NTLM WWW-Authenticate header is not always the first one, close AsyncHttpClient#736

Author: Stephane Landelle

providers/netty/src/main/java/org/asynchttpclient/providers/netty/handler/HttpProtocol.java

@@ -17,7 +17,7 @@
 import static io.netty.handler.codec.http.HttpResponseStatus.OK;
 import static io.netty.handler.codec.http.HttpResponseStatus.PROXY_AUTHENTICATION_REQUIRED;
 import static io.netty.handler.codec.http.HttpResponseStatus.UNAUTHORIZED;
-import static org.asynchttpclient.providers.netty.util.HttpUtils.isNTLM;
+import static org.asynchttpclient.providers.netty.util.HttpUtils.getNTLM;
 import static org.asynchttpclient.util.AsyncHttpProviderUtils.getDefaultPort;
 import io.netty.buffer.ByteBuf;
 import io.netty.channel.Channel;
@@ -81,8 +81,9 @@ private Realm kerberosChallenge(Channel channel, List<String> proxyAuth, Request
                     .build();
 
         } catch (Throwable throwable) {
-            if (isNTLM(proxyAuth)) {
-                return ntlmChallenge(proxyAuth.get(0), request, proxyServer, headers, realm, future, proxyInd);
+            String ntlmAuthenticate = getNTLM(proxyAuth);
+            if (ntlmAuthenticate != null) {
+                return ntlmChallenge(ntlmAuthenticate, request, proxyServer, headers, realm, future, proxyInd);
             }
             requestSender.abort(channel, future, throwable);
             return null;
@@ -204,9 +205,10 @@ private boolean exitAfterHandling401(//
                 future.setState(NettyResponseFuture.STATE.NEW);
                 Realm newRealm = null;
                 boolean negociate = wwwAuthHeaders.contains("Negotiate");
-                if (!wwwAuthHeaders.contains("Kerberos") && (isNTLM(wwwAuthHeaders) || negociate)) {
+                String ntlmAuthenticate = getNTLM(wwwAuthHeaders);
+                if (!wwwAuthHeaders.contains("Kerberos") && ntlmAuthenticate != null) {
                     // NTLM
-                    newRealm = ntlmChallenge(wwwAuthHeaders.get(0), request, proxyServer, request.getHeaders(), realm, future, false);
+                    newRealm = ntlmChallenge(ntlmAuthenticate, request, proxyServer, request.getHeaders(), realm, future, false);
 
                     // don't forget to reuse channel: NTLM authenticates a connection
                     future.setReuseChannel(true);
@@ -290,8 +292,9 @@ private boolean exitAfterHandling407(//
                 FluentCaseInsensitiveStringsMap requestHeaders = request.getHeaders();
 
                 boolean negociate = proxyAuthHeaders.contains("Negotiate");
-                if (!proxyAuthHeaders.contains("Kerberos") && (isNTLM(proxyAuthHeaders) || negociate)) {
-                    newRealm = ntlmProxyChallenge(proxyAuthHeaders.get(0), request, proxyServer, requestHeaders, realm, future, true);
+                String ntlmAuthenticate = getNTLM(proxyAuthHeaders);
+                if (!proxyAuthHeaders.contains("Kerberos") && ntlmAuthenticate != null) {
+                    newRealm = ntlmProxyChallenge(ntlmAuthenticate, request, proxyServer, requestHeaders, realm, future, true);
                     // SPNEGO KERBEROS
                 } else if (negociate) {
                     newRealm = kerberosChallenge(channel, proxyAuthHeaders, request, proxyServer, requestHeaders, realm, future, true);

providers/netty/src/main/java/org/asynchttpclient/providers/netty/request/NettyRequestFactory.java

@@ -13,7 +13,7 @@
  */
 package org.asynchttpclient.providers.netty.request;
 
-import static org.asynchttpclient.providers.netty.util.HttpUtils.isNTLM;
+import static org.asynchttpclient.providers.netty.util.HttpUtils.getNTLM;
 import static org.asynchttpclient.providers.netty.util.HttpUtils.isSecure;
 import static org.asynchttpclient.providers.netty.util.HttpUtils.isWebSocket;
 import static org.asynchttpclient.providers.netty.util.HttpUtils.useProxyConnect;
@@ -157,13 +157,14 @@ public String firstRequestOnlyProxyAuthorizationHeader(Request request, ProxySer
 
         if (method == HttpMethod.CONNECT) {
             List<String> auth = request.getHeaders().get(HttpHeaders.Names.PROXY_AUTHORIZATION);
-            if (isNTLM(auth)) {
-                proxyAuthorization = auth.get(0);
+            String ntlmHeader = getNTLM(auth);
+            if (ntlmHeader != null) {
+                proxyAuthorization = ntlmHeader;
             }
 
         } else if (proxyServer != null && proxyServer.getPrincipal() != null && isNonEmpty(proxyServer.getNtlmDomain())) {
             List<String> auth = request.getHeaders().get(HttpHeaders.Names.PROXY_AUTHORIZATION);
-            if (!isNTLM(auth)) {
+            if (getNTLM(auth) == null) {
                 String msg = NTLMEngine.INSTANCE.generateType1Msg();
                 proxyAuthorization = "NTLM " + msg;
             }

providers/netty/src/main/java/org/asynchttpclient/providers/netty/util/HttpUtils.java

@@ -12,8 +12,6 @@
  */
 package org.asynchttpclient.providers.netty.util;
 
-import static org.asynchttpclient.util.MiscUtils.isNonEmpty;
-
 import java.util.List;
 
 import org.asynchttpclient.uri.Uri;
@@ -28,8 +26,15 @@ public final class HttpUtils {
     private HttpUtils() {
     }
 
-    public static boolean isNTLM(List<String> auth) {
-        return isNonEmpty(auth) && auth.get(0).startsWith("NTLM");
+    public static String getNTLM(List<String> authenticateHeaders) {
+        if (authenticateHeaders != null) {
+            for (String authenticateHeader: authenticateHeaders) {
+                if (authenticateHeader.startsWith("NTLM"))
+                    return authenticateHeader;
+            }
+        }
+
+        return null;
     }
 
     public static boolean isWebSocket(String scheme) {