[Melbourne-pm] SSO authentication

Mithun Radhakrishnan mithunr2003 at gmail.com
Mon May 26 08:26:38 PDT 2014


After doing some more debugging I ended up installing the following modules, and
the code below is still not able to authenticate to the SSO server. It seems there is
a problem with the GSSAPI library.


http://search.mcpan.org/dist/libwww-perl/lib/LWP/Authen/Ntlm.pm
https://metacpan.org/pod/LWP::Authen::Negotiate
https://metacpan.org/pod/GSSAPI

--------------------------------CODE--------------------------------------------------------------------------------------------------
#!/usr/bin/env perl
use LWP::UserAgent;
use HTTP::Cookies;
use Data::Dumper;
use LWP::Debug qw(+);

my $ua = LWP::UserAgent->new( keep_alive => 1 );
my $cookies = {};
$ua->cookie_jar($cookies);
print "->Setting Credentials\n";
$ua->credentials( 'some-server.com', '', 'user', 'password' );
my $uri = 'http://some-server.com/a/b/c';
my $r1  = $ua->get($uri);
print $r1->headers()->as_string;

-------------------------------OUTPUT-------------------------------------------------------------------------------------

->Setting Credentials
LWP::Authen::Negotiate::authenticate: authenticate() version 0.08 called
LWP::Authen::Negotiate::authenticate: target hostname sso-server.com
LWP::Authen::Negotiate::authenticate: GSSAPI servicename HTTP at sso-server.com
LWP::Authen::Negotiate::authenticate: Unspecified GSS failure.  Minor code
may provide more information
LWP::Authen::Negotiate::authenticate: Credentials cache file
'/tmp/krb5cc_500' not found
Date: Mon, 26 May 2014 14:50:59 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 1293
Content-Type: text/html
Client-Date: Mon, 26 May 2014 14:50:56 GMT
Client-Peer: 173.38.52.70:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=some Systems/CN=some SSCA2
Client-SSL-Cert-Subject: /C=US/ST=California/L=San Jose/O=some Technology,
Inc./CN=sso-server.com
Client-SSL-Cipher: RC4-SHA
Client-SSL-Socket-Class: IO::Socket::SSL
Title: 401 - Unauthorized: Access is denied due to invalid credentials.
-------------------------------------------------------------------------------------------------

Regards
Mithun







On Fri, May 23, 2014 at 7:35 PM, Mithun Radhakrishnan <mithunr2003 at gmail.com> wrote:

>
> Though the usage of "LWP::Authen::Ntlm" says that "LWP::UserAgent" will be
> able to identify the authentication scheme; in my case it is not able to.
> Still getting the same error even after installing the latest version of
> the module (LWP::Authen::Ntlm) from CPAN.
> Also I changed my code to set the credentials through $ua->credentials()
> instead of HTTP::Request object's authorization_basic method as suggested
> in the document.
> http://search.cpan.org/dist/libwww-perl/lib/LWP/Authen/Ntlm.pm#USAGE
>
> I am currently trying to understand the "LWP::UserAgent" code to see where
> it identifies the authentication scheme.
>
> Regards
> Mithun
>
> On Fri, May 23, 2014 at 4:29 PM, Toby Wintermute <tjc at wintrmute.net> wrote:
>
>> The hint is present in the output - where it says unsupported auth type,
>> NTLM.
>> That's not "basic" auth, that's a proprietary Microsoft method.
>> Searching metacpan for ntlm brings up at least three modules that look
>> like they handle it. Look into those further?
>> On 23/05/2014 8:09 pm, "Mithun Radhakrishnan" <mithunr2003 at gmail.com>
>> wrote:
>>
>>> Thanks Jarrod and Toby for your comments.
>>>
>>> I installed the Mozilla::CA module from CPAN and that error went away. But
>>> then I get the authentication error below when I ran the same script with
>>> the same credentials.
>>>
>>> HTTP/1.1 401 Unauthorized
>>> Date: Fri, 23 May 2014 09:03:40 GMT
>>> Server: Microsoft-IIS/7.5
>>> WWW-Authenticate: Negotiate
>>> WWW-Authenticate: NTLM
>>> Content-Length: 1293
>>> Content-Type: text/html
>>> Client-Date: Fri, 23 May 2014 09:03:40 GMT
>>> Client-Peer: 173.38.9.38:443
>>> Client-Response-Num: 1
>>> Client-SSL-Cert-Issuer: /O=Company Systems/CN=Company SSCA2
>>> Client-SSL-Cert-Subject: /C=US/ST=California/L=San Jose/O=Company
>>> Technology, Inc./CN=server.domain.com
>>> Client-SSL-Cipher: RC4-SHA
>>> Client-SSL-Socket-Class: IO::Socket::SSL
>>> Client-Warning: Unsupported authentication scheme 'ntlm'
>>> Title: 401 - Unauthorized: Access is denied due to invalid credentials.
>>>
>>> The URL that I am using is not available on the internet. It is an intranet
>>> one. When I use the same URL from a browser, it redirects to an SSL server
>>> and then prompts for a password, and once authenticated it redirects to the
>>> URL which I actually requested and gives me the proper XML response.
>>>
>>> I don't know how to automate this kind of authentication mechanism.
>>> Can you suggest some other way of authentication in LWP?
>>>
>>> Regards
>>> Mithun
>>>
>>>
>>> On Fri, May 23, 2014 at 2:16 PM, Toby Wintermute <tjc at wintrmute.net> wrote:
>>>
>>>> You've blanked out the actual URL you're trying to GET, so we can't
>>>> check.. but are you sure that it's not redirecting to an HTTPS URL,
>>>> and thus triggering the SSL-related comments from LWP?
>>>>
>>>> I don't suppose you've tried following the hints given to you by LWP,
>>>> that you quoted in your post?
>>>> ie. Either installing the Mozilla CA package, or pointing to an
>>>> existing CA package, or disabling CA verification altogether.
>>>>
>>>> On 23 May 2014 00:09, Mithun Radhakrishnan <mithunr2003 at gmail.com>
>>>> wrote:
>>>> >
>>>> > I need to do an SSO authentication and do an HTTP GET request for a web
>>>> > service.
>>>> >
>>>> > I get the below response content on doing a basic authentication using LWP.
>>>> > I am trying to automate the testing of some of the web services. But the
>>>> > basic authentication using Mozilla (browser) REST client works properly and
>>>> > it is giving the expected response.
>>>> >
>>>> > Do we need to do a different authentication mechanism in LWP for SSO?
>>>> >
>>>> >
>>>> > "Can't verify SSL peers without knowning which Certificate Authorities to
>>>> > trust
>>>> >
>>>> > This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
>>>> > envirionment variable or by installing the Mozilla::CA module.
>>>> >
>>>> > To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
>>>> > envirionment variable to 0.  If you do this you can't be sure that you
>>>> > communicate with the expected peer.
>>>> > "
>>>> >
>>>> >
>>>> >
>>>> > -------------------------------------------------------------------------------------------
>>>> > use strict;
>>>> > use warnings;
>>>> > use LWP::UserAgent;
>>>> > use HTTP::Request;
>>>> >
>>>> > my $method = 'GET';
>>>> > my $uri    = 'http://xxxx';
>>>> > my $username = 'xxx';
>>>> > my $password = 'xxxx';
>>>> >
>>>> > my $cookie_location = "/tmp/cookie";    # This must be read/write
>>>> > my $ua = LWP::UserAgent->new(keep_alive => 1);
>>>> > $ua->default_header( 'Accept' => '*/*' );
>>>> > $ua->cookie_jar(
>>>> >     {
>>>> >         file           => $cookie_location,
>>>> >         autosave       => 1,
>>>> >         ignore_discard => 1
>>>> >     }
>>>> > );
>>>> >
>>>> > # Sends an HTTP Basic Authorization header with the request
>>>> > my $request = HTTP::Request->new( $method, $uri );
>>>> > $request->authorization_basic( $username, $password );
>>>> > my $response = $ua->request($request);
>>>> >
>>>> >
>>>> > ---------------------------------------------------------------------------------
>>>> >
>>>> >
>>>> > Regards
>>>> > Mithun
>>>> >
>>>> > _______________________________________________
>>>> > Melbourne-pm mailing list
>>>> > Melbourne-pm at pm.org
>>>> > http://mail.pm.org/mailman/listinfo/melbourne-pm
>>>>
>>>>
>>>>
>>>> --
>>>> Turning and turning in the widening gyre
>>>> The falcon cannot hear the falconer
>>>> Things fall apart; the center cannot hold
>>>> Mere anarchy is loosed upon the world
>>>>
>>>
>>>
>
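
Added example, not part of the original thread and not LWP's own code: a small diagnostic that, for each scheme offered in a 401 like the ones quoted above, reports whether the matching LWP::Authen handler loads, whether a Kerberos ticket cache exists for Negotiate, and the "host:port" netloc that $ua->credentials() is matched on. The helper names are hypothetical, the sample response is constructed from the headers in the thread, and the cache path assumes the MIT Kerberos default.

```perl
# Added diagnostic example (not from the thread); helper names are hypothetical.
use strict;
use warnings;
use HTTP::Response;
use URI;

# Constructed sample: the two challenges shown in the 401 output in the thread.
my $res = HTTP::Response->new( 401, 'Unauthorized' );
$res->push_header( 'WWW-Authenticate' => $_ ) for qw(Negotiate NTLM);

# Scheme names offered by the server, in order (first token of each challenge).
sub offered_schemes {
    my ($response) = @_;
    return map { lc( ( split ' ', $_ )[0] ) } $response->header('WWW-Authenticate');
}

# Handler class LWP::UserAgent looks for: LWP::Authen::<Scheme>, '-' becomes '_'.
sub handler_class {
    my ($scheme) = @_;
    ( my $class = 'LWP::Authen::' . ucfirst( lc $scheme ) ) =~ s/-/_/g;
    return $class;
}

# True if the handler and everything it depends on can be loaded.
sub can_load {
    my ($class) = @_;
    ( my $file = "$class.pm" ) =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

# Assumption: MIT Kerberos default of FILE:/tmp/krb5cc_<uid> unless KRB5CCNAME
# is set. Returns undef for non-file caches (KEYRING:, KCM:, DIR:).
sub krb5_ccache_file {
    my $cc = $ENV{KRB5CCNAME} // ( 'FILE:/tmp/krb5cc_' . $< );
    return $cc =~ /^FILE:(.+)/ ? $1 : $cc =~ m{^/} ? $cc : undef;
}

# LWP matches stored credentials on "host:port", not on the bare host name.
sub netloc_for { return URI->new( $_[0] )->host_port }

for my $scheme ( offered_schemes($res) ) {
    my $class = handler_class($scheme);
    printf "%-10s %-24s %s\n", $scheme, $class,
        can_load($class) ? 'loadable' : 'not loadable';
}
my $cc = krb5_ccache_file();
print 'Kerberos ticket cache: ',
    !defined $cc ? 'not a file cache' : -e $cc ? "$cc present" : "$cc missing", "\n";
print 'credentials() netloc: ', netloc_for('https://sso-server.com/'), "\n";
```

A handler reported as not loadable corresponds to the "Unsupported authentication scheme" Client-Warning quoted earlier in the thread, and a missing cache file corresponds to the "Credentials cache file ... not found" line in the latest output, which means Negotiate has no Kerberos ticket to present until one is obtained (for example with kinit).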