JDK-6357133 : java.net.Authenticator does not work as expected with Integrated Windows Authentication (Kerberos)
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2005-11-30
  • Updated: 2011-05-18
  • Resolved: 2011-05-18
JDK 7: 7 b12 (Fixed)
Description
A small sample program was written to test how the Java Authenticator behaves when no credentials are provided for a given type of authentication.  The Authenticator fails to behave as expected when a user does not have any credentials to provide for Integrated Windows Authentication.  The Authenticator continues to get called until a max redirect exception is thrown.  The output of the sample program and the code that produced it are below.  Note:  If the IP address doesn't work, contact ###@###.### for the current address.

Digest Authentication Test
>> Authenticator Called
java.io.IOException: Server returned HTTP response code: 401 for URL: http://129.148.174.126/DigestSecurity/cicerone/Cicerone.jnlp
Exception: Response code 401 Unauthorized

Basic Authentication Test
>> Authenticator Called
java.io.IOException: Server returned HTTP response code: 401 for URL: http://129.148.174.90/BasicSecurity/file1.txt
Exception: Response code 401 Access Denied

Integrated Windows Authentication Test
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
java.net.ProtocolException: Server redirected too many  times (20)
Exception: Response code 401 Unauthorized

/*
 * Main.java
 *
 * Created on June 2, 2005, 4:02 PM
 *
 * To change this template, choose Tools | Options and locate the template under
 * the Source Creation and Management node. Right-click the template and choose
 * Open. You can then make changes to the template in the Source Editor.
 */

package httptest;

import java.io.*;
import java.util.*;
import java.net.*;

/**
 *
 * @author aw158418
 */
public class Main   {
    
    static HttpURLConnection conn = null;
    
    /** Creates a new instance of Main */
    public Main() {
    }
    
    static class MyAuthenticator extends Authenticator {
        static int i = 0;
        
        MyAuthenticator() {
            super();
        }
        
        public PasswordAuthentication getPasswordAuthentication() {
            System.out.println(">> Authenticator Called");
            String str = "";
            
            // Authenticator returning null as though user hit cancel
            return null;
        }
    }
    
    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        Authenticator.setDefault( new MyAuthenticator() );
        URL link = null;
        try {
            link = new URL("http://129.148.174.126/DigestSecurity/cicerone/Cicerone.jnlp");
            openFileFromServer( link );
            
            link = new URL("http://129.148.174.90/BasicSecurity/file1.txt");
            openFileFromServer( link );
            
            link = new URL("http://129.148.174.126/KerberosSecurity/clockApplet/clock.html");
            openFileFromServer( link );
        } catch( Exception e ) {
            e.printStackTrace();
        }
    }
    
    private static void openFileFromServer( URL url ) {
        try {
            conn = (HttpURLConnection)url.openConnection();
            
            DataInputStream dis = new DataInputStream(conn.getInputStream());
            
            String inputLine;
            
            // Read Content
            while( (inputLine = dis.readLine()) != null ) {
                System.out.println(inputLine);
            }
            
            dis.close();
            
        } catch (MalformedURLException me) {
            System.out.println("MalformedURLException: " + me);
        } catch (IOException ioe) {
            try { 
            System.out.println( ioe.toString() );
            System.out.print("Exception: Response code " + conn.getResponseCode());
            System.out.println(" " + conn.getResponseMessage());
            } catch( Exception e ){
                e.printStackTrace();
            }
        }
    }
}

Comments
EVALUATION This issue should be fixed as a side effect of 6520665. See the "suggested fix" section of 6520665.
29-03-2007

WORK AROUND The system property http.maxRedirects can be set to a smaller value to reduce the inconvenience caused by this issue.
15-12-2005

EVALUATION Currently, we don't provide a way for the user to break out of the authentication dialog, which is something we should address. If the user hits cancel and no credentials are provided, then we should throw an exception immediately. Will target this for dolphin. See workaround.
15-12-2005

EVALUATION Yes, when I try the test it identifies the Authentication type as NTLM when it goes into the loop. However, I believe the Authentication server is configured to use Kerberos, not NTLM.
07-12-2005

EVALUATION I see the same output on my Windows box. However, I changed the line in your getPasswordAuthentication to System.out.println(">> Authenticator Called for " + getRequestingScheme()); and observed that the problematic scheme is NTLM. For IIS, Integrated Windows Authentication means SPNEGO *plus* Kerberos *plus* NTLM. It seems (on my machine) that Negotiate fails and falls back to NTLM, and then the infinite loop. The problem should lie in the native implementation of NTLM authentication. Ashley, can you try to confirm this on your computer?
05-12-2005
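
An added example, not part of the original report or the JDK sources: a self-contained probe that combines the http.maxRedirects workaround with the getRequestingScheme() logging used in the evaluation above, run against a constructed local server. The class name AuthLoopProbe, the value 3, the realm "probe" and the Basic challenge are assumptions made for illustration; reproducing the NTLM fallback itself requires the IIS setup described in the report.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.util.ArrayList;
import java.util.List;

public class AuthLoopProbe {
    // Schemes the Authenticator was asked about, in call order.
    static final List<String> calls = new ArrayList<>();

    public static void main(String[] args) throws Exception {
        // Workaround from the report: bound the retry loop. Set it before the
        // first HTTP connection is opened, because the handler reads it once.
        System.setProperty("http.maxRedirects", "3");

        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                calls.add(getRequestingScheme());
                return null; // as in the reproducer: no credentials supplied
            }
        });

        // Constructed local server that always answers 401 with a Basic challenge.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"probe\"");
            ex.sendResponseHeaders(401, -1); // -1: no response body
            ex.close();
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            System.out.println("response=" + conn.getResponseCode()
                    + " authenticator calls=" + calls);
        } catch (ProtocolException e) {
            // The symptom in this report: retries continued until the limit was hit.
            System.out.println("retry limit hit: " + e.getMessage()
                    + " authenticator calls=" + calls);
        } finally {
            server.stop(0);
        }
    }
}
```

More than one entry in the recorded call list for a single request, or the ProtocolException branch being taken, indicates the retry behaviour described in this report.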