#31 Proxy auth broken for servers supporting NTLM (fix incl)

open
nobody
None
9
2009-03-12
2009-03-12
Anton Keks
No

If a proxy server is requiring authentication (like many corporate ones) and specifies that it prefers NTLM to BASIC authentication scheme, then GCALDaemon fails to provide correct credentials.

The solution is to tell commons-httpclient (which is used by GCALDaemon) to prefer DIGEST or BASIC authentication, which doesn't require any special setup.

There are at least 3 classes in GCALDaemon that configure the authentication to the proxy server (maybe it makes sense to extract HttpClient creation to a single place, eg Configurator).

One of the places is GCalUtilities, which does that in the globalInit() method: it sets the properties using the UsernamePasswordCredentials:

Credentials credentials = new UsernamePasswordCredentials(username, password);
httpClient.getState().setProxyCredentials(AuthScope.ANY, credentials);

UsernamePasswordCredentials actually doesn't support NTLM, so it is correct to add the following line as well:

httpClient.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, Arrays.asList(new Object[]{AuthPolicy.DIGEST, AuthPolicy.BASIC}));

which tells HttpClient to prefer DIGEST and BASIC authentication.

This line fixes the problem for me and should be added upstream.

Discussion

  • Anton Keks
    Anton Keks
    2009-03-12

    • priority: 5 --> 9
     
  • Anton Keks
    Anton Keks
    2009-03-12

    • summary: Proxy authentication broken for servers supporting NTLM --> Proxy auth broken for servers supporting NTLM (fix incl)