chemistry-dev mailing list archives

From Naresh Bhatia <bhat...@comcast.net>
Subject Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
Date Fri, 16 Sep 2011 20:12:22 GMT
Sorry Florian. Just collecting some ammunition before I talk to the
SharePoint expert :-).

Naresh


On Fri, Sep 16, 2011 at 2:59 PM, Florian Müller <
florian.mueller@alfresco.com> wrote:

> This is the wrong mailing list for SharePoint configuration questions. ;-)
> I think it is possible, but you should talk to a SharePoint expert.
>
> Also, turn cookies on. (The OpenCMIS 0.5.0 release should be available in a
> few days.)
>
>
> Florian
>
>
> On 16/09/2011 19:38, Naresh Bhatia wrote:
> > Thanks Florian - this is VERY helpful. Do you know if SharePoint can be
> > configured to handle Basic Authentication in addition to NTLM, or does it
> > have to be only one of the two.
> >
> > Thanks.
> > Naresh
> >
> >
> >
> > On Fri, Sep 16, 2011 at 12:12 PM, Florian Müller <
> > florian.mueller@alfresco.com> wrote:
> >
> >> Hi Naresh,
> >>
> >> There are multiple issues with NTLM. Some are related to how NTLM is
> >> handled in Java; some are related to the combination of NTLM and
> >> chunking.
> >>
> >> Unfortunately, there is only one static java.net.Authenticator object in
> >> Java, that is responsible for the NTLM credentials.
> >> If there is only one user (-> CMIS Workbench) then this limitation is no
> >> problem. If the application should be able to connect with multiple users,
> >> then this becomes a major issue.
> >> The only information the Authenticator object gets, when it is asked for
> >> credentials, is the URL. Since the CMIS URLs are all the same for all users,
> >> there is no way to pick the right credentials.
> >> That's a road block for your use-case.
> >>
> >> The second problem is chunking. OpenCMIS is optimized for handling really
> >> big documents. It doesn't buffer the documents, it streams them directly to
> >> the repository. In order to do that it sends the documents in chunks.
> >> NTLM authenticates TCP connections, not requests. If such a request with
> >> chunks hits an unauthenticated TCP connection, it fails. The next attempt
> >> will probably work because the connection will be authenticated after the
> >> failure.
> >> There would be ways to avoid this and make sure that all connections are
> >> always authenticated with the right user but nobody has written this code
> >> for OpenCMIS yet.
> >> The new cookie support in OpenCMIS 0.5.0 may solve this particular issue
> >> when OpenCMIS talks to SharePoint, but that hasn't been verified.
> >>
> >> Conclusion: NTLM makes more or less sense for web browsers. It is less than
> >> optimal for APIs - especially when you are connecting from Java.
> >> The only viable solution is to reconfigure the SharePoint server to accept
> >> basic authentication.
> >>
> >>
> >> Florian
> >>
> >>
> >>
> >> On 16/09/2011 16:15, Naresh Bhatia wrote:
> >>> Hi Florian,
> >>>
> >>> My responses below:
> >>>
> >>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
> >>>
> >>> Yes, this is how I am doing it:
> >>> parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
> >>>     "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider");
> >>>
> >>> - Does the user name follow the pattern "<domain>\<login>"?
> >>> Tried it with and without the domain name.
> >>>
> >>> - Is this the only application in your Tomcat? If not, is there another
> >>> application that uses the java.net.Authenticator class?
> >>> This is the only app.
> >>>
> >>> - Does your application create multiple sessions with different users? (That
> >>> doesn't work with NTLM.)
> >>> That is the ultimate intent, but for the purpose of my test I am the only
> >>> user. Could you please expand on why NTLM wouldn't work with multiple users?
> >>> Is it not designed for this use case? (I have no expertise in NTLM.) Also, I
> >>> found that IE was able to connect to the SharePoint instance without asking
> >>> for username/password, whereas Firefox was not able to do this. My
> >>> understanding is that NTLM uses the logged-in user's credentials. So does it
> >>> even accept username/password?
> >>>
> >>>
> >>> - Does it fail immediately when it tries to retrieve the repository infos?
> >>> If not, you are running into another known problem with NTLM. Some operations
> >>> have to be repeated once in a while to work correctly.
> >>>
> >>> Don't understand what you mean by failing immediately. This is what I am
> >>> seeing (some items truncated)
> >>>
> >>> OpenCMIS
> >>>
> >>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
> >>>
> >>>
> >>>
> >>>
> >>> IIS/SharePoint
> >>>
> >>> HTTP/1.1 401 Unauthorized
> >>>
> >>> Server: Microsoft-IIS/7.5
> >>>
> >>> SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039
> >>>
> >>> WWW-Authenticate: Negotiate
> >>>
> >>> WWW-Authenticate: NTLM
> >>>
> >>>
> >>>
> >>> OpenCMIS
> >>>
> >>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
> >>>
> >>> User-Agent: Apache Chemistry OpenCMIS
> >>>
> >>> Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04=
> >>>
> >>>
> >>>
> >>> IIS/SharePoint
> >>>
> >>> HTTP/1.1 401 Unauthorized
> >>>
> >>> Server: Microsoft-IIS/7.5
> >>>
> >>> SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a
> >>>
> >>> WWW-Authenticate: NTLM Tl..............AA=
> >>>
> >>> WWW-Authenticate: Negotiate
> >>>
> >>>
> >>>
> >>> This keeps on going 39 times and finally OpenCMIS gives up
> >>>
> >>> Naresh
> >>>
> >>> On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller <
> >>> florian.mueller@alfresco.com> wrote:
> >>>
> >>>> Naresh,
> >>>>
> >>>> A few checkpoints:
> >>>>
> >>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
> >>>> - Does the user name follow the pattern "<domain>\<login>"?
> >>>> - Is this the only application in your Tomcat? If not, is there another
> >>>> application that uses the java.net.Authenticator class?
> >>>> - Does your application create multiple sessions with different users?
> >>>> (That doesn't work with NTLM.)
> >>>> - Does it fail immediately when it tries to retrieve the repository infos?
> >>>> If not, you are running into another known problem with NTLM. Some operations
> >>>> have to be repeated once in a while to work correctly.
> >>>>
> >>>> Again, NTLM is not a viable option for a production system.
> >>>>
> >>>>
> >>>> - Florian
> >>>>
> >>>>
> >>>> On 16/09/2011 02:54, Naresh Bhatia wrote:
> >>>>> George,
> >>>>>
> >>>>> Per your suggestion, I used Fiddler to monitor the traffic between CMIS
> >>>>> Workbench and SP. CMIS Workbench (as well as my standalone OpenCMIS program)
> >>>>> is able to authenticate successfully in 2 tries. However I can't figure out
> >>>>> what credentials are being sent to SP as they are hashed or encrypted, e.g.
> >>>>>
> >>>>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04=
> >>>>>
> >>>>> How did you figure out what this means?
> >>>>>
> >>>>> Anyway, when I try the same experiment with OpenCMIS running on Tomcat,
> >>>>> OpenCMIS tries 39 times to authenticate, but the server keeps on returning
> >>>>> 401's. OpenCMIS finally gives up. Again, the Authorization headers are
> >>>>> encrypted, so I really don't know what OpenCMIS is trying to do.
> >>>>>
> >>>>> Any further pointers on this issue?
> >>>>>
> >>>>> Thanks.
> >>>>> Naresh
> >>>>>
> >>>>>
> >>>>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George <
> >>>>> George.Florentine@flatironssolutions.com> wrote:
> >>>>>
> >>>>>> Naresh, I'd suggest using Wireshark or some other network protocol analyzer
> >>>>>> to look at the packets going between your application and the SharePoint
> >>>>>> CMIS producer endpoint. I found that very useful when trying to debug
> >>>>>> authorization issues between the OpenCMIS client and the SP server. For
> >>>>>> example, I discovered that when you specify NTLM as the authentication
> >>>>>> mechanism, the OpenCMIS client tries to first send the credentials of the
> >>>>>> process persona your web is running in on your app server before it sends
> >>>>>> the credentials you specify in your code. I would never have figured that
> >>>>>> out without looking at network packets... You might also want to post to the
> >>>>>> group what calls you're making to the OpenCMIS classes to set authorization
> >>>>>> type and creds. That info will be useful in determining why your app is
> >>>>>> behaving differently from the CMIS Workbench client.
> >>>>>>
> >>>>>> thx,
> >>>>>>
> >>>>>> g
> >>>>>> ---
> >>>>>>
> >>>>>>
> >>>>>> George Florentine
> >>>>>>
> >>>>>> VP, Engineering
> >>>>>>
> >>>>>> +1 (303) 542-2173  |  Office
> >>>>>> +1 (303) 669-8628  |  Cell
> >>>>>> +1 (303) 544-0522  |  Fax
> >>>>>>
> >>>>>> george.florentine@flatironssolutions.com
> >>>>>>
> >>>>>> http://www.flatironssolutions.com
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
> >>>>>> Sent: Wednesday, September 07, 2011 6:50 PM
> >>>>>> To: dev@chemistry.apache.org
> >>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
> >>>>>>
> >>>>>> Jérôme,
> >>>>>>
> >>>>>> I made quite a bit of progress based on your suggestions. I have figured out
> >>>>>> what my Library Id is. I can access the library using the CMIS Workbench and
> >>>>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get it to
> >>>>>> work through my web application - it is giving me
> >>>>>> a CmisUnauthorizedException:
> >>>>>>
> >>>>>> org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: Unauthorized
> >>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423)
> >>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552)
> >>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716)
> >>>>>> at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62)
> >>>>>> at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69)
> >>>>>> at org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610)
> >>>>>> at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92)
> >>>>>> at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64)
> >>>>>> at com.wellmanage.wellington2go.domain.cmis.CmisSession.<init>(CmisSession.java:69)
> >>>>>>
> >>>>>> The parameters I am passing to SessionFactory.createSession() are exactly
> >>>>>> the same as what I pass to my standalone app, so I can't understand why I
> >>>>>> get the CmisUnauthorizedException.
> >>>>>>
> >>>>>> Another interesting thing is that my standalone program (and CMIS Workbench)
> >>>>>> can access SharePoint even if I don't pass a username and password. That's
> >>>>>> really puzzling.
> >>>>>>
> >>>>>> Anything you can make out of this?
> >>>>>>
> >>>>>> Thanks.
> >>>>>> Naresh
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard <jsimard@xybion.com> wrote:
> >>>>>>
> >>>>>>> Naresh,
> >>>>>>>
> >>>>>>> Sorry I meant Library id.
> >>>>>>>
> >>>>>>> Your best bet would be to use the CMIS Workbench to connect to SharePoint
> >>>>>>> using the webservice binding, once connected you will see the Library ID of
> >>>>>>> all the available SharePoint libraries. It should have this form
> >>>>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f.
> >>>>>>>
> >>>>>>> Good luck,
> >>>>>>> Jérôme
> >>>>>>>
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
> >>>>>>> Sent: 2 septembre 2011 15:36
> >>>>>>> To: dev@chemistry.apache.org
> >>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
> >>>>>>>
> >>>>>>> Thanks so much Jérôme. I will give it a shot.
> >>>>>>>
> >>>>>>> What is a Site ID btw?
> >>>>>>>
> >>>>>>> Naresh
> >>>>>>>
> >>>>>>>
> >>>>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard <jsimard@xybion.com> wrote:
> >>>>>>>
> >>>>>>>> Hi Naresh,
> >>>>>>>>
> >>>>>>>> You must use the same URL for each service, i.e.
> >>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx
> >>>>>>>>
> >>>>>>>> To use the AtomPub binding, your URL should include the Site ID, like this:
> >>>>>>>>
> >>>>>>>> http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo
> >>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Jérôme
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Jérôme Simard
> >>>>>>>> Principal Software Architect  |  T 418-525-0606 #2264  |  F 418-525-0909
> >>>>>>>> 400, boul. Jean-Lesage, Suite 38  |  Québec, QC, Canada, G1K 8W1  |
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
> >>>>>>>> Sent: 2 septembre 2011 15:09
> >>>>>>>> To: dev
> >>>>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS
> >>>>>>>>
> >>>>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was given a URL
> >>>>>>>> for the WSDL by my sysadmin (something like
> >>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it looks like
> >>>>>>>> the URL has a combined WSDL for all CMIS services. Looking at this OpenCMIS
> >>>>>>>> example <http://chemistry.apache.org/java/examples/example-create-session.html>,
> >>>>>>>> it appears that I need one URL per service.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>    1. How do I go about connecting to Sharepoint using this combined WSDL?
> >>>>>>>>    Does Sharepoint also publish separate WSDLs as shown in the example?
> >>>>>>>>    2. Does Sharepoint support AtomPub?
> >>>>>>>>
> >>>>>>>> Thanks.
> >>>>>>>> Naresh
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >
>
>
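
The `Authorization: NTLM ...` and `WWW-Authenticate: NTLM ...` values in the traces quoted above are base64-encoded NTLMSSP messages; the visible prefix `TlRMTVNTUAAB` is the signature `NTLMSSP\0` followed by message type 1. The decoder below is an added example, not code from the thread or from OpenCMIS, that reads the cleartext fields of such a header when debugging a 401 loop; the sample token, the names `EXAMPLE` and `APPSRV01`, and the use of cp437 as the OEM code page are assumptions.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Offset of each (length, max length, payload offset) descriptor, per message type.
FIELDS = {1: {"domain": 16, "workstation": 24},
          2: {"target": 12},
          3: {"domain": 28, "user": 36, "workstation": 44}}
FLAGS_AT = {1: 12, 2: 20, 3: 60}
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE


def decode_ntlm_header(value):
    """Return the cleartext fields of an 'NTLM <base64>' header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header carrying a token")
    raw = base64.b64decode(token, validate=True)
    if raw[:8] != SIGNATURE or len(raw) < 12:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype not in NAMES or len(raw) < FLAGS_AT[mtype] + 4:
        raise ValueError("unknown or truncated NTLM message")
    flags = struct.unpack_from("<I", raw, FLAGS_AT[mtype])[0]
    # Type 1 strings are always OEM (cp437 assumed); later ones follow the Unicode flag.
    codec = "utf-16-le" if mtype != 1 and flags & UNICODE else "cp437"
    out = {"type": NAMES[mtype], "flags": flags}
    for name, pos in FIELDS[mtype].items():
        if pos + 8 > len(raw):  # minimal Type 1 messages omit the descriptors
            out[name] = ""
            continue
        length, _, offset = struct.unpack_from("<HHI", raw, pos)
        if offset + length > len(raw):
            raise ValueError("field %r points outside the message" % name)
        out[name] = raw[offset:offset + length].decode(codec, "replace")
    return out


def build_sample_type1(domain=b"EXAMPLE", workstation=b"APPSRV01"):
    """Constructed sample Type 1 message; not a value from the thread."""
    flags = 0x00003206  # OEM | REQUEST_TARGET | NTLM | domain and workstation supplied
    head = SIGNATURE + struct.pack("<II", 1, flags)
    head += struct.pack("<HHI", len(domain), len(domain), 32 + len(workstation))
    head += struct.pack("<HHI", len(workstation), len(workstation), 32)
    return "NTLM " + base64.b64encode(head + workstation + domain).decode("ascii")


if __name__ == "__main__":
    print(decode_ntlm_header(build_sample_type1()))
```

Run against the first `Authorization` header of a capture, the `domain` and `workstation` fields show which machine identity the Java process offered before any user name was sent.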
