Menu
deprecation notice. My workplace still uses the NTLM authentication scheme. We have over 600k employees so it's not a small company. If I encounter the 401 status code, "NTLM" is the only scheme that is accepted. How can I utilize the newer versions of Apache HttpClient and still handle the NTLM challenge-response? Is it possible to use an existing Java library and work directly with the headers?
I've searched stack overflow for NTLM and HttpClient deprecation but can't find anything helpful.
446
asked Jun 03 '26 11:06
How can I utilize the newer versions of Apache HttpClient and still handle the NTLM challenge-response?
According to the latest published javadocs for Apache HttpClient 5.4 alpha, NTLM support has not been removed yet. However, that won't be a long term solution.
The real problem here is that Microsoft is planning to kill off NTLM ... because it is no longer considered to be secure:
So, sooner or later your company is going to have to switch from NTLM to something better.
I guess you could investigate other Java HTTP client libraries to see if they intend to keep NTLM support going longer. But it strikes me as a waste of effort to convert all of your code ... as a solution to the NTLM problem. Likewise, creating and maintaining your own fork of the Apache HTTPClient library (where NTLM support continues) would be an effort sink ... assuming that you / your team had the skills to do it.
Is it possible to use an existing Java library and work directly with the headers?
I can't see how you would do that. And assuming it is actually feasible, it would be a bad idea to roll your own NTLM implementation even if you are security expert.
In short, I don't think there are any easy solutions.
70
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
