This is the wrong mailing list for SharePoint configuration questions. ;-) I think it is possible, but you should talk to a SharePoint expert.
Also, turn cookies on. (The OpenCMIS 0.5.0 release should be available in a few days.)

Florian

On 16/09/2011 19:38, Naresh Bhatia wrote:
> Thanks Florian - this is VERY helpful. Do you know if SharePoint can be
> configured to handle Basic Authentication in addition to NTLM, or does it
> have to be only one of the two?
>
> Thanks.
> Naresh
>
> On Fri, Sep 16, 2011 at 12:12 PM, Florian Müller <[email protected]> wrote:
>
>> Hi Naresh,
>>
>> There are multiple issues with NTLM. Some are related to how NTLM is
>> handled in Java; some are related to the combination of NTLM and chunking.
>>
>> Unfortunately, there is only one static java.net.Authenticator object in
>> Java, that is responsible for the NTLM credentials.
>> If there is only one user (-> CMIS Workbench) then this limitation is no
>> problem. If the application should be able to connect with multiple users,
>> then this becomes a major issue.
>> The only information the Authenticator object gets, when it is asked for
>> credentials, is the URL. Since the CMIS URLs are all the same for all users,
>> there is no way to pick the right credentials.
>> That's a road block for your use-case.
>>
>> The second problem is chunking. OpenCMIS is optimized for handling really
>> big documents. It doesn't buffer the documents, it streams them directly to
>> the repository. In order to do that it sends the documents in chunks.
>> NTLM authenticates TCP connections, not requests. If such a request with
>> chunks hits an unauthenticated TCP connection, it fails. The next attempt
>> will probably work because the connection will be authenticated after the
>> failure.
>> There would be ways to avoid this and make sure that all connections are
>> always authenticated with the right user but nobody has written this code
>> for OpenCMIS yet.
>> The new cookie support in OpenCMIS 0.5.0 may solve this particular issue
>> when OpenCMIS talks to SharePoint, but that hasn't been verified.
>>
>> Conclusion: NTLM makes more or less sense for web browsers. It is less than
>> optimal for APIs - especially when you are connecting from Java.
>> The only viable solution is to reconfigure the SharePoint server to accept
>> basic authentication.
>>
>>
>> Florian
>>
>>
>> On 16/09/2011 16:15, Naresh Bhatia wrote:
>>> Hi Florian,
>>>
>>> My responses below:
>>>
>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>>>
>>> Yes, this is how I am doing it:
>>> parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
>>>     "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider");
>>>
>>> - Does the user name follow the pattern "<domain>\<login>"?
>>> Tried it with and without the domain name.
>>>
>>> - Is this the only application in your Tomcat? If not, is there another
>>> application that uses the java.net.Authenticator class?
>>> This is the only app.
>>>
>>> - Does your application create multiple sessions with different users? (That
>>> doesn't work with NTLM.)
>>> That is the ultimate intent, but for the purpose of my test I am the only
>>> user. Could you please expand on why NTLM wouldn't work with multiple users?
>>> Is it not designed for this use case? (I have no expertise in NTLM). Also I
>>> found that IE was able to connect to the SharePoint instance without asking
>>> for username/password, whereas Firefox was not able to do this. My
>>> understanding is that NTLM uses the logged in user's credentials. So does it
>>> even accept username/password?
>>>
>>>
>>> - Does it fail immediately when it tries to retrieve the repository infos?
>>> If not, you are running into another known problem with NTLM. Some operations
>>> have to be repeated once in a while to work correctly.
>>>
>>> Don't understand what you mean by failing immediately. This is what I am
>>> seeing (some items truncated)
>>>
>>> OpenCMIS
>>>
>>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6<http://mdctstwinsp1001/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6>
>>>
>>> IIS/SharePoint
>>>
>>> HTTP/1.1 401 Unauthorized
>>> Server: Microsoft-IIS/7.5
>>> SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039
>>> WWW-Authenticate: Negotiate
>>> WWW-Authenticate: NTLM
>>>
>>> OpenCMIS
>>>
>>> GET http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6<http://mdctstwinsp1001/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6>
>>> User-Agent: Apache Chemistry OpenCMIS
>>> Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04=
>>>
>>> IIS/SharePoint
>>>
>>> HTTP/1.1 401 Unauthorized
>>> Server: Microsoft-IIS/7.5
>>> SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a
>>> WWW-Authenticate: NTLM Tl..............AA=
>>> WWW-Authenticate: Negotiate
>>>
>>> This keeps on going 39 times and finally OpenCMIS gives up
>>>
>>> Naresh
>>>
>>> On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller <[email protected]> wrote:
>>>
>>>> Naresh,
>>>>
>>>> A few checkpoints:
>>>>
>>>> - Are you setting the NTLMAuthenticationProvider in the session parameters?
>>>> - Does the user name follow the pattern "<domain>\<login>"?
>>>> - Is this the only application in your Tomcat? If not, is there another
>>>> application that uses the java.net.Authenticator class?
>>>> - Does your application create multiple sessions with different users?
>>>> (That doesn't work with NTLM.)
>>>> - Does it fail immediately when it tries to retrieve the repository infos?
>>>> If not, you are running into another known problem with NTLM. Some operations
>>>> have to be repeated once in a while to work correctly.
>>>>
>>>> Again, NTLM is not a viable option for a production system.
>>>>
>>>>
>>>> - Florian
>>>>
>>>>
>>>> On 16/09/2011 02:54, Naresh Bhatia wrote:
>>>>> George,
>>>>>
>>>>> Per your suggestion, I used Fiddler to monitor the traffic between CMIS
>>>>> Workbench and SP. CMIS workbench (as well as my standalone OpenCMIS program)
>>>>> is able to authenticate successfully in 2 tries. However I can't figure out
>>>>> what credentials are being sent to SP as they are hashed or encrypted, e.g.
>>>>>
>>>>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04=
>>>>>
>>>>> How did you figure out what this means?
>>>>>
>>>>> Anyway, when I try the same experiment with OpenCMIS running on Tomcat,
>>>>> OpenCMIS tries 39 times to authenticate, but the server keeps on returning
>>>>> 401's. OpenCMIS finally gives up. Again, the Authorization headers are
>>>>> encrypted, so I really don't know what OpenCMIS is trying to do.
>>>>>
>>>>> Any further pointers on this issue?
>>>>>
>>>>> Thanks.
>>>>> Naresh
>>>>>
>>>>>
>>>>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George <[email protected]> wrote:
>>>>>
>>>>>> Naresh, I'd suggest using Wireshark or some other network protocol analyzer
>>>>>> to look at the packets going between your application and the SharePoint
>>>>>> CMIS producer endpoint. I found that very useful when trying to debug
>>>>>> authorization issues between the OpenCMIS client and the SP server. For
>>>>>> example, I discovered that when you specify NTLM as the authentication
>>>>>> mechanism, the OpenCMIS client tries to first send the credentials of the
>>>>>> process persona your web is running in on your app server before it sends
>>>>>> the credentials you specify in your code. I would never have figured that
>>>>>> out without looking at network packets...You might also want to post to the
>>>>>> group what calls you're making to the OpenCMIS classes to set authorization
>>>>>> type and creds. That info will be useful in determining why your app is
>>>>>> behaving differently from the CMIS Workbench client.
>>>>>>
>>>>>> thx,
>>>>>>
>>>>>> g
>>>>>> ---
>>>>>>
>>>>>> George Florentine
>>>>>> VP, Engineering
>>>>>>
>>>>>> +1 (303) 542-2173 | Office
>>>>>> +1 (303) 669-8628 | Cell
>>>>>> +1 (303) 544-0522 | Fax
>>>>>>
>>>>>> [email protected]
>>>>>> http://www.flatironssolutions.com
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Naresh Bhatia [mailto:[email protected]]
>>>>>> Sent: Wednesday, September 07, 2011 6:50 PM
>>>>>> To: [email protected]
>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>
>>>>>> Jérôme,
>>>>>>
>>>>>> I made quite a bit of progress based on your suggestions. I have figured out
>>>>>> what my Library Id is. I can access the library using the CMIS Workbench and
>>>>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get it to
>>>>>> work through my web application - it is giving me
>>>>>> a CmisUnauthorizedException:
>>>>>>
>>>>>> org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: Unauthorized
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62)
>>>>>>     at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69)
>>>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610)
>>>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92)
>>>>>>     at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64)
>>>>>>     at com.wellmanage.wellington2go.domain.cmis.CmisSession.<init>(CmisSession.java:69)
>>>>>>
>>>>>> The parameters I am passing to SessionFactory.createSession() are exactly
>>>>>> the same as what I pass to my standalone app, so I can't understand why I
>>>>>> get the CmisUnauthorizedException.
>>>>>>
>>>>>> Another interesting thing is that my standalone program (and CMIS Workbench)
>>>>>> can access SharePoint even if I don't pass a username and password.
>>>>>> That's really puzzling.
>>>>>>
>>>>>> Anything you can make out of this?
>>>>>>
>>>>>> Thanks.
>>>>>> Naresh
>>>>>>
>>>>>>
>>>>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard <[email protected]> wrote:
>>>>>>
>>>>>>> Naresh,
>>>>>>>
>>>>>>> Sorry I meant Library id.
>>>>>>>
>>>>>>> Your best bet would be to use the CMIS Workbench to connect to SharePoint
>>>>>>> using the webservice binding, once connected you will see the Library ID of
>>>>>>> all the available SharePoint libraries. It should have this form
>>>>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f.
>>>>>>>
>>>>>>> Good luck,
>>>>>>> Jérôme
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Naresh Bhatia [mailto:[email protected]]
>>>>>>> Sent: 2 septembre 2011 15:36
>>>>>>> To: [email protected]
>>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>>
>>>>>>> Thanks so much Jérôme. I will give it a shot.
>>>>>>>
>>>>>>> What is a Site ID btw?
>>>>>>>
>>>>>>> Naresh
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Naresh,
>>>>>>>>
>>>>>>>> You must use the same URL for each service, i.e.
>>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx
>>>>>>>>
>>>>>>>> To use the AtomPub binding, your URL should include the Site ID, like this:
>>>>>>>>
>>>>>>>> http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jérôme
>>>>>>>>
>>>>>>>>
>>>>>>>> Jérôme Simard
>>>>>>>> Principal Software Architect | T 418-525-0606 #2264 | F 418-525-0909
>>>>>>>> 400, boul. Jean-Lesage, Suite 38 | Québec, QC, Canada, G1K 8W1 |
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Naresh Bhatia [mailto:[email protected]]
>>>>>>>> Sent: 2 septembre 2011 15:09
>>>>>>>> To: dev
>>>>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS
>>>>>>>>
>>>>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was given a URL
>>>>>>>> for the WSDL by my sysadmin (something like
>>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it looks like
>>>>>>>> the URL has a combined WSDL for all CMIS services. Looking at this
>>>>>>>> OpenCMIS example<http://chemistry.apache.org/java/examples/example-create-session.html>,
>>>>>>>> it appears that I need one URL per service.
>>>>>>>>
>>>>>>>>
>>>>>>>> 1. How do I go about connecting to Sharepoint using this combined WSDL?
>>>>>>>>    Does Sharepoint also publish separate WSDLs as shown in the example?
>>>>>>>> 2. Does sharepoint support AtomPub?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> Naresh
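
The `Authorization: NTLM ...` and `WWW-Authenticate: NTLM ...` values in the captures quoted in this thread are base64-encoded NTLMSSP messages. The following is an added example, not part of the thread and not OpenCMIS code, that decodes such a header to show which of the three handshake messages it carries and which names it exposes; the sample header is constructed and `EXAMPLEDOM` / `APPSRV01` are hypothetical names.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
UNICODE = 0x00000001                   # NTLMSSP_NEGOTIATE_UNICODE
MIN_LEN = {1: 32, 2: 32, 3: 64}        # fixed-size part read per message type

def _field(msg, pos, encoding):
    """Decode the bytes a (length, max length, offset) descriptor at pos points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length].decode(encoding, errors="replace")

def parse_ntlm_header(value):
    """Parse the value of an Authorization or WWW-Authenticate header: 'NTLM <base64>'."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header carrying a token")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in MIN_LEN or len(msg) < MIN_LEN[mtype]:
        raise ValueError("unknown or truncated NTLM message")
    if mtype == 1:   # NEGOTIATE, client to server: names are OEM text, no user, no secret
        return {"type": 1, "domain": _field(msg, 16, "ascii"),
                "workstation": _field(msg, 24, "ascii")}
    if mtype == 2:   # CHALLENGE, server to client: 8-byte nonce for this connection
        (flags,) = struct.unpack_from("<I", msg, 20)
        enc = "utf-16-le" if flags & UNICODE else "ascii"
        return {"type": 2, "target": _field(msg, 12, enc),
                "server_challenge": msg[24:32].hex()}
    (flags,) = struct.unpack_from("<I", msg, 60)   # AUTHENTICATE, client to server
    enc = "utf-16-le" if flags & UNICODE else "ascii"
    return {"type": 3, "domain": _field(msg, 28, enc), "user": _field(msg, 36, enc),
            "workstation": _field(msg, 44, enc)}

def sample_negotiate(domain=b"EXAMPLEDOM", workstation=b"APPSRV01"):
    """Constructed Type 1 header value (hypothetical names, not data from the thread)."""
    flags = 0x00000002 | 0x00000200 | 0x00001000 | 0x00002000
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(domain), len(domain), 32 + len(workstation))
    msg += struct.pack("<HHI", len(workstation), len(workstation), 32)
    return "NTLM " + base64.b64encode(msg + workstation + domain).decode()

if __name__ == "__main__":
    print(parse_ntlm_header(sample_negotiate()))
```

Run over each header of a proxy capture, the `type` values show how far the handshake got: a type 1 request answered by a type 2 challenge and then another type 1, with no type 3, means the exchange never reached the authenticate step.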
