chemistry-dev mailing list archives

From Florian Müller <florian.muel...@alfresco.com>
Subject Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
Date Fri, 16 Sep 2011 18:59:13 GMT
This is the wrong mailing list for SharePoint configuration questions. ;-)
I think it is possible, but you should talk to a SharePoint expert.

Also, turn cookies on. (The OpenCMIS 0.5.0 release should be available in a few days.)


Florian


On 16/09/2011 19:38, Naresh Bhatia wrote:
> Thanks Florian - this is VERY helpful. Do you know if SharePoint can be
> configured to handle Basic Authentication in addition to NTLM, or does it
> have to be only one of the two.
> 
> Thanks.
> Naresh
> 
> 
> 
> On Fri, Sep 16, 2011 at 12:12 PM, Florian Müller <
> florian.mueller@alfresco.com> wrote:
> 
>> Hi Naresh,
>>
>> There are multiple issues with NTLM. Some are related to how NTLM is
>> handled in Java; some are related to the combination of NTLM and chunking.
>>
>> Unfortunately, there is only one static java.net.Authenticator object in
>> Java, that is responsible for the NTLM credentials.
>> If there is only one user (-> CMIS Workbench) then this limitation is no
>> problem. If the application should be able to connect with multiple users,
>> then this becomes a major issue.
>> The only information the Authenticator object gets, when it is asked for
>> credentials, is the URL. Since the CMIS URLs are all the same for all users,
>> there is no way to pick the right credentials.
>> That's a road block for your use-case.
>>
>> The second problem is chunking. OpenCMIS is optimized for handling really
>> big documents. It doesn't buffer the documents, it streams them directly to
>> the repository. In order to do that it sends the documents in chunks.
>> NTLM authenticates TCP connections, not requests. If such a request with
>> chunks hits an unauthenticated TCP connection, it fails. The next attempt
>> will probably work because the connection will be authenticated after the
>> failure.
>> There would be ways to avoid this and make sure that all connections are
>> always authenticated with the right user but nobody has written this code
>> for OpenCMIS yet.
>> The new cookie support in OpenCMIS 0.5.0 may solve this particular issue
>> when OpenCMIS talks to SharePoint, but that hasn't been verified.
>>
>> Conclusion: NTLM makes more or less sense for web browsers. It is less than
>> optimal for APIs - especially when you are connecting from Java.
>> The only viable solution is to reconfigure the SharePoint server to accept
>> basic authentication.
>>
>>
>> Florian
>>
>>
>>
>> On 16/09/2011 16:15, Naresh Bhatia wrote:
>>> Hi Florian,
>>>
>>> My responses below:
>>>
>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>>>
>>> Yes, this is how I am doing it:
>>> parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
>>>     "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider");
>>>
>>> - Does the user name follow the pattern "<domain>\<login>"?
>>> Tried it with and without the domain name.
>>>
>>> - Is this the only application in your Tomcat? If not, is there another
>>> application that uses the java.net.Authenticator class?
>>> This is the only app.
>>>
>>> - Does your application create multiple sessions with different users?
>>> (That doesn't work with NTLM.)
>>> That is the ultimate intent, but for the purpose of my test I am the only
>>> user. Could you please expand on why NTLM wouldn't work with multiple users?
>>> Is it not designed for this use case? (I have no expertise in NTLM). Also I
>>> found that IE was able to connect to the SharePoint instance without asking
>>> for username/password, whereas Firefox was not able to do this. My
>>> understanding is that NTLM uses the logged in user's credentials. So does it
>>> even accept username/password?
>>>
>>>
>>> - Does it fail immediately when it tries to retrieve the repository infos?
>>> If not, you are running into another known problem with NTLM. Some operations
>>> have to be repeated once in a while to work correctly.
>>>
>>> Don't understand what you mean by failing immediately. This is what I am
>>> seeing (some items truncated)
>>>
>>> OpenCMIS
>>>
>>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
>>>
>>>
>>>
>>> IIS/SharePoint
>>>
>>> HTTP/1.1 401 Unauthorized
>>>
>>> Server: Microsoft-IIS/7.5
>>>
>>> SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039
>>>
>>> WWW-Authenticate: Negotiate
>>>
>>> WWW-Authenticate: NTLM
>>>
>>>
>>>
>>> OpenCMIS
>>>
>>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
>>>
>>> User-Agent: Apache Chemistry OpenCMIS
>>>
>>> Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04=
>>>
>>>
>>>
>>> IIS/SharePoint
>>>
>>> HTTP/1.1 401 Unauthorized
>>>
>>> Server: Microsoft-IIS/7.5
>>>
>>> SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a
>>>
>>> WWW-Authenticate: NTLM Tl..............AA=
>>>
>>> WWW-Authenticate: Negotiate
>>>
>>>
>>>
>>> This keeps on going 39 times and finally OpenCMIS gives up
>>>
>>> Naresh
>>>
>>> On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller <
>>> florian.mueller@alfresco.com> wrote:
>>>
>>>> Naresh,
>>>>
>>>> A few checkpoints:
>>>>
>>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>>>> - Does the user name follow the pattern "<domain>\<login>"?
>>>> - Is this the only application in your Tomcat? If not, is there another
>>>> application that uses the java.net.Authenticator class?
>>>> - Does your application create multiple sessions with different users?
>>>> (That doesn't work with NTLM.)
>>>> - Does it fail immediately when it tries to retrieve the repository infos?
>>>> If not, you are running into another known problem with NTLM. Some operations
>>>> have to be repeated once in a while to work correctly.
>>>>
>>>> Again, NTLM is not a viable option for a production system.
>>>>
>>>>
>>>> - Florian
>>>>
>>>>
>>>> On 16/09/2011 02:54, Naresh Bhatia wrote:
>>>>> George,
>>>>>
>>>>> Per your suggestion, I used Fiddler to monitor the traffic between CMIS
>>>>> Workbench and SP. CMIS workbench (as well as my standalone OpenCMIS program)
>>>>> is able to authenticate successfully in 2 tries. However I can't figure out
>>>>> what credentials are being sent to SP as they are hashed or encrypted, e.g.
>>>>>
>>>>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04=
>>>>>
>>>>> How did you figure out what this means?
>>>>>
>>>>> Anyway, when I try the same experiment with OpenCMIS running on Tomcat,
>>>>> OpenCMIS tries 39 times to authenticate, but the server keeps on returning
>>>>> 401's. OpenCMIS finally gives up. Again, the Authorization headers are
>>>>> encrypted, so I really don't know what OpenCMIS is trying to do.
>>>>>
>>>>> Any further pointers on this issue?
>>>>>
>>>>> Thanks.
>>>>> Naresh
>>>>>
>>>>>
>>>>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George <
>>>>> George.Florentine@flatironssolutions.com> wrote:
>>>>>
>>>>>> Naresh, I'd suggest using Wireshark or some other network protocol analyzer
>>>>>> to look at the packets going between your application and the SharePoint
>>>>>> CMIS producer endpoint. I found that very useful when trying to debug
>>>>>> authorization issues between the OpenCMIS client and the SP server. For
>>>>>> example, I discovered that when you specify NTLM as the authentication
>>>>>> mechanism, the OpenCMIS client tries to first send the credentials of the
>>>>>> process persona your web is running in on your app server before it sends
>>>>>> the credentials you specify in your code. I would never have figured that
>>>>>> out without looking at network packets... You might also want to post to the
>>>>>> group what calls you're making to the OpenCMIS classes to set authorization
>>>>>> type and creds. That info will be useful in determining why your app is
>>>>>> behaving differently from the CMIS Workbench client.
>>>>>>
>>>>>> thx,
>>>>>>
>>>>>> g
>>>>>> ---
>>>>>>
>>>>>>
>>>>>> George Florentine
>>>>>>
>>>>>> VP, Engineering
>>>>>>
>>>>>> +1 (303) 542-2173  |  Office
>>>>>> +1 (303) 669-8628  |  Cell
>>>>>> +1 (303) 544-0522  |  Fax
>>>>>>
>>>>>> george.florentine@flatironssolutions.com
>>>>>>
>>>>>> http://www.flatironssolutions.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>> Sent: Wednesday, September 07, 2011 6:50 PM
>>>>>> To: dev@chemistry.apache.org
>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>
>>>>>> Jérôme,
>>>>>>
>>>>>> I made quite a bit of progress based on your suggestions. I have figured out
>>>>>> what my Library Id is. I can access the library using the CMIS Workbench and
>>>>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get it to
>>>>>> work through my web application - it is giving me
>>>>>> a CmisUnauthorizedException:
>>>>>>
>>>>>> org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: Unauthorized
>>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423)
>>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552)
>>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716)
>>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62)
>>>>>> at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69)
>>>>>> at org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610)
>>>>>> at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92)
>>>>>> at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64)
>>>>>> at com.wellmanage.wellington2go.domain.cmis.CmisSession.<init>(CmisSession.java:69)
>>>>>>
>>>>>> The parameters I am passing to SessionFactory.createSession() are exactly
>>>>>> the same as what I pass to my standalone app, so I can't understand why I
>>>>>> get the CmisUnauthorizedException.
>>>>>>
>>>>>> Another interesting thing is that my standalone program (and CMIS Workbench)
>>>>>> can access SharePoint even if I don't pass a username and password. That's
>>>>>> really puzzling.
>>>>>>
>>>>>> Anything you can make out of this?
>>>>>>
>>>>>> Thanks.
>>>>>> Naresh
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard <jsimard@xybion.com>
>>>> wrote:
>>>>>>
>>>>>>> Naresh,
>>>>>>>
>>>>>>> Sorry I meant Library id.
>>>>>>>
>>>>>>> Your best bet would be to use the CMIS Workbench to connect to SharePoint
>>>>>>> using the webservice binding, once connected you will see the Library ID of
>>>>>>> all the available SharePoint libraries. It should have this form
>>>>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f.
>>>>>>>
>>>>>>> Good luck,
>>>>>>> Jérôme
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>>> Sent: 2 septembre 2011 15:36
>>>>>>> To: dev@chemistry.apache.org
>>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>>
>>>>>>> Thanks so much Jérôme. I will give it a shot.
>>>>>>>
>>>>>>> What is a Site ID btw?
>>>>>>>
>>>>>>> Naresh
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard <jsimard@xybion.com>
>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Naresh,
>>>>>>>>
>>>>>>>> You must use the same URL for each services, i.e
>>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx
>>>>>>>>
>>>>>>>> To use the AtomPub binding, your URL should include the Site ID, like this:
>>>>>>>>
>>>>>>>> http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jérôme
>>>>>>>>
>>>>>>>>
>>>>>>>> Jérôme Simard
>>>>>>>> Principal Software Architect  |  T 418-525-0606 #2264  |  F 418-525-0909
>>>>>>>> 400, boul. Jean-Lesage, Suite 38  |  Québec, QC, Canada, G1K 8W1  |
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>>>> Sent: 2 septembre 2011 15:09
>>>>>>>> To: dev
>>>>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>>>
>>>>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was given a URL
>>>>>>>> for the WSDL by my sysadmin (something like
>>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it looks like
>>>>>>>> the URL has a combined WSDL for all CMIS services. Looking at this OpenCMIS
>>>>>>>> example <http://chemistry.apache.org/java/examples/example-create-session.html>,
>>>>>>>> it appears that I need one URL per service.
>>>>>>>>
>>>>>>>>
>>>>>>>>    1. How do I go about connecting to Sharepoint using this combined WSDL?
>>>>>>>>    Does Sharepoint also publish separate WSDLs as shown in the example.
>>>>>>>>    2. Does sharepoint support AtomPub?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> Naresh
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> 
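
Added example, not part of the thread and not OpenCMIS code: the `Authorization: NTLM ...` and `WWW-Authenticate: NTLM ...` values in the traces quoted above are base64-encoded NTLMSSP messages, and this Python decoder shows which fields each message type exposes when debugging such a 401 loop. The sample message is constructed (the names EXAMPLE and WKSTN01 are made up), and the field offsets follow the published NTLM message layout (MS-NLMP).

```python
import base64
import struct
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE instead of OEM

def _field(msg, pos, encoding):
    """Decode the security buffer (length, max length, offset) stored at pos."""
    if pos + 8 > len(msg):
        return ""  # optional field absent from a short message
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length].decode(encoding, "replace")

def decode_ntlm_header(value):
    """Decode an 'NTLM <base64>' header value into its readable fields."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header carrying a token")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 16 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:  # NEGOTIATE, client: OEM names only, no user, no secret
        return {"type": "NEGOTIATE", "flags": struct.unpack_from("<I", msg, 12)[0],
                "domain": _field(msg, 16, "ascii"), "workstation": _field(msg, 24, "ascii")}
    if mtype == 2 and len(msg) >= 32:  # CHALLENGE, server: target and nonce
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return {"type": "CHALLENGE", "flags": flags,
                "target": _field(msg, 12, enc),
                "server_challenge": msg[24:32].hex()}
    if mtype == 3 and len(msg) >= 64:  # AUTHENTICATE, client: names in clear
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return {"type": "AUTHENTICATE", "flags": flags,
                "domain": _field(msg, 28, enc), "user": _field(msg, 36, enc),
                "workstation": _field(msg, 44, enc)}
    raise ValueError("unsupported or truncated NTLM message (type %d)" % mtype)

def sample_negotiate_header(domain=b"EXAMPLE", workstation=b"WKSTN01"):
    """Constructed Type 1 header value; names are made up, not from the thread."""
    msg = struct.pack("<8sIIHHIHHI", SIGNATURE, 1, 0x00003206,
                      len(domain), len(domain), 32 + len(workstation),
                      len(workstation), len(workstation), 32) + workstation + domain
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(decode_ntlm_header(sample_negotiate_header()))
```

A bare `NTLM` challenge without a token, as in the first 401 of the trace, is rejected with `ValueError` because there is no message to decode. The LM and NT response buffers of an AUTHENTICATE message are deliberately not returned.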

