Date: Fri, 16 Sep 2011 14:38:23 -0400
Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
From: Naresh Bhatia
To: dev@chemistry.apache.org

Thanks Florian - this is VERY helpful. Do you know if SharePoint can be configured to handle Basic Authentication in addition to NTLM, or does it have to be only one of the two?

Thanks.
Naresh

On Fri, Sep 16, 2011 at 12:12 PM, Florian Müller <florian.mueller@alfresco.com> wrote:

> Hi Naresh,
>
> There are multiple issues with NTLM. Some are related to how NTLM is
> handled in Java; some are related to the combination of NTLM and chunking.
>
> Unfortunately, there is only one static java.net.Authenticator object in
> Java, that is responsible for the NTLM credentials.
> If there is only one user (-> CMIS Workbench) then this limitation is no
> problem. If the application should be able to connect with multiple users,
> then this becomes a major issue.
> The only information the Authenticator object gets, when it is asked for
> credentials, is the URL. Since the CMIS URLs are all the same for all users,
> there is no way to pick the right credentials.
> That's a road block for your use-case.
>
> The second problem is chunking. OpenCMIS is optimized for handling really
> big documents. It doesn't buffer the documents, it streams them directly to
> the repository. In order to do that it sends the documents in chunks.
> NTLM authenticates TCP connections, not requests. If such a request with
> chunks hits an unauthenticated TCP connection, it fails. The next attempt
> will probably work because the connection will be authenticated after the
> failure.
> There would be ways to avoid this and make sure that all connections are
> always authenticated with the right user but nobody has written this code
> for OpenCMIS yet.
> The new cookie support in OpenCMIS 0.5.0 may solve this particular issue
> when OpenCMIS talks to SharePoint, but that hasn't been verified.
>
> Conclusion: NTLM makes more or less sense for web browsers. It is less than
> optimal for APIs - especially when you are connecting from Java.
> The only viable solution is to reconfigure the SharePoint server to accept
> basic authentication.
>
>
> Florian
>
>
> On 16/09/2011 16:15, Naresh Bhatia wrote:
> > Hi Florian,
> >
> > My responses below:
> >
> > - Are you setting the NTLMAuthenticationProvider in the session parameters?
> >
> > Yes, this is how I am doing it:
> > parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
> >     "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider");
> >
> > - Follows the user name the pattern "\"?
> > Tried it with and without the domain name.
> >
> > - Is this the only application in your Tomcat? If not, is there another
> > application that uses the java.net.Authenticator class?
> > This is the only app.
> >
> > - Does your application create multiple sessions with different users? (That
> > doesn't work with NTLM.)
> > That is the ultimate intent, but for the purpose of my test I am the only
> > user. Could you please expand on why NTLM wouldn't work with multiple users?
> > Is it not designed for this use case? (I have no expertise in NTLM). Also I
> > found that IE was able to connect to the SharePoint instance without asking
> > for username/password, whereas Firefox was not able to do this. My
> > understanding is that NTLM uses the logged in user's credentials. So does it
> > even accept username/password?
> >
> >
> > - Does it fail immediately when it tries to retrieve the repository infos?
> > If not, you are running in another known problem with NTLM. Some operations
> > have to be repeated once in a while to work correctly.
> >
> > Don't understand what you mean by failing immediately. This is what I am
> > seeing (some items truncated)
> >
> > OpenCMIS
> >
> > GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
> >
> > IIS/SharePoint
> >
> > HTTP/1.1 401 Unauthorized
> > Server: Microsoft-IIS/7.5
> > SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039
> > WWW-Authenticate: Negotiate
> > WWW-Authenticate: NTLM
> >
> > OpenCMIS
> >
> > GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6
> > User-Agent: Apache Chemistry OpenCMIS
> > Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04=
> >
> > IIS/SharePoint
> >
> > HTTP/1.1 401 Unauthorized
> > Server: Microsoft-IIS/7.5
> > SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a
> > WWW-Authenticate: NTLM Tl..............AA=
> > WWW-Authenticate: Negotiate
> >
> > This keeps on going 39 times and finally OpenCMIS gives up
> >
> > Naresh
> >
> > On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller <florian.mueller@alfresco.com> wrote:
> >
> >> Naresh,
> >>
> >> A few checkpoints:
> >>
> >> - Are you setting the NTLMAuthenticationProvider in the session parameters?
> >> - Follows the user name the pattern "\"?
> >> - Is this the only application in your Tomcat? If not, is there another
> >> application that uses the java.net.Authenticator class?
> >> - Does your application create multiple sessions with different users?
> >> (That doesn't work with NTLM.)
> >> - Does it fail immediately when it tries to retrieve the repository infos?
> >> If not, you are running in another known problem with NTLM. Some operations
> >> have to be repeated once in a while to work correctly.
> >>
> >> Again, NTLM is not a viable option for a production system.
> >>
> >>
> >> - Florian
> >>
> >>
> >> On 16/09/2011 02:54, Naresh Bhatia wrote:
> >>> George,
> >>>
> >>> Per your suggestion, I used Fiddler to monitor the traffic between CMIS
> >>> Workbench and SP. CMIS workbench (as well as my standalone OpenCMIS program)
> >>> is able to authenticate successfully in 2 tries. However I can't figure out
> >>> what credentials are being sent to SP as they are hashed or encrypted, e.g.
> >>>
> >>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04=
> >>>
> >>> How did you figure out what this means?
> >>>
> >>> Anyway, when I try the same experiment with OpenCMIS running on Tomcat,
> >>> OpenCMIS tries 39 times to authenticate, but the server keeps on returning
> >>> 401's. OpenCMIS finally gives up. Again, the Authorization headers are
> >>> encrypted, so I really don't know what OpenCMIS is trying to do.
> >>>
> >>> Any further pointers on this issue?
> >>>
> >>> Thanks.
> >>> Naresh
> >>>
> >>>
> >>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George <George.Florentine@flatironssolutions.com> wrote:
> >>>
> >>>> Naresh, I'd suggest using Wireshark or some other network protocol analyzer
> >>>> to look at the packets going between your application and the SharePoint
> >>>> CMIS producer endpoint. I found that very useful when trying to debug
> >>>> authorization issues between the OpenCMIS client and the SP server. For
> >>>> example, I discovered that when you specify NTLM as the authentication
> >>>> mechanism, the OpenCMIS client tries to first send the credentials of the
> >>>> process persona your web is running in on your app server before it sends
> >>>> the credentials you specify in your code. I would never have figured that
> >>>> out without looking at network packets... You might also want to post to the
> >>>> group what calls you're making to the OpenCMIS classes to set authorization
> >>>> type and creds. That info will be useful in determining why your app is
> >>>> behaving differently from the CMIS Workbench client.
> >>>>
> >>>> thx,
> >>>>
> >>>> g
> >>>> ---
> >>>>
> >>>> George Florentine
> >>>> VP, Engineering
> >>>> +1 (303) 542-2173 | Office
> >>>> +1 (303) 669-8628 | Cell
> >>>> +1 (303) 544-0522 | Fax
> >>>> george.florentine@flatironssolutions.com
> >>>> http://www.flatironssolutions.com
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
> >>>> Sent: Wednesday, September 07, 2011 6:50 PM
> >>>> To: dev@chemistry.apache.org
> >>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
> >>>>
> >>>> Jérôme,
> >>>>
> >>>> I made quite a bit of progress based on your suggestions. I have figured out
> >>>> what my Library Id is.
> >>>> I can access the library using the CMIS Workbench and
> >>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get it to
> >>>> work through my web application - it is giving me
> >>>> a CmisUnauthorizedException:
> >>>>
> >>>> org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: Unauthorized
> >>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423)
> >>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552)
> >>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716)
> >>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62)
> >>>>     at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69)
> >>>>     at org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610)
> >>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92)
> >>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64)
> >>>>     at com.wellmanage.wellington2go.domain.cmis.CmisSession.(CmisSession.java:69)
> >>>>
> >>>> The parameters I am passing to SessionFactory.createSession() are exactly
> >>>> the same as what I pass to my standalone app, so I can't understand why I
> >>>> get the CmisUnauthorizedException.
> >>>>
> >>>> Another interesting thing is that my standalone program (and CMIS Workbench)
> >>>> can access SharePoint even if I don't pass a username and password. That's
> >>>> really puzzling.
> >>>>
> >>>> Anything you can make out of this?
> >>>>
> >>>> Thanks.
> >>>> Naresh
> >>>>
> >>>>
> >>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard wrote:
> >>>>
> >>>>> Naresh,
> >>>>>
> >>>>> Sorry I meant Library id.
> >>>>>
> >>>>> Your best bet would be to use the CMIS Workbench to connect to SharePoint
> >>>>> using the webservice binding, once connected you will see the Library ID of
> >>>>> all the available SharePoint libraries. It should have this form
> >>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f.
> >>>>>
> >>>>> Good luck,
> >>>>> Jérôme
> >>>>>
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
> >>>>> Sent: 2 September 2011 15:36
> >>>>> To: dev@chemistry.apache.org
> >>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
> >>>>>
> >>>>> Thanks so much Jérôme. I will give it a shot.
> >>>>>
> >>>>> What is a Site ID btw?
> >>>>>
> >>>>> Naresh
> >>>>>
> >>>>>
> >>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard wrote:
> >>>>>
> >>>>>> Hi Naresh,
> >>>>>>
> >>>>>> You must use the same URL for each service, i.e.
> >>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx
> >>>>>>
> >>>>>> To use the AtomPub binding, your URL should include the Site ID, like this:
> >>>>>>
> >>>>>> http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Jérôme
> >>>>>>
> >>>>>>
> >>>>>> Jérôme Simard
> >>>>>> Principal Software Architect | T 418-525-0606 #2264 | F 418-525-0909
> >>>>>> 400, boul. Jean-Lesage, Suite 38 | Québec, QC, Canada, G1K 8W1 |
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Naresh Bhatia [mailto:bhatian@comcast.net]
> >>>>>> Sent: 2 September 2011 15:09
> >>>>>> To: dev
> >>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS
> >>>>>>
> >>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was given a URL
> >>>>>> for the WSDL by my sysadmin (something like
> >>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it looks like
> >>>>>> the URL has a combined WSDL for all CMIS services. Looking at this OpenCMIS
> >>>>>> example <http://chemistry.apache.org/java/examples/example-create-session.html>,
> >>>>>> it appears that I need one URL per service.
> >>>>>>
> >>>>>>
> >>>>>> 1. How do I go about connecting to Sharepoint using this combined WSDL?
> >>>>>>    Does Sharepoint also publish separate WSDLs as shown in the example?
> >>>>>> 2. Does sharepoint support AtomPub?
> >>>>>>
> >>>>>>
> >>>>>> Thanks.
> >>>>>> Naresh
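
Added example, not part of the thread and not OpenCMIS code: the `Authorization: NTLM ...` and `WWW-Authenticate: NTLM ...` values in the traces above are base64-encoded NTLMSSP messages, so a captured line can be decoded to see which domain, workstation and (in the Type 3 message) account the client actually offers. The sample headers are constructed from the made-up names EXAMPLE and WS01; the function names are hypothetical and the field offsets follow the NTLMSSP message layout.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE

def _field(msg, pos, flags=0):
    """Follow the security buffer (len, maxlen, offset) at pos to its text."""
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    enc = "utf-16-le" if flags & UNICODE else "ascii"  # Type 1 names are OEM
    return msg[offset:offset + length].decode(enc, "replace")

def parse_ntlm_header(line):
    """Decode the NTLMSSP token in an Authorization/WWW-Authenticate line."""
    token = line.strip().rpartition(" ")[2]
    msg = base64.b64decode(token, validate=True)  # base64, not encryption
    if not msg.startswith(SIG):
        raise ValueError("no NTLMSSP message in header")
    try:
        (mtype,) = struct.unpack_from("<I", msg, 8)
        if mtype == 1:  # NEGOTIATE, client: host names only, no account yet
            return {"type": 1, "domain": _field(msg, 16),
                    "workstation": _field(msg, 24)}
        if mtype == 2:  # CHALLENGE, server: target name and 8-byte nonce
            (flags,) = struct.unpack_from("<I", msg, 20)
            return {"type": 2, "target": _field(msg, 12, flags),
                    "challenge": msg[24:32].hex()}
        if mtype == 3:  # AUTHENTICATE, client: the account actually offered
            (flags,) = struct.unpack_from("<I", msg, 60)
            return {"type": 3, "domain": _field(msg, 28, flags),
                    "user": _field(msg, 36, flags),
                    "workstation": _field(msg, 44, flags)}
    except struct.error as exc:
        raise ValueError("truncated NTLM message") from exc
    raise ValueError("unknown NTLM message type %d" % mtype)

def constructed_samples():
    """Type 1 and Type 2 headers built from made-up names (not from the thread)."""
    t1 = (SIG + struct.pack("<II", 1, 0x3207) + struct.pack("<HHI", 7, 7, 36)
          + struct.pack("<HHI", 4, 4, 32) + b"WS01" + b"EXAMPLE")
    t2 = (SIG + struct.pack("<I", 2) + struct.pack("<HHI", 14, 14, 48)
          + struct.pack("<I", 0x0205) + bytes.fromhex("0123456789abcdef")
          + bytes(16) + "EXAMPLE".encode("utf-16-le"))
    return ["Authorization: NTLM " + base64.b64encode(t1).decode(),
            "WWW-Authenticate: NTLM " + base64.b64encode(t2).decode()]

if __name__ == "__main__":
    print([parse_ntlm_header(h) for h in constructed_samples()])
```

Header lines copied whole from a Fiddler or Wireshark capture can be passed in as they are; a token shortened with dots, like the ones quoted in this thread, is rejected with a `ValueError` rather than decoded.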