NTLM preemptive auth should only happen when sending the first request on a new connection, close AsyncHttpClient#726

Author: Stephane Landelle

src/main/java/com/ning/http/client/providers/netty/request/NettyRequestFactory.java

@@ -92,20 +92,11 @@ private String hostHeader(Request request, Uri uri) {
         return request.getVirtualHost() != null || uri.getPort() == -1 ? host : host + ":" + uri.getPort();
     }
 
-    private String authorizationHeader(Request request, Uri uri, ProxyServer proxyServer, Realm realm) throws IOException {
-
+    public String firstRequestOnlyAuthorizationHeader(Request request, Uri uri, ProxyServer proxyServer, Realm realm) throws IOException {
         String authorizationHeader = null;
 
         if (realm != null && realm.getUsePreemptiveAuth()) {
-
             switch (realm.getAuthScheme()) {
-            case BASIC:
-                authorizationHeader = computeBasicAuthentication(realm);
-                break;
-            case DIGEST:
-                if (isNonEmpty(realm.getNonce()))
-                    authorizationHeader = computeDigestAuthentication(realm);
-                break;
             case NTLM:
                 String domain;
                 if (proxyServer != null && proxyServer.getNtlmDomain() != null) {
@@ -122,7 +113,6 @@ private String authorizationHeader(Request request, Uri uri, ProxyServer proxySe
                 break;
             case KERBEROS:
             case SPNEGO:
-
                 String host;
                 if (proxyServer != null)
                     host = proxyServer.getHost();
@@ -137,6 +127,32 @@ else if (request.getVirtualHost() != null)
                     throw new IOException(e);
                 }
                 break;
+            default:
+                break;
+            }
+        }
+        
+        return authorizationHeader;
+    }
+    
+    private String systematicAuthorizationHeader(Request request, Uri uri, ProxyServer proxyServer, Realm realm) {
+
+        String authorizationHeader = null;
+
+        if (realm != null && realm.getUsePreemptiveAuth()) {
+
+            switch (realm.getAuthScheme()) {
+            case BASIC:
+                authorizationHeader = computeBasicAuthentication(realm);
+                break;
+            case DIGEST:
+                if (isNonEmpty(realm.getNonce()))
+                    authorizationHeader = computeDigestAuthentication(realm);
+                break;
+            case NTLM:
+            case KERBEROS:
+            case SPNEGO:
+                // NTLM, KERBEROS and SPNEGO are only set on the first request, see firstRequestOnlyAuthorizationHeader
             case NONE:
                 break;
             default:
@@ -147,8 +163,7 @@ else if (request.getVirtualHost() != null)
         return authorizationHeader;
     }
 
-    private String proxyAuthorizationHeader(Request request, ProxyServer proxyServer, HttpMethod method) throws IOException {
-
+    public String firstRequestOnlyProxyAuthorizationHeader(Request request, ProxyServer proxyServer, HttpMethod method) throws IOException {
         String proxyAuthorization = null;
 
         if (method == HttpMethod.CONNECT) {
@@ -157,26 +172,31 @@ private String proxyAuthorizationHeader(Request request, ProxyServer proxyServer
                 proxyAuthorization = auth.get(0);
             }
 
-        } else if (proxyServer != null && proxyServer.getPrincipal() != null) {
-            if (isNonEmpty(proxyServer.getNtlmDomain())) {
-                List<String> auth = request.getHeaders().get(HttpHeaders.Names.PROXY_AUTHORIZATION);
-                if (!isNTLM(auth)) {
-                    try {
-                        String msg = NTLMEngine.INSTANCE.generateType1Msg(proxyServer.getNtlmDomain(), proxyServer.getHost());
-                        proxyAuthorization = "NTLM " + msg;
-                    } catch (NTLMEngineException e) {
-                        IOException ie = new IOException();
-                        ie.initCause(e);
-                        throw ie;
-                    }
+        } else if (proxyServer != null && proxyServer.getPrincipal() != null && isNonEmpty(proxyServer.getNtlmDomain())) {
+            List<String> auth = request.getHeaders().get(HttpHeaders.Names.PROXY_AUTHORIZATION);
+            if (!isNTLM(auth)) {
+                try {
+                    String msg = NTLMEngine.INSTANCE.generateType1Msg(proxyServer.getNtlmDomain(), proxyServer.getHost());
+                    proxyAuthorization = "NTLM " + msg;
+                } catch (NTLMEngineException e) {
+                    throw new IOException(e);
                 }
-            } else {
-                proxyAuthorization = computeBasicAuthentication(proxyServer);
             }
         }
 
         return proxyAuthorization;
     }
+    
+    private String systematicProxyAuthorizationHeader(Request request, ProxyServer proxyServer, HttpMethod method) {
+
+        String proxyAuthorization = null;
+
+        if (method != HttpMethod.CONNECT && proxyServer != null && proxyServer.getPrincipal() != null && !isNonEmpty(proxyServer.getNtlmDomain())) {
+            proxyAuthorization = computeBasicAuthentication(proxyServer);
+        }
+
+        return proxyAuthorization;
+    }
 
     private byte[] computeBodyFromParams(List<Param> params, Charset bodyCharset) {
 
@@ -235,6 +255,17 @@ else if (request.getBodyGenerator() != null)
         return nettyBody;
     }
 
+    public void addAuthorizationHeader(HttpHeaders headers, String authorizationHeader) {
+        if (authorizationHeader != null)
+            // don't override authorization but append
+            headers.add(HttpHeaders.Names.AUTHORIZATION, authorizationHeader);
+    }
+    
+    public void setProxyAuthorizationHeader(HttpHeaders headers, String proxyAuthorizationHeader) {
+        if (proxyAuthorizationHeader != null)
+            headers.set(HttpHeaders.Names.PROXY_AUTHORIZATION, proxyAuthorizationHeader);
+    }
+    
     public NettyRequest newNettyRequest(Request request, Uri uri, boolean forceConnect, ProxyServer proxyServer)
             throws IOException {
 
@@ -301,14 +332,11 @@ public NettyRequest newNettyRequest(Request request, Uri uri, boolean forceConne
             headers.set(HttpHeaders.Names.HOST, hostHeader(request, uri));
 
         Realm realm = request.getRealm() != null ? request.getRealm() : config.getRealm();
-        String authorizationHeader = authorizationHeader(request, uri, proxyServer, realm);
-        if (authorizationHeader != null)
-            // don't override authorization but append
-            headers.add(HttpHeaders.Names.AUTHORIZATION, authorizationHeader);
 
-        String proxyAuthorizationHeader = proxyAuthorizationHeader(request, proxyServer, method);
-        if (proxyAuthorizationHeader != null)
-            headers.set(HttpHeaders.Names.PROXY_AUTHORIZATION, proxyAuthorizationHeader);
+        // don't override authorization but append
+        addAuthorizationHeader(headers, systematicAuthorizationHeader(request, uri, proxyServer, realm));
+
+        setProxyAuthorizationHeader(headers, systematicProxyAuthorizationHeader(request, proxyServer, method));
 
         // Add default accept headers
         if (!headers.contains(HttpHeaders.Names.ACCEPT))

src/main/java/com/ning/http/client/providers/netty/request/NettyRequestSender.java

@@ -39,6 +39,7 @@
 import com.ning.http.client.FluentCaseInsensitiveStringsMap;
 import com.ning.http.client.ListenableFuture;
 import com.ning.http.client.ProxyServer;
+import com.ning.http.client.Realm;
 import com.ning.http.client.Request;
 import com.ning.http.client.filter.FilterContext;
 import com.ning.http.client.filter.FilterException;
@@ -243,6 +244,13 @@ private <T> ListenableFuture<T> sendRequestWithNewChannel(//
 
         boolean useSSl = isSecure(uri) && !useProxy;
 
+        // some headers are only set when performing the first request
+        HttpHeaders headers = future.getNettyRequest().getHttpRequest().headers();
+        Realm realm = request.getRealm() != null ? request.getRealm() : config.getRealm();
+        HttpMethod method = future.getNettyRequest().getHttpRequest().getMethod();
+        requestFactory.addAuthorizationHeader(headers, requestFactory.firstRequestOnlyAuthorizationHeader(request, uri, proxy, realm));
+        requestFactory.setProxyAuthorizationHeader(headers, requestFactory.firstRequestOnlyProxyAuthorizationHeader(request, proxy, method));
+        
         // Do not throw an exception when we need an extra connection for a
         // redirect
         // FIXME why? This violate the max connection per host handling, right?