Using HttpComponentsMessageSender with NTLM Authentication [SWS-964]

[gregturn]

Sebastian Geiger opened SWS-964 and commented

I am trying to configure the HttpComponentsMessageSender for use with the WebServiceGatewaySupport implementation. My webservices use NTLM for authentication, so I need to configure that in the HttpClient which is being used by the message sender. This should be platform independent so I cannot just rely on the native windows fallback that the httpcommons library seems to include because that won't work under linux.

The Spring WS documentation seems to have no mention of either NTLM or configuring the HttpClient which is being used by the message sender. I understand that most of the API is actually from httpcomponents rather then Spring specific, but once a custom HttpClient is used certain methods on the HttpComponentsMessageSender cannot be used anymore. For example the setConnectionTimeout method. At least in this respect it would be nice if that was documented.

When I started to write this issue I was struggling to come up with a valid implementation to configure the HttpClient, but in the mean time I have figured it out. I still though I would post this issue, maybe the code can be useful to anyone how has the same problem or for improving the documentation.

This is what I came up with in the end:

    HttpComponentsMessageSender messageSender = new HttpComponentsMessageSender ();

    AuthScope authscope;
    NTCredentials credentials;
    CredentialsProvider credentialsProvider;
    Registry<AuthSchemeProvider> registry;
    RequestConfig requestConfig;

    authscope = new AuthScope (HOST_IP, HOST_PORT);

    credentials = new NTCredentials ("user", "pass", null, "domain");

    credentialsProvider = new BasicCredentialsProvider ();

    credentialsProvider.setCredentials (authscope, credentials);

    registry = RegistryBuilder.<AuthSchemeProvider>create ()
            .register(AuthSchemes.NTLM, new NTLMSchemeFactory ())
            .build ();

    HttpRequestInterceptor interceptor
            = (request, context) -> request.removeHeaders(HTTP.CONTENT_LEN);

    requestConfig = RequestConfig.custom ()
                                 .setConnectTimeout (3000)
                                 .build ();

    HttpClient httpClient =  HttpClientBuilder.create ()
                                              .setDefaultRequestConfig (requestConfig)
                                              .setDefaultAuthSchemeRegistry (registry)
                                              .setDefaultCredentialsProvider (credentialsProvider)
                                              .addInterceptorFirst (interceptor)
                                              .build ();

    messageSender.setHttpClient (httpClient);

Points to pay attention to:

1. The HttpRequestInterceptor is required or there will be a dubious error about a duplicate Content-Lenght header.
2. Things like timeouts must be set in the RequestConfig and injected into the HttpClientBuilder, setting them directly on the HttpComponentsMessageSender causes an UnsupportedMethodException.
3. It seems to be always necessary to pass the domain name to the NTCredentials class, before I was using the java.net native method and it was enough to just pass username and password to the Authenticator interface.

---

No further details from SWS-964

[atkawa7]

@gregturn This issue still persists in the latest spring version.

Edit.

Calling these two methods setConnectionTimeout and setReadTimeout in HttpComponentsMessageSender causes an unsupported operation exception. The reason is the methods in turn call a getHttpClient().getParams(). This throws when org.apache.http.impl.client.InternalHttpClient is used for the httpclient.

https://github.com/apache/httpcomponents-client/blob/88a30eb77bf801c9f633a798457021dc9e59d187/httpclient/src/main/java/org/apache/http/impl/client/InternalHttpClient.java#L210-L212

 @Override
    public HttpParams getParams() {
        throw new UnsupportedOperationException();
    }

public void setConnectionTimeout(int timeout) {
		if (timeout < 0) {
			throw new IllegalArgumentException("timeout must be a non-negative value");
		}
		org.apache.http.params.HttpConnectionParams.setConnectionTimeout(getHttpClient().getParams(), timeout);
	}

	/**
	 * Set the socket read timeout for the underlying HttpClient. A value of 0 means <em>never</em> timeout.
	 *
	 * @param timeout the timeout value in milliseconds
	 * @see org.apache.http.params.HttpConnectionParams#setSoTimeout(org.apache.http.params.HttpParams, int)
	 */
	public void setReadTimeout(int timeout) {
		if (timeout < 0) {
			throw new IllegalArgumentException("timeout must be a non-negative value");
		}
		org.apache.http.params.HttpConnectionParams.setSoTimeout(getHttpClient().getParams(), timeout);
	}

[snicoll]

Yes I can see how that's painful and it would be nice if we could offer the flexibility of using those high-level methods while being able to customize the HttpClient in a more advanced way. I think that if you provide the client then we can't do much as it invalidates what the factory would do. I wonder if separating those completely wouldn't be a better fit.

[snicoll]

With what I am about to push, I believe the above can now be implemented as follows:

HttpComponents5ClientFactory factory = HttpComponents5ClientFactory.withDefaults();
factory.setConnectionTimeout(Duration.ofMillis(3000));
factory.addClientBuilderCustomizer(builder -> {
	BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
	credentialsProvider.setCredentials(new AuthScope(HOST_IP, HOST_PORT),
			new NTCredentials("user", "pass".toCharArray(), null, "domain"));
	builder.setDefaultCredentialsProvider(credentialsProvider);
	builder.setDefaultAuthSchemeRegistry(RegistryBuilder.<AuthSchemeFactory>create()
			.register(AuthSchemes.NTLM, new NTLMSchemeFactory())
			.build());
});
SimpleHttpComponents5MessageSender messageSender = new SimpleHttpComponents5MessageSender(factory);

Important bit is:

• HttpComponents5ClientFactory.withDefaults(); creates a factory that applies the RemoveSoapHeadersInterceptor which handles your first point. This was actually done automatically only when configuring the client via HttpComponents5MessageSender.
• addClientBuilderCustomizer allows you to add an arbitrary number of customizers. This can be used to invoke advanced methods of the builder
• Because we're using the factory, you can call regular methods such as setConnectionTimeout
• I don't know about 3, that looks like a question that's not related to Spring WS itself.
• Once the factory is configured you can pass that to SimpleHttpComponents5MessageSender and it'll build and use the HttpClient that the factory creates as a result.