From: Florian Müller
Date: Fri, 16 Sep 2011 17:12:34 +0100
To: dev@chemistry.apache.org
CC: Naresh Bhatia
Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
Message-ID: <4E737572.30505@alfresco.com>

Hi Naresh,

There are multiple issues with NTLM. Some are related to how NTLM is handled in Java; some are related to the combination of NTLM and chunking.

Unfortunately, there is only one static java.net.Authenticator object in Java that is responsible for the NTLM credentials. If there is only one user (-> CMIS Workbench) then this limitation is no problem. If the application should be able to connect with multiple users, then this becomes a major issue. The only information the Authenticator object gets, when it is asked for credentials, is the URL. Since the CMIS URLs are all the same for all users, there is no way to pick the right credentials. That's a road block for your use-case.

The second problem is chunking. OpenCMIS is optimized for handling really big documents. It doesn't buffer the documents, it streams them directly to the repository. In order to do that it sends the documents in chunks. NTLM authenticates TCP connections, not requests. If such a request with chunks hits an unauthenticated TCP connection, it fails. The next attempt will probably work because the connection will be authenticated after the failure.
There would be ways to avoid this and make sure that all connections are always authenticated with the right user but nobody has written this code for OpenCMIS yet. The new cookie support in OpenCMIS 0.5.0 may solve this particular issue when OpenCMIS talks to SharePoint, but that hasn't been verified.

Conclusion: NTLM makes more or less sense for web browsers. It is less than optimal for APIs - especially when you are connecting from Java. The only viable solution is to reconfigure the SharePoint server to accept basic authentication.

Florian

On 16/09/2011 16:15, Naresh Bhatia wrote:
> Hi Florian,
>
> My responses below:
>
> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>
> Yes, this is how I am doing it:
> parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
>     "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider");
>
> - Does the user name follow the pattern "\"?
> Tried it with and without the domain name.
>
> - Is this the only application in your Tomcat? If not, is there another
> application that uses the java.net.Authenticator class?
> This is the only app.
>
> - Does your application create multiple sessions with different users? (That
> doesn't work with NTLM.)
> That is the ultimate intent, but for the purpose of my test I am the only
> user. Could you please expand on why NTLM wouldn't work with multiple users?
> Is it not designed for this use case? (I have no expertise in NTLM). Also I
> found that IE was able to connect to the SharePoint instance without asking
> for username/password, whereas Firefox was not able to do this. My
> understanding is that NTLM uses the logged in user's credentials. So does it
> even accept username/password?
>
>
> - Does it fail immediately when it tries to retrieve the repository infos?
> If not, you are running into another known problem with NTLM. Some operations
> have to be repeated once in a while to work correctly.
>
> Don't understand what you mean by failing immediately. This is what I am
> seeing (some items truncated)
>
> OpenCMIS
>
> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
>
> IIS/SharePoint
>
> HTTP/1.1 401 Unauthorized
> Server: Microsoft-IIS/7.5
> SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> OpenCMIS
>
> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
> User-Agent: Apache Chemistry OpenCMIS
> Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04=
>
> IIS/SharePoint
>
> HTTP/1.1 401 Unauthorized
> Server: Microsoft-IIS/7.5
> SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a
> WWW-Authenticate: NTLM Tl..............AA=
> WWW-Authenticate: Negotiate
>
> This keeps on going 39 times and finally OpenCMIS gives up
>
> Naresh
>
> On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller <florian.mueller@alfresco.com> wrote:
>
>> Naresh,
>>
>> A few checkpoints:
>>
>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>> - Does the user name follow the pattern "\"?
>> - Is this the only application in your Tomcat? If not, is there another
>>   application that uses the java.net.Authenticator class?
>> - Does your application create multiple sessions with different users?
>>   (That doesn't work with NTLM.)
>> - Does it fail immediately when it tries to retrieve the repository infos?
>>   If not, you are running into another known problem with NTLM. Some operations
>>   have to be repeated once in a while to work correctly.
>>
>> Again, NTLM is not a viable option for a production system.
>>
>> - Florian
>>
>>
>> On 16/09/2011 02:54, Naresh Bhatia wrote:
>>> George,
>>>
>>> Per your suggestion, I used Fiddler to monitor the traffic between CMIS
>>> Workbench and SP. CMIS workbench (as well as my standalone OpenCMIS program)
>>> is able to authenticate successfully in 2 tries. However I can't figure out
>>> what credentials are being sent to SP as they are hashed or encrypted, e.g.
>>>
>>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04=
>>>
>>> How did you figure out what this means?
>>>
>>> Anyway, when I try the same experiment with OpenCMIS running on Tomcat,
>>> OpenCMIS tries 39 times to authenticate, but the server keeps on returning
>>> 401's. OpenCMIS finally gives up. Again, the Authorization headers are
>>> encrypted, so I really don't know what OpenCMIS is trying to do.
>>>
>>> Any further pointers on this issue?
>>>
>>> Thanks.
>>> Naresh
>>>
>>>
>>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George <George.Florentine@flatironssolutions.com> wrote:
>>>
>>>> Naresh, I'd suggest using Wireshark or some other network protocol analyzer
>>>> to look at the packets going between your application and the SharePoint
>>>> CMIS producer endpoint. I found that very useful when trying to debug
>>>> authorization issues between the OpenCMIS client and the SP server. For
>>>> example, I discovered that when you specify NTLM as the authentication
>>>> mechanism, the OpenCMIS client tries to first send the credentials of the
>>>> process persona your web is running in on your app server before it sends
>>>> the credentials you specify in your code. I would never have figured that
>>>> out without looking at network packets...You might also want to post to the
>>>> group what calls you're making to the OpenCMIS classes to set authorization
>>>> type and creds. That info will be useful in determining why your app is
>>>> behaving differently from the CMIS Workbench client.
>>>>
>>>> thx,
>>>>
>>>> g
>>>> ---
>>>>
>>>> George Florentine
>>>> VP, Engineering
>>>>
>>>> +1 (303) 542-2173 | Office
>>>> +1 (303) 669-8628 | Cell
>>>> +1 (303) 544-0522 | Fax
>>>>
>>>> george.florentine@flatironssolutions.com
>>>> http://www.flatironssolutions.com
>>>>
>>>> -----Original Message-----
>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>> Sent: Wednesday, September 07, 2011 6:50 PM
>>>> To: dev@chemistry.apache.org
>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>
>>>> Jérôme,
>>>>
>>>> I made quite a bit of progress based on your suggestions. I have figured out
>>>> what my Library Id is. I can access the library using the CMIS Workbench and
>>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get it to
>>>> work through my web application - it is giving me a CmisUnauthorizedException:
>>>>
>>>> org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: Unauthorized
>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423)
>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552)
>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716)
>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62)
>>>>     at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69)
>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610)
>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92)
>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64)
>>>>     at com.wellmanage.wellington2go.domain.cmis.CmisSession.(CmisSession.java:69)
>>>>
>>>> The parameters I am passing to SessionFactory.createSession() are exactly
>>>> the same as what I pass to my standalone app, so I can't understand why I
>>>> get the CmisUnauthorizedException.
>>>>
>>>> Another interesting thing is that my standalone program (and CMIS Workbench)
>>>> can access SharePoint even if I don't pass a username and password. That's
>>>> really puzzling.
>>>>
>>>> Anything you can make out of this?
>>>>
>>>> Thanks.
>>>> Naresh
>>>>
>>>>
>>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard wrote:
>>>>
>>>>> Naresh,
>>>>>
>>>>> Sorry I meant Library id.
>>>>>
>>>>> Your best bet would be to use the CMIS Workbench to connect to SharePoint
>>>>> using the webservice binding, once connected you will see the Library ID of
>>>>> all the available SharePoint libraries. It should have this form
>>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f.
>>>>>
>>>>> Good luck,
>>>>> Jérôme
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>> Sent: 2 septembre 2011 15:36
>>>>> To: dev@chemistry.apache.org
>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>
>>>>> Thanks so much Jérôme. I will give it a shot.
>>>>>
>>>>> What is a Site ID btw?
>>>>>
>>>>> Naresh
>>>>>
>>>>>
>>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard wrote:
>>>>>
>>>>>> Hi Naresh,
>>>>>>
>>>>>> You must use the same URL for each service, i.e.
>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx
>>>>>>
>>>>>> To use the AtomPub binding, your URL should include the Site ID, like this:
>>>>>>
>>>>>> http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo
>>>>>>
>>>>>> Cheers,
>>>>>> Jérôme
>>>>>>
>>>>>>
>>>>>> Jérôme Simard
>>>>>> Principal Software Architect | T 418-525-0606 #2264 | F 418-525-0909
>>>>>> 400, boul. Jean-Lesage, Suite 38 | Québec, QC, Canada, G1K 8W1 |
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
>>>>>> Sent: 2 septembre 2011 15:09
>>>>>> To: dev
>>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>
>>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was given a URL
>>>>>> for the WSDL by my sysadmin (something like
>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it looks like
>>>>>> the URL has a combined WSDL for all CMIS services. Looking at this OpenCMIS
>>>>>> example <http://chemistry.apache.org/java/examples/example-create-session.html>,
>>>>>> it appears that I need one URL per service.
>>>>>>
>>>>>> 1. How do I go about connecting to Sharepoint using this combined WSDL?
>>>>>>    Does Sharepoint also publish separate WSDLs as shown in the example?
>>>>>> 2. Does sharepoint support AtomPub?
>>>>>>
>>>>>> Thanks.
>>>>>> Naresh
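
Added example (not part of the original thread, and not OpenCMIS code): the tokens in the NTLM Authorization and WWW-Authenticate headers quoted in this thread are base64-encoded NTLMSSP messages, so a capture can be decoded to see the message type and the domain, workstation and account names a client presents. Field offsets follow the published NTLM message layout (MS-NLMP); the function names and the sample names EXAMPLEDOM and WS01 are assumptions constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE


def _field(msg, pos, wide):
    """Resolve the (Len, MaxLen, BufferOffset) descriptor at pos to a string."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if wide else "ascii", errors="replace")


def decode_ntlm_header(value):
    """Decode the token of an 'NTLM <base64>' HTTP header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header carrying a token")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1:  # NEGOTIATE (client): flags plus optional OEM names only
        (flags,) = struct.unpack_from("<I", msg, 12)
        return {"type": 1, "flags": flags, "domain": _field(msg, 16, False),
                "workstation": _field(msg, 24, False)}
    if mtype == 2:  # CHALLENGE (server): target name and 8-byte nonce
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"type": 2, "flags": flags, "challenge": msg[24:32].hex(),
                "target": _field(msg, 12, bool(flags & FLAG_UNICODE))}
    if mtype == 3 and len(msg) >= 64:  # AUTHENTICATE (client): names in clear
        (flags,) = struct.unpack_from("<I", msg, 60)
        wide = bool(flags & FLAG_UNICODE)
        return {"type": 3, "flags": flags, "domain": _field(msg, 28, wide),
                "user": _field(msg, 36, wide),
                "workstation": _field(msg, 44, wide)}
    raise ValueError("unsupported or truncated NTLM message")


def build_sample_type1(domain=b"EXAMPLEDOM", workstation=b"WS01"):
    """Constructed sample: minimal type 1 message with made-up names."""
    flags = 0x0002 | 0x0200 | 0x1000 | 0x2000  # OEM, NTLM, names supplied
    msg = struct.pack("<8sII", SIGNATURE, 1, flags)
    msg += struct.pack("<HHI", len(domain), len(domain), 32 + len(workstation))
    msg += struct.pack("<HHI", len(workstation), len(workstation), 32)
    return "NTLM " + base64.b64encode(msg + workstation + domain).decode()
```

A type 1 token carries no user name or password, only flags and optional domain and workstation names; the account name appears in the type 3 token, which shows whose identity the client actually presented. Over plain http:// all of these names are readable by anyone on the network path.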