Scenario: I want to access a protected resource on a remote machine. There are several ways to do this.
1. If the credentials of the currently logged-on user can be used to access the remote protected resource, there is no need to add user/password information explicitly: Java URLConnection can do this for me automatically.
Apache HttpClient is a great tool for executing HTTP requests and adding authentication, but it does not support authenticating automatically with the currently logged-on user's credentials. So sometimes we have to use Java URLConnection instead of the Apache HttpClient library.
Please refer to: http://httpcomponents.10934.n7.nabble.com/Authenticate-Proxy-using-currently-logged-on-domain-user-s-credentials-td11338.html
2. Use Authenticator.setDefault
Authenticator.setDefault(new Authenticator() {
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication(username, password.toCharArray());
    }
});
This sets the default Authenticator, which is called whenever authentication is required for any URLConnection.
This works for Basic authentication.
If you want to log in with a domain user/password (NTLM, Windows integrated authentication), just return:
return new PasswordAuthentication(domain + "\\" + userName, password.toCharArray());
The problem in Java is that Authenticator.setDefault() sets up one authenticator for all HttpURLConnections; there is no setAuthenticator method on URLConnection.
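Because the default Authenticator answers every challenge the JVM sees, a practical mitigation is to make it refuse challenges that do not come from the intended host. The class below is an added example (not from the original post); the host name, domain and credentials are constructed placeholders.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Locale;

/**
 * Added example: a default Authenticator that only releases credentials to the
 * server it was configured for, instead of answering every 401/407 in the JVM.
 * (Java 9+ also offers HttpURLConnection.setAuthenticator() for per-connection scope.)
 */
public final class ScopedAuthenticator extends Authenticator {
    private final String allowedHost;   // constructed, e.g. "intranet.example.com"
    private final String domain;        // null for plain Basic, "CORP" for the NTLM domain\user form
    private final String userName;
    private final char[] password;

    public ScopedAuthenticator(String allowedHost, String domain, String userName, char[] password) {
        this.allowedHost = allowedHost.toLowerCase(Locale.ROOT);
        this.domain = domain;
        this.userName = userName;
        this.password = password.clone();
    }

    /** Decides whether a given challenge may see the credentials. */
    boolean permits(RequestorType type, String host, String scheme, boolean https) {
        if (type != RequestorType.SERVER) return false;                 // never hand them to a proxy
        if (host == null || !host.toLowerCase(Locale.ROOT).equals(allowedHost)) return false;
        if ("basic".equalsIgnoreCase(scheme) && !https) return false;  // Basic is reversible: TLS only
        return true;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        boolean https = "https".equalsIgnoreCase(getRequestingProtocol());
        if (!permits(getRequestorType(), getRequestingHost(), getRequestingScheme(), https)) {
            return null;   // no credentials: the JVM surfaces the 401 to the caller instead
        }
        String user = (domain == null) ? userName : domain + "\\" + userName;  // NTLM form from the post
        return new PasswordAuthentication(user, password.clone());
    }

    public static void main(String[] args) {
        // Constructed values; in practice load them from a credential store, not from source.
        Authenticator.setDefault(
            new ScopedAuthenticator("intranet.example.com", "CORP", "alice", "s3cret".toCharArray()));
        // From here on, HttpURLConnection to intranet.example.com over HTTPS authenticates;
        // challenges from any other host, or from a proxy, get no credentials.
    }
}
```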
3. Sending Basic authentication using URLConnection
http://blogs.deepal.org/2008/01/sending-basic-authentication-using-url.html
// Uses java.util.Base64 and java.nio.charset.StandardCharsets (Java 8+)
String authorizationString = "Basic " + Base64.getEncoder().encodeToString((username + ":" + password).getBytes(StandardCharsets.UTF_8));
urlConnection.setRequestProperty("Authorization", authorizationString);
Http Negotiate (SPNEGO) Example
SPNEGO is used to negotiate one of a number of possible real mechanisms. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
Security on the Server Side
Http Debug
1 Use Fiddler to log traffic between client and server.
http://blog.alner.net/archive/2008/10/06/fiddler-ndash-put-a-breakpoint-in-your-network-traffichellip.aspx
http://blog.alner.net/archive/2008/10/03/use-fiddler-to-view-traffic-when-running-locallyhellip.aspx
2 Change Java class log level
For this, we want to change the log level of the HTTP connection classes. Point the JVM at a logging configuration file:
-Djava.util.logging.config.file=logging.properties
In logging.properties
handlers=java.util.logging.ConsoleHandler
.level=ALL
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
sun.net.www.protocol.http.HttpURLConnection.level = ALL
java.net.URLConnection.level = ALL
Main Classes
sun.net.www.protocol.http.HttpURLConnection.getInputStream()
sun.net.www.protocol.http.AuthenticationHeader.parse()
java.net.Authenticator.requestPasswordAuthentication
sun.net.www.protocol.http.spnego.NegotiateCallbackHandler.handle(Callback[])
Other Resources
Authentication scheme
Basic, Digest, NTLM, Http Negotiate (SPNEGO)
Scheme Preference
GSS/SPNEGO -> Digest -> NTLM -> Basic