I'm trying to implement an HTTP proxy in Java that adds Windows Integrated Authentication to all requests.
What I have in mind is basically to negotiate the correct authentication scheme between the proxy (in the domain) and the server which, as I understand it, should result in some kind of token that can simply be added to the requests in the Authorization header.
The background here is that we're trying to use a Selenium Grid with agents outside of the domain. So negotiating the authentication directly in the browser doesn't work.
We already have a BrowserMobProxy in place to handle Basic Authentication, however we also need WIA.
Does anyone have an idea how I can generate that required token? Or maybe I've got it wrong and this approach doesn't work at all for some reason?
Any help would be appreciated!
I'd ignore NTLM if possible; everyone is trying to get rid of it, not to have more of it.
Java seems to have built-in Kerberos support as part of JAAS, which can either use its internal implementation (which needs credentials to be provided e.g. as a keytab) or integrate with Windows native SSPI (which can automatically use the service's AD credentials). In theory, as long as SSPI is used, it could do Kerberos and NTLM. There is another implementation, Apache Kerby, but it seems to be much more barebones.
Note that HTTP Negotiate uses SPNEGO – that's two layers of wrapping around an actual raw Kerberos token (AP-REQ), just to avoid confusion when reading docs and trying to send the wrong kind of "Kerberos token". The standard interface around Kerberos is GSS API (which produces its own tokens that basically just carry a Kerberos token inside), and Java can do that natively – but many Windows protocols use SPNEGO which is another intermediate layer (that's the one that multiplexes Kerberos and NTLM), and most web servers will specifically want GSS<SPNEGO<Kerberos>> tokens instead of plain GSS<Kerberos> tokens.
I haven't dealt with Java to this extent, but kerb4j looks like what you need to handle everything on your behalf (acquiring Kerberos tickets via Apache Kerby, generating GSS-SPNEGO tokens, etc).