
Java Security


Calling a .NET Webservice using Kerberos Authentication

843810, Oct 19 2009 (edited Oct 21 2009)
Hi,
I am developing a Java client-side application to consume a .NET web service method using Kerberos V5 integrated security. I have successfully called the .NET web service method using the NTLM protocol; however, a 'double hop' is required so as to access a database server in conjunction with the web server, therefore Kerberos is the authentication mechanism of choice.

I am attempting a proof-of-concept exercise with code I have taken from the web, where I am requesting an HTML file from the IIS web server using my Java client.
The code is located here: http://www.nabble.com/file/p23848153/KerberosHttpClient.zip and an extract of the code that I have changed for my test is appended below.

The code seems to be successfully requesting a Kerberos service ticket and including the ticket in the HTTP header; however, IIS returns an HTTP 100 error, bad request. I cannot see what is wrong with this header. If I make the same page request using Internet Explorer, the only difference seems to be the size of the Negotiate information, which is significantly larger with the Internet Explorer request.

I will post the Internet Explorer HTTP header request and the Java client HTTP header request in my next response, as I have run out of available space on this question post.




Client Code

```java
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collections;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.ClientContext;
// HttpClient 4.1+ package; adjust to match the copy shipped with the linked zip
import org.apache.http.impl.auth.NegotiateSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.apache.log4j.BasicConfigurator;

public class KerberosHttpClient {
	private static final Log LOG = LogFactory.getLog(KerberosHttpClient.class);
	private static String kerbHttpHost = "http://CCLA-VS-AP01/AuroraWS/downloadMe.html";

	public static void main(String[] args) throws KeyStoreException, NoSuchAlgorithmException,
			CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
		BasicConfigurator.configure();
		// JAAS login configuration (Krb5LoginModule entry) and Kerberos realm/KDC settings
		System.setProperty("java.security.auth.login.config", "login.conf");
		System.setProperty("java.security.krb5.conf", "krb5.conf");
		// The original post is truncated here: a line beginning "Sy" and the
		// opening of the comment block below are missing.
		/*
		 * Solution 2: You need to update the Windows registry to disable this new feature. The registry key
		 * allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the
		 * Kerberos Ticket-Granting Ticket.
		 *
		 * On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
		 *
		 *     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
		 *     Value Name: allowtgtsessionkey
		 *     Value Type: REG_DWORD
		 *     Value: 0x01
		 *
		 * Here is the location of the registry setting on Windows XP SP2:
		 *
		 *     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
		 *     Value Name: allowtgtsessionkey
		 *     Value Type: REG_DWORD
		 *     Value: 0x01
		 */

		DefaultHttpClient httpclient = new DefaultHttpClient();

		// Leave only Negotiate registered so the client cannot silently fall back to a weaker scheme
		AuthSchemeRegistry authSchemeRegistry = httpclient.getAuthSchemes();
		authSchemeRegistry.unregister("basic");
		authSchemeRegistry.unregister("digest");
		authSchemeRegistry.unregister("NTLM");
		authSchemeRegistry.register("Negotiate", new NegotiateSchemeFactory());
		//authSchemeRegistry.register("NTLM", new NTLMSchemeFactory());
		//authSchemeRegistry.register("Basic", new BasicSchemeFactory());
		httpclient.setAuthSchemes(authSchemeRegistry);

		// Placeholder credentials: the Negotiate scheme takes its credentials from the
		// JAAS Subject, not from this object, so both accessors return null
		Credentials use_jaas_creds = new Credentials() {
			@Override
			public String getPassword() {
				return null;
			}
			@Override
			public Principal getUserPrincipal() {
				return null;
			}
		};

		httpclient.getCredentialsProvider().setCredentials(
				new AuthScope(null, -1, null),
				use_jaas_creds);

		HttpUriRequest request = new HttpGet(kerbHttpHost);
		HttpResponse response = null;
		HttpEntity entity = null;

		/* note that we use the 2 parameter execute call. */
		try {
			response = httpclient.execute(request, createHttpContext(httpclient));
			entity = response.getEntity();
		} catch (Exception ex) {
			LOG.debug(ex.getMessage(), ex);
		}

		System.out.println("----------------------------------------");
		if (entity != null) {
			System.out.println("Response content length: " + entity.getContentLength());
			entity.writeTo(System.out);
		}
		if (entity != null) {
			entity.consumeContent();
		}
	}

	/**
	 * createHttpContext - This is a copy of DefaultHttpClient method
	 * createHttpContext with "negotiate" added to AUTH_SCHEME_PREF to allow for
	 * Kerberos authentication. Could also extend DefaultHttpClient overriding the
	 * default createHttpContext.
	 *
	 * @param httpclient - our Httpclient
	 * @return HttpContext
	 */
	static HttpContext createHttpContext(DefaultHttpClient httpclient) {
		HttpContext context = new BasicHttpContext();
		context.setAttribute(
				ClientContext.AUTHSCHEME_REGISTRY,
				httpclient.getAuthSchemes());
		context.setAttribute(
				ClientContext.AUTH_SCHEME_PREF,
				Collections.unmodifiableList(Arrays.asList(new String[] {
						"negotiate",
						"ntlm",
						"digest",
						"basic"
				}))
		);
		context.setAttribute(
				ClientContext.COOKIESPEC_REGISTRY,
				httpclient.getCookieSpecs());
		context.setAttribute(
				ClientContext.COOKIE_STORE,
				httpclient.getCookieStore());
		context.setAttribute(
				ClientContext.CREDS_PROVIDER,
				httpclient.getCredentialsProvider());
		return context;
	}
}
```
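Added example, not part of the post above or of the linked zip: before comparing the sizes of the two Negotiate headers, it is worth checking what each base64 blob actually is. Under the Negotiate scheme the payload can be a SPNEGO NegTokenInit (mechanism OID 1.3.6.1.5.5.2) that lists the mechanisms the client offers, a bare Kerberos V5 GSS-API token (OID 1.2.840.113554.1.2.2), or a raw NTLMSSP message with no GSS framing at all. A size difference by itself says little; the mechanism OID and, for SPNEGO, the offered mechTypes are what to compare between the Internet Explorer and Java requests. The Python below decodes a header just far enough to tell these apart. The sample headers it builds are constructed stand-ins (the Kerberos AP-REQ body is placeholder bytes, not a real ticket), and the function names are mine.

```python
"""Classify the token in an HTTP "Negotiate <base64>" header.  Added example."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
              MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP (via SPNEGO)"}


def _read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _spnego_mech_types(inner):
    """mechTypes offered in a SPNEGO NegTokenInit (inner = bytes after the SPNEGO OID)."""
    tag, start, end = _read_tlv(inner, 0)               # [0] negTokenInit
    if tag != 0xA0:
        return []                                        # negTokenResp or unknown
    _, start, end = _read_tlv(inner, start)              # NegTokenInit SEQUENCE
    pos, mechs = start, []
    while pos < end:
        tag, vstart, vend = _read_tlv(inner, pos)
        if tag == 0xA0:                                  # [0] mechTypes
            _, lstart, lend = _read_tlv(inner, vstart)   # SEQUENCE OF MechType
            p = lstart
            while p < lend:
                _, ostart, oend = _read_tlv(inner, p)
                mechs.append(_decode_oid(inner[ostart:oend]))
                p = oend
        pos = vend
    return mechs


def classify_negotiate_header(header_value):
    """Return (mechanism name, SPNEGO mechTypes offered, token length in bytes)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):                 # bare NTLM message, no GSS framing
        return "raw NTLMSSP", [], len(token)
    tag, start, end = _read_tlv(token, 0)
    if tag != 0x60:                                      # InitialContextToken is [APPLICATION 0]
        return "unrecognised", [], len(token)
    otag, ostart, oend = _read_tlv(token, start)
    if otag != 0x06:
        return "unrecognised", [], len(token)
    oid = _decode_oid(token[ostart:oend])
    mechs = _spnego_mech_types(token[oend:end]) if oid == SPNEGO_OID else []
    return MECH_NAMES.get(oid, oid), mechs, len(token)


# Minimal DER writer, used only to build the constructed sample headers below.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_negotiate_header(mech_token, spnego_mechs=None):
    """Constructed sample: a bare Kerberos GSS token, or (with spnego_mechs) a SPNEGO
    NegTokenInit offering those mechanisms with mech_token as the optimistic mechToken."""
    if spnego_mechs is None:
        body = _der(0x06, _encode_oid(KRB5_OID)) + mech_token
    else:
        mech_list = _der(0x30, b"".join(_der(0x06, _encode_oid(m)) for m in spnego_mechs))
        init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
        body = _der(0x06, _encode_oid(SPNEGO_OID)) + _der(0xA0, init)
    return "Negotiate " + base64.b64encode(_der(0x60, body)).decode("ascii")


# TOK_ID 01 00 (KRB_AP_REQ) followed by placeholder bytes; not a real AP-REQ.
FAKE_AP_REQ = b"\x01\x00" + b"\x6e\x08" + b"\x00" * 8


def sample_headers():
    """Constructed headers standing in for what a Java client or IE might send."""
    return {
        "bare_krb5": build_negotiate_header(FAKE_AP_REQ),
        "spnego": build_negotiate_header(FAKE_AP_REQ, [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]),
        "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode("ascii"),
    }


if __name__ == "__main__":
    for name, hdr in sample_headers().items():
        print(name, classify_negotiate_header(hdr))
```

Paste the real base64 value from each captured request into classify_negotiate_header to see which case it is; the same decoder works on the WWW-Authenticate value IIS returns, where a [1] negTokenResp (tag 0xA1) simply yields an empty mechTypes list.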
Post Details
Locked on Nov 18 2009
Added on Oct 19 2009
2 comments
2,868 views