Bug ID: JDK-6357133 java.net.Authenticator does not work as expected with Integrated Windows Authentication (Kerberos)

Type: Bug
Component: core-libs
Sub-Component: java.net
Affected Version: 6

Priority: P3
Status: Closed
Resolution: Fixed
OS: windows_xp
CPU: x86

Submitted: 2005-11-30
Updated: 2011-05-18
Resolved: 2011-05-18

JDK 7
7 b12Fixed

A small sample program was written to test how the Java Authenticator behaves when no credentials are provided for a given type of authentication.  The Authenticator fails to behave as expected expected when a user does not have any credentials to provide for Integrated Winodws Authentication.  The Authenticator continues to get called until a max redirect exception is thrown.  The output of the sample program and code that produced it is below.  Note:  If the IP address doesn't work contact ###@###.### for current address.

Digest Authentication Test
>> Authenticator Called
java.io.IOException: Server returned HTTP response code: 401 for URL: http://129.148.174.126/DigestSecurity/cicerone/Cicerone.jnlp
Exception: Response code 401 Unauthorized

Basic Authentication Test
>> Authenticator Called
java.io.IOException: Server returned HTTP response code: 401 for URL: http://129.148.174.90/BasicSecurity/file1.txt
Exception: Response code 401 Access Denied

Integrated Windows Authentication Test
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
>> Authenticator Called
java.net.ProtocolException: Server redirected too many  times (20)
Exception: Response code 401 Unauthorized/*





 * Main.java
 *
 * Created on June 2, 2005, 4:02 PM
 *
 * To change this template, choose Tools | Options and locate the template under
 * the Source Creation and Management node. Right-click the template and choose
 * Open. You can then make changes to the template in the Source Editor.
 */

package httptest;

import java.io.*;
import java.util.*;
import java.net.*;

/**
 *
 * @author aw158418
 */
public class Main   {
    
    static HttpURLConnection conn = null;
    
    /** Creates a new instance of Main */
    public Main() {
    }
    
    static class MyAuthenticator extends Authenticator {
        static int i = 0;
        
        MyAuthenticator() {
            super();
        }
        
        public PasswordAuthentication getPasswordAuthentication() {
            System.out.println(">> Authenticator Called");
            String str = "";
            
            // Authenticator returning null as though user hit cancel
            return null;
        }
    }
    
    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        Authenticator.setDefault( new MyAuthenticator() );
        URL link = null;
        try {
            link = new URL("http://129.148.174.126/DigestSecurity/cicerone/Cicerone.jnlp");
            openFileFromServer( link );
            
            link = new URL("http://129.148.174.90/BasicSecurity/file1.txt");
            openFileFromServer( link );
            
            link = new URL("http://129.148.174.126/KerberosSecurity/clockApplet/clock.html");
            openFileFromServer( link );
        } catch( Exception e ) {
            e.printStackTrace();
        }
    }
    
    private static void openFileFromServer( URL url ) {
        try {
            conn = (HttpURLConnection)url.openConnection();
            
            DataInputStream dis = new DataInputStream(conn.getInputStream());
            
            String inputLine;
            
            // Read Content
            while( (inputLine = dis.readLine()) != null ) {
                System.out.println(inputLine);
            }
            
            dis.close();
            
        } catch (MalformedURLException me) {
            System.out.println("MalformedURLException: " + me);
        } catch (IOException ioe) {
            try { 
            System.out.println( ioe.toString() );
            System.out.print("Exception: Response code " + conn.getResponseCode());
            System.out.println(" " + conn.getResponseMessage());
            } catch( Exception e ){
                e.printStackTrace();
            }
        }
    }
}

EVALUATION This issue should be fixed as a side effect of 6520665. See the "suggested fix" section of 6520665.
29-03-2007
WORK AROUND The system property http.maxRedirects can be set to a smaller value to reduce the inconvenience caused by this issue.
15-12-2005
EVALUATION Currently, we don't provide a way for the user to break out of the authentication dialog, which is something we should address. If the user hits cancel and no credentials are provided, then we should throw an exception immediately. Will target this for dolphin. See workaround.
15-12-2005
EVALUATION Yes, when I try the test it identifies the Authentication type as NTLM when it goes into the loop. However I belive the Authentication server is configured to use Kerberos not NTLM.
07-12-2005
EVALUATION I see the same output on my Winows box. However, I changed the line in your getPasswordAuthentication to System.out.println(">> Authenticator Called for " + getRequestingScheme()); and observed that the problematic scheme is NTLM. For IIS, Integrated Windows Authentication means SPNEGO plus Kerberos plus NTLM. It seems (on my machine) that Negotiate fails and fallback to NTLM and then the infinite loop. The problem should lie in the native implementation of NTLM authentication. Ashley, can you try to confirm this on your computer?
05-12-2005

Relates :	JDK-6520665 - NTLM Authentication not requested, throws null exception
Relates :	JDK-6318281 - Selecting Cancel from the Authentication Dailog in Web Start & Plug In does not work as expected