chemistry-dev mailing list archives

From "Florentine, George" <George.Florent...@flatironssolutions.com>
Subject RE: Pointers on connecting to Sharepoint 2010 using OpenCMIS
Date Fri, 16 Sep 2011 20:54:06 GMT
Naresh, a bit more ammunition for you :) We're using OpenCMIS to talk to SharePoint using Basic
Authentication. You turn Basic authentication on in the IIS manager for the SP site. Once
that's on, you can use this type of code to tell OpenCMIS to use Basic Authentication and
cookies:

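                // needs java.net.CookieHandler/CookieManager, java.util.HashMap/Map
                // and the OpenCMIS client classes on the classpath

                // enable cookies (CookieHandler.setDefault applies JVM-wide)
                CookieManager cm = new CookieManager();
                CookieHandler.setDefault(cm);

                // session parameters: Basic authentication over the AtomPub binding
                Map<String, String> parameters = new HashMap<String, String>();
                SessionFactory sessionFactory = SessionFactoryImpl.newInstance();
                parameters.put(SessionParameter.USER, user);
                parameters.put(SessionParameter.PASSWORD, pass);
                parameters.put(SessionParameter.ATOMPUB_URL, repoURI);
                parameters.put(SessionParameter.AUTH_HTTP_BASIC, "true");
                parameters.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS, CmisBindingFactory.STANDARD_AUTHENTICATION_PROVIDER);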

I'd re-emphasize what Florian's already mentioned - if the SP site is part of a domain, you'll
want to pass user creds in the form domain\user_name. Also, I think the cookie support in
0.5.0 would be useful to you. In our testing, once SP authenticates you using Basic Authentication
it sends back a cookie for use in subsequent messages. Having that in your subsequent response
should speed up the overall messaging between your code and the SP server.

thx,

g
---


George Florentine

VP, Engineering

+1 (303) 542-2173  |  Office
+1 (303) 669-8628  |  Cell
+1 (303) 544-0522  |  Fax

george.florentine@flatironssolutions.com

http://www.flatironssolutions.com

-----Original Message-----
From: Florian Müller [mailto:florian.mueller@alfresco.com]
Sent: Friday, September 16, 2011 12:59 PM
To: dev@chemistry.apache.org
Cc: Naresh Bhatia
Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS

This is the wrong mailing list for SharePoint configuration questions. ;-)
I think it is possible, but you should talk to a SharePoint expert.

Also, turn cookies on. (The OpenCMIS 0.5.0 release should be available in a few days.)


Florian


On 16/09/2011 19:38, Naresh Bhatia wrote:
> Thanks Florian - this is VERY helpful. Do you know if SharePoint can be
> configured to handle Basic Authentication in addition to NTLM, or does it
> have to be only one of the two.
>
> Thanks.
> Naresh
>
>
>
> On Fri, Sep 16, 2011 at 12:12 PM, Florian Müller <
> florian.mueller@alfresco.com> wrote:
>
>> Hi Naresh,
>>
>> There are multiple issues with NTLM. Some are related to how NTLM is
>> handled in Java; some are related to the combination of NTLM and chunking.
>>
>> Unfortunately, there is only one static java.net.Authenticator object in
>> Java, that is responsible for the NTLM credentials.
>> If there is only one user (-> CMIS Workbench) then this limitation is no
>> problem. If the application should be able to connect with multiple users,
>> then this becomes a major issue.
>> The only information the Authenticator object gets, when it is asked for
>> credentials, is the URL. Since the CMIS URLs are all the same for all users,
>> there is no way to pick the right credentials.
>> That's a road block for your use-case.
>>
>> The second problem is chunking. OpenCMIS is optimized for handling really
>> big documents. It doesn't buffer the documents, it streams them directly to
>> the repository. In order to do that it sends the documents in chunks.
>> NTLM authenticates TCP connections, not requests. If such a request with
>> chunks hits an unauthenticated TCP connection, it fails. The next attempt
>> will probably work because the connection will be authenticated after the
>> failure.
>> There would be ways to avoid this and make sure that all connections are
>> always authenticated with the right user but nobody has written this code
>> for OpenCMIS yet.
>> The new cookie support in OpenCMIS 0.5.0 may solve this particular issue
>> when OpenCMIS talks to SharePoint, but that hasn't been verified.
>>
>> Conclusion: NTLM makes more or less sense for web browsers. It is less than
>> optimal for APIs - especially when you are connecting from Java.
>> The only viable solution is to reconfigure the SharePoint server to accept
>> basic authentication.
>>
>>
>> Florian
>>
>>
>>
>> On 16/09/2011 16:15, Naresh Bhatia wrote:
>>> Hi Florian,
>>>
>>> My responses below:
>>>
>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>>>
>>> Yes, this is how I am doing it:
>>> parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
>>>     "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider");
>>>
>>> - Does the user name follow the pattern "<domain>\<login>"?
>>> Tried it with and without the domain name.
>>>
>>> - Is this the only application in your Tomcat? If not, is there another
>>> application that uses the java.net.Authenticator class?
>>> This is the only app.
>>>
>>> - Does your application create multiple sessions with different users? (That
>>> doesn't work with NTLM.)
>>> That is the ultimate intent, but for the purpose of my test I am the only
>>> user. Could you please expand on why NTLM wouldn't work with multiple users?
>>> Is it not designed for this use case? (I have no expertise in NTLM). Also I
>>> found that IE was able to connect to the SharePoint instance without asking
>>> for username/password, whereas Firefox was not able to do this. My
>>> understanding is that NTLM uses the logged in user's credentials. So does it
>>> even accept username/password?
>>>
>>>
>>> - Does it fail immediately when it tries to retrieve the repository infos?
>>> If not, you are running into another known problem with NTLM. Some operations
>>> have to be repeated once in a while to work correctly.
>>>
>>> Don't understand what you mean by failing immediately. This is what I am
>>> seeing (some items truncated)
>>>
>>> OpenCMIS
>>>
>>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
>>>
>>> IIS/SharePoint
>>>
>>> HTTP/1.1 401 Unauthorized
>>> Server: Microsoft-IIS/7.5
>>> SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039
>>> WWW-Authenticate: Negotiate
>>> WWW-Authenticate: NTLM
>>>
>>> OpenCMIS
>>>
>>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
>>> User-Agent: Apache Chemistry OpenCMIS
>>> Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04=
>>>
>>> IIS/SharePoint
>>>
>>> HTTP/1.1 401 Unauthorized
>>> Server: Microsoft-IIS/7.5
>>> SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a
>>> WWW-Authenticate: NTLM Tl..............AA=
>>> WWW-Authenticate: Negotiate
>>>
>>> This keeps on going 39 times and finally OpenCMIS gives up
>>>
>>> Naresh
>>>
>>> On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller <
>>> florian.mueller@alfresco.com> wrote:
>>>
>>>> Naresh,
>>>>
>>>> A few checkpoints:
>>>>
>>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>>>> - Does the user name follow the pattern "<domain>\<login>"?
>>>> - Is this the only application in your Tomcat? If not, is there another
>>>> application that uses the java.net.Authenticator class?
>>>> - Does your application create multiple sessions with different users?
>>>> (That doesn't work with NTLM.)
>>>> - Does it fail immediately when it tries to retrieve the repository infos?
>>>> If not, you are running into another known problem with NTLM. Some operations
>>>> have to be repeated once in a while to work correctly.
>>>>
>>>> Again, NTLM is not a viable option for a production system.
>>>>
>>>>
>>>> - Florian
>>>>
>>>>
>>>> On 16/09/2011 02:54, Naresh Bhatia wrote:
>>>>> George,
>>>>>
>>>>> Per your suggestion, I used Fiddler to monitor the traffic between CMIS
>>>>> Workbench and SP. CMIS workbench (as well as my standalone OpenCMIS program)
>>>>> is able to authenticate successfully in 2 tries. However I can't figure out
>>>>> what credentials are being sent to SP as they are hashed or encrypted, e.g.
>>>>>
>>>>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04=
>>>>>
>>>>> How did you figure out what this means?
>>>>>
>>>>> Anyway, when I try the same experiment with OpenCMIS running on Tomcat,
>>>>> OpenCMIS tries 39 times to authenticate, but the server keeps on returning
>>>>> 401's. OpenCMIS finally gives up. Again, the Authorization headers are
>>>>> encrypted, so I really don't know what OpenCMIS is trying to do.
>>>>>
>>>>> Any further pointers on this issue?
>>>>>
>>>>> Thanks.
>>>>> Naresh
>>>>>
>>>>>
>>>>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George <
>>>>> George.Florentine@flatironssolutions.com> wrote:
>>>>>
>>>>>> Naresh, I'd suggest using Wireshark or some other network protocol analyzer
>>>>>> to look at the packets going between your application and the SharePoint
>>>>>> CMIS producer endpoint. I found that very useful when trying to debug
>>>>>> authorization issues between the OpenCMIS client and the SP server. For
>>>>>> example, I discovered that when you specify NTLM as the authentication
>>>>>> mechanism, the OpenCMIS client tries to first send the credentials of the
>>>>>> process persona your web is running in on your app server before it sends
>>>>>> the credentials you specify in your code. I would never have figured that
>>>>>> out without looking at network packets...You might also want to post to the
>>>>>> group what calls you're making to the OpenCMIS classes to set authorization
>>>>>> type and creds. That info will be useful in determining why your app is
>>>>>> behaving differently from the CMIS Workbench client.
>>>>>>
>>>>>> thx,
>>>>>>
>>>>>> g
>>>>>> ---
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>> Sent: Wednesday, September 07, 2011 6:50 PM
>>>>>> To: dev@chemistry.apache.org
>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>
>>>>>> Jérôme,
>>>>>>
>>>>>> I made quite a bit of progress based on your suggestions. I have figured out
>>>>>> what my Library Id is. I can access the library using the CMIS Workbench and
>>>>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get it to
>>>>>> work through my web application - it is giving me
>>>>>> a CmisUnauthorizedException:
>>>>>>
>>>>>> org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: Unauthorized
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69)
>>>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610)
>>>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92)
>>>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64)
>>>>>>     at com.wellmanage.wellington2go.domain.cmis.CmisSession.<init>(CmisSession.java:69)
>>>>>>
>>>>>> The parameters I am passing to SessionFactory.createSession() are exactly
>>>>>> the same as what I pass to my standalone app, so I can't understand why I
>>>>>> get the CmisUnauthorizedException.
>>>>>>
>>>>>> Another interesting thing is that my standalone program (and CMIS Workbench)
>>>>>> can access SharePoint even if I don't pass a username and password. That's
>>>>>> really puzzling.
>>>>>>
>>>>>> Anything you can make out of this?
>>>>>>
>>>>>> Thanks.
>>>>>> Naresh
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard <jsimard@xybion.com> wrote:
>>>>>>
>>>>>>> Naresh,
>>>>>>>
>>>>>>> Sorry I meant Library id.
>>>>>>>
>>>>>>> Your best bet would be to use the CMIS Workbench to connect to SharePoint
>>>>>>> using the webservice binding, once connected you will see the Library ID of
>>>>>>> all the available SharePoint libraries. It should have this form
>>>>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f.
>>>>>>>
>>>>>>> Good luck,
>>>>>>> Jérôme
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>>> Sent: 2 septembre 2011 15:36
>>>>>>> To: dev@chemistry.apache.org
>>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>>
>>>>>>> Thanks so much Jérôme. I will give it a shot.
>>>>>>>
>>>>>>> What is a Site ID btw?
>>>>>>>
>>>>>>> Naresh
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard <jsimard@xybion.com> wrote:
>>>>>>>
>>>>>>>> Hi Naresh,
>>>>>>>>
>>>>>>>> You must use the same URL for each service, i.e.
>>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx
>>>>>>>>
>>>>>>>> To use the AtomPub binding, your URL should include the Site ID, like this:
>>>>>>>>
>>>>>>>> http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jérôme
>>>>>>>>
>>>>>>>>
>>>>>>>> Jérôme Simard
>>>>>>>> Principal Software Architect  |  T 418-525-0606 #2264  |  F 418-525-0909
>>>>>>>> 400, boul. Jean-Lesage, Suite 38  |  Québec, QC, Canada, G1K 8W1  |
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>>>> Sent: 2 septembre 2011 15:09
>>>>>>>> To: dev
>>>>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>>>
>>>>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was given a URL
>>>>>>>> for the WSDL by my sysadmin (something like
>>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it looks like
>>>>>>>> the URL has a combined WSDL for all CMIS services. Looking at this OpenCMIS
>>>>>>>> example <http://chemistry.apache.org/java/examples/example-create-session.html>,
>>>>>>>> it appears that I need one URL per service.
>>>>>>>>
>>>>>>>>
>>>>>>>>    1. How do I go about connecting to Sharepoint using this combined WSDL?
>>>>>>>>    Does Sharepoint also publish separate WSDLs as shown in the example.
>>>>>>>>    2. Does sharepoint support AtomPub?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> Naresh
>>>>>>>>
>

