
List:       axis-user
Subject:    Re: AW: NTLM authentication failed (password with non-latin
From:       Muller Pierre <pierre.muller () gfi ! fr>
Date:       2011-06-29 12:17:39
Message-ID: 4E0B17E3.5070800 () gfi ! fr

Thanks Martin.
Actually I had a look at the HTTPClient trace: there was this warning "Credential charset not configured, using HTTP element charset". Thus I tried your conf directive and other directives too:

    stub._getServiceClient().getOptions().setProperty(HTTPConstants.CHAR_SET_ENCODING, new String("utf-16"));
    stub._getServiceClient().getOptions().setProperty("CHARACTER_SET_ENCODING", new String("utf-16"));
    DefaultHttpParams.getDefaultParams().setParameter("http.protocol.credential-charset", new String("utf-16"));

Only the last one makes the warning disappear, which is good.
But I tried several charsets (utf-16, utf-8, iso-8859-1, cp1252), with and without U+00E9 ("myPasswordWithLetter_é" or "myPasswordWithLetter_\u00e9"): no success, I always get the same 401.1 error!!



Regards,
Pierre Muller

On 28/06/2011 17:15, Martin Gainty wrote:
options.setProperty("CHARACTER_SET_ENCODING", new String("UTF-16"));
when configuring the text part, instead of typing displayable ASCII character é try U+00E9

http://en.wikipedia.org/wiki/ASCII#Unicode
Martin Gainty
______________________________________________
Legal and confidentiality notice

This message is confidential. If you are not the intended recipient, we kindly ask that you let us know. Any unauthorized forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.



________________________________
From: pierre.muller@gfi.fr
To: java-user@axis.apache.org
Date: Tue, 28 Jun 2011 06:21:40 -0700
Subject: Re: AW: NTLM authentication failed (password with non-latin characters)

Thanks for the answer.
Actually I don't know how axis2 manages its stored-hashes. I can't say what happens to the "é" because I pass the password to HttpTransportProperties.Authenticator and I see it again in TCPMonitor as an NTLM hashed string, in which I can't say how "é" has been used.

> What is the tool used to generate and store the passwords?
> What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded -Unicode-string?

I pass the password-string to HttpTransportProperties.Authenticator, I don't use any other tool. The password-string is a standard Java String object, which means (in my understanding of the javadoc <http://download.oracle.com/javase/1.5.0/docs/api/java/lang/String.html>) represented in UTF-16 and which libraries like axis2 should probably handle to take care of encoding issues.

Authenticating in a browser with the "é" works correctly (while accessing the WSDL). Authenticating in Outlook also works correctly with this password. The 401 error only occurs with the axis2 client application...


Any idea ?



Regards,
Pierre Muller

On 27/06/2011 17:36, Stadelmann Josef wrote:

Somewhere there is a password database which has stored password-hashes or the like.

Let's refer to it as stored-hashes.

If the way hashes are generated from passwords, then transferred, then stored by some tool differs from the way hashes are generated, transferred and used toward the hasher by axis2 et al., for example by passing in one or the other direction an Iso-Latin-to-UTF-8 converter in the latter case, then the chance is really great that we will never reach a match on the hashes.

So what happens to the "é" in sequence? How is it sent from client to server, as UTF-8 or as ISO-LATIN-1? TCP Monitor on a non-hashed transfer can tell you that.

What is the tool used to generate and store the passwords?

What does it in fact pass to the hashing algorithm? 1. A UTF-8-encoded strings or 2. A ISO-LATIN-encode-strings or 3. A double-byte-encoded -Unicode-string?

As the password generator is potentially a Microsoft one, I would suggest the "hasher" receives a double-byte-encoded-UNICODE-strings for an "é"

BUT

The axis2-web-service receives potentially a "double-byte-encoded-UTF-8-string" for a single "é" and without converting these 2 bytes to UNICODE prior to passing it to the hasher the hasher will generate something different than what is stored in the password-database and the match fails and results in UNAUTHENTICATED.

Josef





From: Muller Pierre [mailto:pierre.muller@gfi.fr]
Sent: Monday, 27 June 2011 15:03
To: java-user@axis.apache.org
Subject: NTLM authentication failed (password with non-latin characters)



Hello,

I'm working on a web application consuming web services with Axis2. Client classes are generated from a WSDL file with the XMLBeans method. The web services require NTLM authentication, which I set up in my application.

Everything's fine, the application works as expected (able to authenticate, able to use services). Except in one case: when the NTLM password contains accents, e.g. "myPasswordWithLetter_é". Does someone know about this, is this a filed bug for Axis2 (I couldn't find anything on it so far)? Are there any solutions to bypass it?

Thanks
Pierre



More detailed information:

1. The services requested are Exchange Web Service ones. Again, it's working fine for passwords without accents.

2. My authentication code is:

    URL endpoint = new URL(...);
    HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
    authenticator.setAuthSchemes(Arrays.asList(HttpTransportProperties.Authenticator.NTLM));
    authenticator.setUsername("user");
    authenticator.setPassword("myPasswordWithLetter_é");
    authenticator.setHost(endpoint.getHost());
    authenticator.setPort(endpoint.getPort() != -1 ? endpoint.getPort()
                        : endpoint.getProtocol().equalsIgnoreCase("https") ? 443 : 80);
    authenticator.setDomain(conf.getAgendaHttpAuthDomain());
    stub._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, authenticator);

3. The password is showing healthy in Java, no encoding problem.

4. TCPMonitor shows similar behaviours with or without accents in the password: 3 POST requests, only the last differing between the expected SOAP response or the "HTTP 401.1 Unauthorized" seen below:

Application request 1:

POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Host: vm-iodasxch:8989
Transfer-Encoding: chunked

322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .


Server response 1:

HTTP/1.1 401 Unauthorized
Content-Length: 1897
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT


Application request 2:

POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAABAAAABlIAAAgACAApAAAACQAJACAAABMT0NBTE \
                hPU1RJT0RBU1hDSA==
Host: localhost:8989

322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope  ..


Server response 2:

HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAGAoECgB4YkR3A1OQAAAAAAAA \
AAM4AzgBAAAAABQLODgAAAA9JT0RBU1hDSAIAEABJAE8ARABBAFMAWABDAEgAAQAWAFY \
ATQAtAEkATwBEAEEAUwBYAEMASAAEACgAaQBvAGQAYQBzAHgAYwBoAC4AZwBmAGkALgBw \
AHIAaQB2AGEAdABlAAMAQAB2AG0ALQBpAG8AZABhAHMAeABjAGgALgBpAG8AZABhAHMAeAB \
jAGgALgBnAGYAaQAuAHAAcgBpAHYAYQB0AGUABQAoAGkAbwBkAGEAcwB4AGMAaAAuAGcAZg \
                BpAC4AcAByAGkAdgBhAHQAZQAAAAAA
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT


Application request 3:

POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/FindItem"
User-Agent: Axis2
Transfer-Encoding: chunked
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA \
BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU \
                1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I=
Host: localhost:8989

322
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope .


Server response 3:

HTTP/1.1 401 Unauthorized
Content-Length: 1776
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2011 10:05:06 GMT




--

Regards,

Pierre Muller

This email message and any attachments ("the email") are confidential and intended only for the recipient(s) indicated. If you are not an intended recipient, please be advised that any use, dissemination, forwarding or copying of this email whatsoever is prohibited without prior written consent. If you have received this email in error, please delete it without saving a copy and notify the sender immediately. Internet emails are not necessarily secured, and GFI Informatique Group declines responsibility for any changes that may have been made to this email after it was sent. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system.



BpAC4AcAByAGkAdgBhAHQAZQAAAAAA</tt><br> <tt>X-Powered-By: ASP.NET</tt><br>
<tt>Date: Mon, 27 Jun 2011 10:05:06 GMT</tt></span></p>
</td>
</tr>
<tr>
<td style="padding: 1.5pt;" valign="top">
<p class="ecxMsoNormal"><tt><span style="font-size: 10pt;">POST /EWS/Exchange.asmx \
HTTP/1.1</span></tt><span style="font-size: 10pt;"><br> <tt>Content-Type: text/xml; \
charset=UTF-8</tt><br> <tt>SOAPAction: <a moz-do-not-send="true" \
href="http://schemas.microsoft.com/exchange/services/2006/messages/FindItem" \
target="_blank"> &quot;http://schemas.microsoft.com/exchange/services/2006/messages/FindItem&quot;</a></tt><br>
 <tt>User-Agent: Axis2</tt><br>
<tt>Transfer-Encoding: chunked</tt><br>
<tt>Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAAAAAAbgAAAAgACABAAAAA \
BQAFAEgAAAAJAAkATQAAAAAAAAuAAAABlIAAElPREFTWENIVEVTVDFMT0NBTEhPU \
1QbF84penGv2i5dPWJzY1FKXnOm/wIvn0I=</tt><br> <tt>Host: localhost:8989</tt><br>
<br>
<tt>322</tt><br>
<tt>&lt;?xml version='1.0' encoding='UTF-8'?&gt;&lt;soapenv:Envelope \
.</tt></span></p> </td>
<td style="padding: 1.5pt;" valign="top">
<p class="ecxMsoNormal" style="margin-bottom:
                        12pt;"><tt><span style="font-size: 10pt;">HTTP/1.1 401 \
Unauthorized</span></tt><span style="font-size: 10pt;"><br> <tt>Content-Length: \
1776</tt><br> <tt>Content-Type: text/html</tt><br>
<tt>Server: Microsoft-IIS/6.0</tt><br>
<tt>WWW-Authenticate: Negotiate</tt><br>
<tt>WWW-Authenticate: NTLM</tt><br>
<tt>X-Powered-By: ASP.NET</tt><br>
<tt>Date: Mon, 27 Jun 2011 10:05:06 GMT</tt></span></p>
</td>
</tr>
</tbody>
</table>
<p class="ecxMsoNormal" style="margin-left: 35.4pt;"><br>
<br>
</p>
<pre style="margin-left: 35.4pt;">-- </pre>
<pre style="margin-left: 35.4pt;">Regards,</pre>
<pre style="margin-left: 35.4pt;">Pierre Muller</pre>
<p class="ecxMsoNormal" style="margin-left: 35.4pt;"><br>
<span style="font-size: 7.5pt; font-family:
                  'Arial','sans-serif'; color: gray;">This email message and \
any attachments (&quot;the email&quot;) are confidential and intended only for the \
recipient(s) indicated. If you are not an intended recipient, please be advised that \
any use, dissemination, forwarding or copying of this email whatsoever is prohibited  \
without prior written consent. If you have received this email in error, please \
delete it without saving a copy and notify the sender immediately. Internet emails \
are not necessarily secured, and GFI Informatique Group declines responsibility for \
any changes  that may have been made to this email after it was sent. While we take \
all reasonable precautions to ensure that viruses are not transmitted via emails, we \
recommend that you take your own measures to prevent viruses from entering your \
computer system.</span></p> </div>
</blockquote>
<br>
</div> </div>
</blockquote>
<br>
</body>
</html>
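Added example (not part of the original thread, and not Axis2 or HttpClient code): a Python parser for the Type 3 token carried by the third POST of a trace like the one above, reporting whether the client sent an NT response and whether its strings are Unicode or OEM-encoded. The sample tokens, the names in them and the `oem_charset` default are constructed assumptions.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE
NEGOTIATE_OEM = 0x00000002      # strings use the client's OEM code page

def _buf(msg, pos):
    """Return the bytes referenced by the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_type3(token, oem_charset="cp1252"):
    """Parse the base64 token of an 'Authorization: NTLM <token>' Type 3 message.
    oem_charset is an assumption; set it to the client's real OEM code page."""
    msg = base64.b64decode("".join(token.split()), validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or msg[8:12] != b"\x03\x00\x00\x00":
        raise ValueError("not an NTLM Type 3 (authenticate) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else oem_charset
    return {
        "lm_response_len": len(_buf(msg, 12)),
        "nt_response_len": len(_buf(msg, 20)),  # 0 means only the LM response was sent
        "domain": _buf(msg, 28).decode(enc),
        "user": _buf(msg, 36).decode(enc),
        "workstation": _buf(msg, 44).decode(enc),
        "unicode": bool(flags & NEGOTIATE_UNICODE),
    }

def build_sample(domain, user, host, lm, nt, flags, oem_charset="cp1252"):
    """Build a constructed Type 3 token for the demo; every value is made up."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else oem_charset
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for part in (lm, nt, domain.encode(enc), user.encode(enc), host.encode(enc), b""):
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    return base64.b64encode(header + struct.pack("<I", flags) + payload).decode()

# Constructed samples: an LM-only OEM client and a Unicode client sending both responses.
OEM_ONLY = build_sample("EXAMPLE", "alice", "WKSTN01", b"\x11" * 24, b"", NEGOTIATE_OEM)
UNICODE = build_sample("EXAMPLE", "andré", "WKSTN01", b"\x11" * 24, b"\x22" * 24,
                       NEGOTIATE_UNICODE)

if __name__ == "__main__":
    for name, token in (("oem-only", OEM_ONLY), ("unicode", UNICODE)):
        print(name, parse_type3(token))
```

A zero `nt_response_len` together with `unicode: False` means the server can only check the LM response, which is derived from the upper-cased password in a single-byte code page, so that is where a non-ASCII character's encoding matters.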


