Oracle's "Http Authentication" page from the Java SE 6 documentation says that "if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache" then the instance passed to Authenticator.setDefault() "will be completely ignored".
This matches what I observed: setting up an HTTP or HTTPS connection on a Windows system to host X always passes the credentials for host X from the 'Windows Credentials' of the 'Windows Vault', as seen in my Windows 7 'Credential Manager' Control Panel page.
However, in my use case I don't want to use any credentials which might be stored by Windows, but instead I always want to use credentials I explicitly specify in the code.
Is there a way to override the documented behavior, i.e., is there a way to ignore the credentials stored by Windows?
Update: If not, could someone point me to a place in the Java SE 6 source code where I can see that the stored Windows credentials cannot be ignored?
You can force Windows Credential Manager to never store credentials by disabling it in the registry. Note that this will completely prevent it from storing any credentials for any service.
The Windows Credential Manager is anything but secure. It's "secure" at the user account level, which means that any process that the user ever runs and the user themselves must necessarily be trusted in order to call this system "secure" with a straight face.
At least in Java 7 there is a class called sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback that seems to help with this situation. Single sign-on is only invoked for "trusted" URLs.
Here is the simplest implementation to turn it off (have this initialiser called prior to opening the HTTP connection):
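    // Needs: import java.net.URL;
    //        import sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback;
    static {
        // Report every URL as untrusted so single sign-on is never invoked.
        NTLMAuthenticationCallback.setNTLMAuthenticationCallback(new NTLMAuthenticationCallback() {
            @Override
            public boolean isTrustedSite(URL url) {
                return false;
            }
        });
    }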
I guess the default implementation is to trust everything :(
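The callback from the answer above combined with an explicit Authenticator, as an added example that is not part of the original answer. The class name and the host intranet.example.com are hypothetical, and the Authenticator answers only server challenges from that one host so the explicit credentials are not offered to any other server.

```java
import java.io.Console;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback; // internal JDK class

public class ExplicitCredentialsClient {
    // Hypothetical host, for illustration only.
    private static final String EXPECTED_HOST = "intranet.example.com";

    static void install(final String user, final char[] password) {
        // No URL is trusted, so single sign-on with the logged-on Windows
        // identity is never invoked (the behaviour the answer describes).
        NTLMAuthenticationCallback.setNTLMAuthenticationCallback(new NTLMAuthenticationCallback() {
            @Override
            public boolean isTrustedSite(URL url) {
                return false;
            }
        });
        // Credentials now have to come from the default Authenticator.
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                // Refuse proxy challenges and challenges from unexpected hosts.
                // getRequestingHost() may be null; equalsIgnoreCase(null) is false.
                if (getRequestorType() != RequestorType.SERVER
                        || !EXPECTED_HOST.equalsIgnoreCase(getRequestingHost())) {
                    return null;
                }
                return new PasswordAuthentication(user, password);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: ExplicitCredentialsClient <user> (interactive console required)");
            return;
        }
        // Read the password without echo instead of taking it from argv.
        char[] password = console.readPassword("Password for %s: ", args[0]);
        install(args[0], password);
        URL url = new URL("https://" + EXPECTED_HOST + "/");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

NTLMAuthenticationCallback lives in a sun.* package, so it is an internal class rather than a supported API and may change between JDK releases.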