ";
private final Account account = new Account("User", "1234");
private final Delimiter delimiter = new Delimiter();
public class Delimiter {
public ByteBuf standByTag() {
return toByteBuf(standByTag);
}
public ByteBuf reqUserTag() {
return toByteBuf(reqUserTag);
}
public ByteBuf reqPasswordTag() {
return toByteBuf(reqPasswordTag);
}
private ByteBuf toByteBuf(String input) {
ByteBuf delimiterBuf = Unpooled.buffer();
delimiterBuf.writeCharSequence(input, StandardCharsets.UTF_8);
return delimiterBuf;
}
}
}
#RequiredArgsConstructor
#Getter
public class Account {
private final String user;
private final String password;
}

Apache CXF | JAX RS LoggingOutInterceptor - Access HttpServletRequest object

Folks,
I'm using Apache CXF (JAX-RS)'s LoggingInInterceptor and LoggingOutInterceptor to log the request and response objects to my web service and also to log the response time.
For this, I have extended both these classes and done relevant configuration in the appropriate XML files. Doing this, I was able to log the request and response object.
However, I also want to log the request URL in both these interceptors. I was able to get the HttpServletRequest object (Inside the LoggingInInterceptor) using the following:
HttpServletRequest request = (HttpServletRequest)message.get(AbstractHTTPDestination.HTTP_REQUEST);
Then, from the request object I was able to get the request URL (REST URL in my case). I was however, not able to get the request object in the LoggingOutInterceptor using this code (or by any other means).
Here is a summary of the issue:
I need to access the reqeuest URI inside the LoggingOutInterceptor (using HttpServletRequest object perhaps?).
Would appreciate any help on this.
Update: Adding the interceptor code.
public class StorefrontRestInboundInterceptor extends LoggingInInterceptor {
/**
* constructor.
*/
public StorefrontRestInboundInterceptor() {
super();
}
#Override
public void handleMessage(final Message message) throws Fault {
HttpServletRequest httpRequest = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
if (isLoggingRequired()) {
String requestUrl = (String) message.getExchange().get("requestUrl");
Date requestTime = timeService.getCurrentTime();
LOG.info("Performance Monitor started for session id:" + customerSession.getGuid());
LOG.info(httpRequest.getRequestURI() + " Start time for SessionID " + customerSession.getGuid() + ": "
+ requestTime.toString());
}
try {
InputStream inputStream = message.getContent(InputStream.class);
CachedOutputStream outputStream = new CachedOutputStream();
IOUtils.copy(inputStream, outputStream);
outputStream.flush();
message.setContent(InputStream.class, outputStream.getInputStream());
LOG.info("Request object for " + httpRequest.getRequestURI() + " :" + outputStream.getInputStream());
inputStream.close();
outputStream.close();
} catch (Exception ex) {
LOG.info("Error occured reading the input stream for " + httpRequest.getRequestURI());
}
}
public class StorefrontRestOutboundInterceptor extends LoggingOutInterceptor {
/**
* logger implementation.
*/
protected static final Logger LOG = Logger.getLogger(StorefrontRestOutboundInterceptor.class);
/**
* constructor.
*/
public StorefrontRestOutboundInterceptor() {
super(Phase.PRE_STREAM);
}
#Override
public void handleMessage(final Message message) throws Fault {
if (isLoggingRequired()) {
LOG.info(requestUrl + " End time for SessionID " + customerGuid + ": " + (timeService.getCurrentTime().getTime() - requestTime)
+ " milliseconds taken.");
LOG.info("Performance Monitor ends for session id:" + customerGuid);
}
OutputStream out = message.getContent(OutputStream.class);
final CacheAndWriteOutputStream newOut = new CacheAndWriteOutputStream(out);
message.setContent(OutputStream.class, newOut);
newOut.registerCallback(new LoggingCallback(requestUrl));
}
public class LoggingCallback implements CachedOutputStreamCallback {
private final String requestUrl;
/**
*
* #param requestUrl requestUrl.
*/
public LoggingCallback(final String requestUrl) {
this.requestUrl = requestUrl;
}
/**
* #param cos CachedOutputStream.
*/
public void onFlush(final CachedOutputStream cos) { //NOPMD
}
/**
* #param cos CachedOutputStream.
*/
public void onClose(final CachedOutputStream cos) {
try {
StringBuilder builder = new StringBuilder();
cos.writeCacheTo(builder, limit);
LOG.info("Request object for " + requestUrl + " :" + builder.toString());
} catch (Exception e) {
LOG.info("Error occured writing the response object for " + requestUrl);
}
}
}
Update:Since you are in Out chain you may need to get the In message from where you can get the request URI since the Request URI may null for out going response message.
You may try like this to get the Incoming message:
Message incoming = message.getExchange().getInMessage();
Then I think you should be able to get the Request URI using:
String requestURI = (String) incoming.get(Message.REQUEST_URI);
or
String endpointURI = (String) incoming.get(Message.ENDPOINT_ADDRESS);
If this is still not working, try to run the interceptor in PRE_STREAM phase like Phase.PRE_STREAM in your constructor.
You can also try to get the message from Interceptor Chain like this:
PhaseInterceptorChain chain = message.getInterceptorChain();
Message currentMessage = chain.getCurrentMessage();
HttpServletRequest req = (HttpServletRequest) currentMessage.get("HTTP.REQUEST");

Basic Auth to Receive Token in Spring Security

I am implementing a RESTful API where the user must authenticate. I want the user to POST their credentials in order to receive a JSON web token (JWT), which is then used for the remainder of the session. I have not found any good sources of information to set this up. In particular, I'm having trouble with the filter. Does anybody have any information or tutorials to help me set this up?
The people at Stormpath have quite a straightforward solution for achieving Oauth. Please take a look at Using Stormpath for API Authentication.
As a summary, your solution will look like this:
You will use the Stormpath Java SDK to easily delegate all your user-management needs.
When the user presses the login button, your front end will send the credentials securely to your backend-end through its REST API.
By the way, you can also completely delegate the login/register/logout functionality to the Servlet Plugin. Stormpath also supports Google, Facebook, LinkedIn and Github login.
Your backend will then try to authenticate the user against the Stormpath Backend and will return an access token as a result:
/**
* Authenticates via username (or email) and password and returns a new access token using the Account's ApiKey
*/
public String getAccessToken(String usernameOrEmail, String password) {
ApiKey apiKey = null;
try {
AuthenticationRequest request = new UsernamePasswordRequest(usernameOrEmail, password);
AuthenticationResult result = application.authenticateAccount(request);
Account account = result.getAccount();
ApiKeyList apiKeys = account.getApiKeys();
for (ApiKey ak : apiKeys) {
apiKey = ak;
break;
}
if (apiKey == null) {
//this account does not yet have an apiKey
apiKey = account.createApiKey();
}
} catch (ResourceException exception) {
System.out.println("Authentication Error: " + exception.getMessage());
throw exception;
}
return getAccessToken(apiKey);
}
private String getAccessToken(ApiKey apiKey) {
HttpRequest request = createOauthAuthenticationRequest(apiKey);
AccessTokenResult accessTokenResult = (AccessTokenResult) application.authenticateApiRequest(request);
return accessTokenResult.getTokenResponse().getAccessToken();
}
private HttpRequest createOauthAuthenticationRequest(ApiKey apiKey) {
try {
String credentials = apiKey.getId() + ":" + apiKey.getSecret();
Map<String, String[]> headers = new LinkedHashMap<String, String[]>();
headers.put("Accept", new String[]{"application/json"});
headers.put("Content-Type", new String[]{"application/x-www-form-urlencoded"});
headers.put("Authorization", new String[]{"Basic " + Base64.encodeBase64String(credentials.getBytes("UTF-8"))});
Map<String, String[]> parameters = new LinkedHashMap<String, String[]>();
parameters.put("grant_type", new String[]{"client_credentials"});
HttpRequest request = HttpRequests.method(HttpMethod.POST)
.headers(headers)
.parameters(parameters)
.build();
return request;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
Then, for every authenticated request, your backend will do:
/** This is your protected API */
public void sayHello(String accessToken) throws OauthAuthenticationException {
try {
if (verify(accessToken)) {
doStartEngines(); //Here you will actually call your internal doStartEngines() operation
}
} catch (OauthAuthenticationException e) {
System.out.print("[Server-side] Engines not started. accessToken could not be verified: " + e.getMessage());
throw e;
}
}
private boolean verify(String accessToken) throws OauthAuthenticationException {
HttpRequest request = createRequestForOauth2AuthenticatedOperation(accessToken);
OauthAuthenticationResult result = application.authenticateOauthRequest(request).execute();
System.out.println(result.getAccount().getEmail() + " was successfully verified");
return true;
}
private HttpRequest createRequestForOauth2AuthenticatedOperation(String token) {
try {
Map<String, String[]> headers = new LinkedHashMap<String, String[]>();
headers.put("Accept", new String[]{"application/json"});
headers.put("Authorization", new String[]{"Bearer " + token});
HttpRequest request = HttpRequests.method(HttpMethod.GET)
.headers(headers)
.build();
return request;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
All this will not need any special Spring Security configuration, this is plain Java code that you can run in any framework.
Please take a look here for more information.
Hope that helps!
Disclaimer, I am an active Stormpath contributor.
Here's a working sample code from Spring Security OAuth github.
https://github.com/spring-projects/spring-security-oauth/tree/master/tests/annotation/jwt
You probably don't even need to mess with the filters as shown in the above example. If you've custom needs, please post some sample code.

Interaction with Lotus Connections

I need to get the data from some lotus connection site, for example user's status, from the other site. I try to setup a connection with lotus via java, e.g.
> server = "https://" + path + param + "&format=full";
> URL profiles_url = new URL(server);
> // Open the URL: throws exception if not found
> HttpURLConnection profiles_conn = HttpURLConnection)profiles_url.openConnection();
> profiles_conn.connect();
> // Process the Atom feed in the response content
> readResponse(profiles_url.openStream(),args[0]);
But I always get the Response: HTTP/1.1 401 Unauthorized
Please give me any suggestions?
I solved the authentication issue this way:
protected void doView(RenderRequest rRequest, RenderResponse rResponse) throws PortletException, IOException, UnavailableException {
try {
rResponse.setContentType("text/html");
URL url = new URL(
"https://xxx/activities/service/atom2/todos");
URLConnection con = url.openConnection();
con.setConnectTimeout(150000);
con.setReadTimeout(150000);
writeCookies(con, rRequest);
DO_SOMETHING (con.getInputStream());
} catch (Exception ex) {
ex.printStackTrace();
}
}
private String doesLTPATokenCookieExists(RenderRequest request) {
Cookie[] cookie = request.getCookies();
for (int i = 0; i < cookie.length; i++) {
System.out.println("Cookie Name " + cookie[i].getName());
if (cookie[i].getName().equals("LtpaToken"))
return cookie[i].getValue();
}
return null;
}
public URLConnection writeCookies(URLConnection urlConn,
RenderRequest request) {
String cookieString = "";
cookieString += "LtpaToken" + "=" + doesLTPATokenCookieExists(request) + "; ";
urlConn.setRequestProperty("Cookie", cookieString);
return urlConn;
}
You don't mention how you're authenticating, which is crucial. As the 401 error implies, Connections isn't treating your request as being authenticated. You need a valid Authenticator instance in there, but your code snippet suggests you haven't got that going, correct?
(As an aside, the Apache Abdera project is recommended when working with the Lotus Connections API).