Bug 64534 - Java implementation is using my Windows credentials instead of Authorization Manager for NTLM.
Summary: Java implementation is using my Windows credentials instead of Authorization ...
Status: NEW
Alias: None
Product: JMeter
Classification: Unclassified
Component: HTTP (show other bugs)
Version: 5.3
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: JMeter issues mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-18 15:40 UTC by Belén
Modified: 2020-10-22 11:21 UTC (History)
1 user (show)



Attachments
Example using java implementation and authorization manager (3.94 KB, application/xml)
2020-06-18 15:40 UTC, Belén
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Belén 2020-06-18 15:40:40 UTC
Created attachment 37316 [details]
Example using java implementation and authorization manager

When using Java implementation of the HttpSampler in a request against a server that uses NTLM authentication, it automatically tries to log-in using my Windows credentials. This happens even if I add a HTTP Authorization Manager with different credentials. According to the documentation, it should be using the credentials defined in Authorization Manager.
Comment 1 Felix Schumacher 2020-06-19 15:54:34 UTC
The documentation at https://jmeter.apache.org/usermanual/component_reference.html#HTTP_Authorization_Manager states, that the Java HTTP client supports BASIC authentication, only.

If you want to use NTLM, you should switch to HttpClient.
Comment 2 Belén 2020-06-19 18:35:29 UTC
(In reply to Felix Schumacher from comment #1)
> The documentation at
> https://jmeter.apache.org/usermanual/component_reference.
> html#HTTP_Authorization_Manager states, that the Java HTTP client supports
> BASIC authentication, only.

The documentation states that Java HTTP clients supports BASIC mechanism only, not BASIC authentication only. I am using BASIC mechanism so this should work with Java implementation.
Comment 3 Felix Schumacher 2020-06-20 07:54:29 UTC
(In reply to Belén from comment #2)
> (In reply to Felix Schumacher from comment #1)
> > The documentation at
> > https://jmeter.apache.org/usermanual/component_reference.
> > html#HTTP_Authorization_Manager states, that the Java HTTP client supports
> > BASIC authentication, only.
> 
> The documentation states that Java HTTP clients supports BASIC mechanism
> only, not BASIC authentication only. I am using BASIC mechanism so this
> should work with Java implementation.

You have stated in the title and in the description, that you are using NTLM.

The wording mechanism and authentication might be misleading in the documentation. If you want to enhance the documentation, patches are always welcome.

If you think, that the authentication dialog, that a browser shows (when no NTLM credential is found), is a BASIC authentication, than be aware, that the browser converts your credentials to NTLM creds and sends those to the server. That mechanism is not available in JMeter with the Java client.

Please have a look at the WWW-Authenticate header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) in the first 401 response. If only NTLM or Negotiation is mentioned, than the Java client can't be used.

Is there any reason, why you are not using the HttpClient?
Comment 4 Belén 2020-06-22 19:13:05 UTC
(In reply to Felix Schumacher from comment #3)

>You have stated in the title and in the description, that you are using NTLM.
Yes, I am using NTLM authentication, but the method selected in the HTTP Authorization Manager is BASIC. This works with the HttpClient so, as BASIC method is also supposed to work with Java, I assumed NTLM authentication (using this method) should also work.

> Is there any reason, why you are not using the HttpClient?
No, I am just researching authentication methods with JMeter.

> The wording mechanism and authentication might be misleading in the
> documentation.
I agree that the documentation is misleading and should be fixed.
Comment 5 Felix Schumacher 2020-06-24 14:15:37 UTC
Ok, so as I see it, there are a few problems pointed out by this report:

 a) The java client for HTTP Sampler uses - under windows - the NTLM Credentials of the user that runs JMeter if NTLM authentication is requested by the tested server
 b) The HttpClient implementation allows to answer NTLM requests when BASIC mechanism is selected
 c) The documentation refers to mechanism and it is unclear how it relates to authentication

For a) I tend to leave it that way, as I believe the old Java client is used not that much and it probably behaves badly under Windows, only

For b) should probably be mentioned in the docs, as changing it might break existing test plans

For c) enhancements in form of patches or text fragments to docs are always welcome :)
Comment 6 Belén 2020-06-25 16:32:15 UTC
(In reply to Felix Schumacher from comment #5)
> Ok, so as I see it, there are a few problems pointed out by this report:
> 
>  a) The java client for HTTP Sampler uses - under windows - the NTLM
> Credentials of the user that runs JMeter if NTLM authentication is requested
> by the tested server
>  b) The HttpClient implementation allows to answer NTLM requests when BASIC
> mechanism is selected
>  c) The documentation refers to mechanism and it is unclear how it relates
> to authentication
> 
> For a) I tend to leave it that way, as I believe the old Java client is used
> not that much and it probably behaves badly under Windows, only
> 
> For b) should probably be mentioned in the docs, as changing it might break
> existing test plans
> 
> For c) enhancements in form of patches or text fragments to docs are always
> welcome :)

I agree with a) and c). 
About b) I would like to add that NTLM with HttpClient4 works also with BASIC_DIGEST and DIGEST mechanism (I'm not sure if these are intended as there is no NTLM mechanism to select and is not specified which mechanism should be used).
Also BASIC and BASIC_DIGEST have a different behavior than DIGEST. The former send the NTLM credentials in every request, while the latter sends the credentials only in the first request.
Comment 7 Michael Osipov 2020-10-22 11:21:44 UTC
HttpURLConnection uses a native component to access SSPI for NTLM. The only thing you could do is to ask the security-dev team to add a system property to disable this at start time.