Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-2326

Manage authentication for NTLM proxies

XMLWordPrintable

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      We want to access RRS content internally, but we are using a secured proxy (requiring authentication via NTLM or user/password).
      We setted up the standard Java proxies properties: http.proxyHost, http.proxyPort and http.auth.ntlm.domain. But it seams that the http.auth.ntlm.domain properties does not work to authenticate HTTP connections from confluence.
      The proxy server is found, but there is a credential problem during the authentication to the NT Domain.
      It works fine if we define these properties using Eclipse for example, but not with Confluence.
      We used JDK 1.4.2 so it should work... Maybe You don't use a standard HTTP Connection ?

      Do you have an idea to solve this problem ?

        1. HttpClientHttpRetrievalService.class
          8 kB
          Matt Ryall
        2. HttpClientHttpRetrievalService.jad
          8 kB
          Samuel Le Berrigaud

            [CONFSERVER-2326] Manage authentication for NTLM proxies

            Matt Ryall added a comment -

            This functionality will be in Confluence 2.10. The documentation here has been updated:

            http://confluence.atlassian.com/x/TMkB

            Matt Ryall added a comment - This functionality will be in Confluence 2.10. The documentation here has been updated: http://confluence.atlassian.com/x/TMkB

            Jeremy Largman added a comment -

            Adding the Plugin Development component in case this is implemented by offering support for the NTLM plugin.

            Jeremy Largman added a comment - Adding the Plugin Development component in case this is implemented by offering support for the NTLM plugin .

            James Fleming (Inactive) added a comment -

            CSP-18412 is another case where NTLM proxy authentication is required. This time, it's for the plugin repository.

            James Fleming (Inactive) added a comment - CSP-18412 is another case where NTLM proxy authentication is required. This time, it's for the plugin repository.

            Rick Hadsall added a comment -

            Matt,

            I've tried those - it definitely does not authenticate. I opened a new issue for it with a copy of my setenv.sh setup. I'll enable debug logging Monday and attach that as well.

            See: http://jira.atlassian.com/browse/CONF-10986

            I'll stick the logs in there.

            Rick

            Rick Hadsall added a comment - Matt, I've tried those - it definitely does not authenticate. I opened a new issue for it with a copy of my setenv.sh setup. I'll enable debug logging Monday and attach that as well. See: http://jira.atlassian.com/browse/CONF-10986 I'll stick the logs in there. Rick

            Matt Ryall added a comment -

            Rick, proxies which use HTTP basic auth already work with Confluence, at least in recent versions. You need to set the appropriate system properties, which are http.proxyHost, http.proxyUser, http.proxyPassword, and optionally http.proxyPort (default is 80).

            If this still isn't working for you, please enable debug logging for the com.atlassian.confluence.util.http package and raise a new bug with a copy of your logs.

            Matt Ryall added a comment - Rick, proxies which use HTTP basic auth already work with Confluence, at least in recent versions. You need to set the appropriate system properties, which are http.proxyHost , http.proxyUser , http.proxyPassword , and optionally http.proxyPort (default is 80). If this still isn't working for you, please enable debug logging for the com.atlassian.confluence.util.http package and raise a new bug with a copy of your logs.

            Rick Hadsall added a comment -

            Matt,

            I tried your patch, but it did not work for basic authenticating proxies.

            Please see:

            http://hc.apache.org/httpclient-3.x/authentication.html#Proxy_Authentication

            This is vital for us in order to do RSS, Plugin Repository, HTTP Include, etc....

            Any chance at a patch that will read the http.proxyUser and http.proxyPassword properties passed into the JVM and construct the appropriate authentication credentials to the proxy?

            Note: This is not NTLM. It's just a regular ol' proxy that expects username/password - my server is Linux.

            Rick

            Rick Hadsall added a comment - Matt, I tried your patch, but it did not work for basic authenticating proxies. Please see: http://hc.apache.org/httpclient-3.x/authentication.html#Proxy_Authentication This is vital for us in order to do RSS, Plugin Repository, HTTP Include, etc.... Any chance at a patch that will read the http.proxyUser and http.proxyPassword properties passed into the JVM and construct the appropriate authentication credentials to the proxy? Note: This is not NTLM. It's just a regular ol' proxy that expects username/password - my server is Linux. Rick

            dave (Inactive) added a comment -

            Henrik,

            It would be best to forward this query to Dan Hardiker, who is the author of this plugin. His details can be accessed off the home page for this plugin at: http://confluence.atlassian.com/x/6IoC.

            Cheers,
            Dave

            dave (Inactive) added a comment - Henrik, It would be best to forward this query to Dan Hardiker, who is the author of this plugin. His details can be accessed off the home page for this plugin at: http://confluence.atlassian.com/x/6IoC . Cheers, Dave

            hendrik added a comment -

            Regarding the source. Currently our company is in the process of purchasing Confluence so currently we are still running the evaluation version but will have the commercial version within a month. So currently I have no access to src file s

            hendrik added a comment - Regarding the source. Currently our company is in the process of purchasing Confluence so currently we are still running the evaluation version but will have the commercial version within a month. So currently I have no access to src file s

            hendrik added a comment -

            I have installed the patched HttpClientHttpRetrievalService.class and this solves the proxy authorisation at our intranet for the rss plgugin just fine, regarding the fact of cource that you pass http.proxyUser and http.proxyPassword as JAVA_OPTS in setenv.sh

            However the confluence repository plugin does not work with this patched release. Is it not using the same class for client http retrieval?

            So rss plugin works fine repository plugin throws a 407 response and the nonProxyHost warning

            Two questions:

            • which service does the repository client use if it is different than the rss plugin
            • which source I have to use in order to patch it myself because I know our proxy has some stringent rules that might cause the problem

            For sake of completion included is the debug info the repository client throws at me

            2006-11-30 11:18:11,371 DEBUG: URL: http://files.adaptavist.com/repository/repository-full.xml
            2006-11-30 11:18:11,373 WARN : The system property http.nonProxyHost is set. You probably meant to set http.nonProxyHosts. 2006-11-30 11:18:11,374 DEBUG: Setting client proxy host to: (i deleted the name of our proxy )
            2006-11-30 11:18:11,387 DEBUG: HTTP Status: 407
            2006-11-30 11:18:11,388 DEBUG: HTTP Response Header - Proxy-Authenticate: BASIC realm="Internet Access : Please enter your CIL or CSL"
            2006-11-30 11:18:11,389 DEBUG: HTTP Response Header - Cache-Control: no-cache
            2006-11-30 11:18:11,390 DEBUG: HTTP Response Header - Pragma: no-cache
            2006-11-30 11:18:11,391 DEBUG: HTTP Response Header - Content-Type: text/html; charset=utf-8 2006-11-30 11:18:11,392 DEBUG: HTTP Response Header - Proxy-Connection: close
            2006-11-30 11:18:11,394 DEBUG: HTTP Response Header - Set-Cookie: BCSI-CS8ACB9038=2; Path=/
            2006-11-30 11:18:11,395 DEBUG: HTTP Response Header - Connection: close 2006-11-30 11:18:11,396 DEBUG: HTTP Response Header - Content-Length: 810
            2006-11-30 11:18:11,397 ERROR: Error downloading - status code 407 returned while downloading: http://files.adaptavist.com/repository/repository-full.xml

            hendrik added a comment - I have installed the patched HttpClientHttpRetrievalService.class and this solves the proxy authorisation at our intranet for the rss plgugin just fine, regarding the fact of cource that you pass http.proxyUser and http.proxyPassword as JAVA_OPTS in setenv.sh However the confluence repository plugin does not work with this patched release. Is it not using the same class for client http retrieval? So rss plugin works fine repository plugin throws a 407 response and the nonProxyHost warning Two questions: which service does the repository client use if it is different than the rss plugin which source I have to use in order to patch it myself because I know our proxy has some stringent rules that might cause the problem For sake of completion included is the debug info the repository client throws at me 2006-11-30 11:18:11,371 DEBUG: URL: http://files.adaptavist.com/repository/repository-full.xml 2006-11-30 11:18:11,373 WARN : The system property http.nonProxyHost is set. You probably meant to set http.nonProxyHosts. 2006-11-30 11:18:11,374 DEBUG: Setting client proxy host to: (i deleted the name of our proxy ) 2006-11-30 11:18:11,387 DEBUG: HTTP Status: 407 2006-11-30 11:18:11,388 DEBUG: HTTP Response Header - Proxy-Authenticate: BASIC realm="Internet Access : Please enter your CIL or CSL" 2006-11-30 11:18:11,389 DEBUG: HTTP Response Header - Cache-Control: no-cache 2006-11-30 11:18:11,390 DEBUG: HTTP Response Header - Pragma: no-cache 2006-11-30 11:18:11,391 DEBUG: HTTP Response Header - Content-Type: text/html; charset=utf-8 2006-11-30 11:18:11,392 DEBUG: HTTP Response Header - Proxy-Connection: close 2006-11-30 11:18:11,394 DEBUG: HTTP Response Header - Set-Cookie: BCSI-CS8ACB9038=2; Path=/ 2006-11-30 11:18:11,395 DEBUG: HTTP Response Header - Connection: close 2006-11-30 11:18:11,396 DEBUG: HTTP Response Header - Content-Length: 810 2006-11-30 11:18:11,397 ERROR: Error downloading - status code 407 returned while downloading: http://files.adaptavist.com/repository/repository-full.xml

            Deleted Account (Inactive) added a comment -

            I've tested the NTLM APS service in order to get the Confluence Repository Plugin working, and it seems to do quite well. Would be quite nice to do this directly within Confluence though.

            Deleted Account (Inactive) added a comment - I've tested the NTLM APS service in order to get the Confluence Repository Plugin working, and it seems to do quite well. Would be quite nice to do this directly within Confluence though.

              matt@atlassian.com Matt Ryall
              rickye Richard THIBAULT
              Votes:
              19 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: