This is awesome George! Thanks so much. Can wait to try out all these goodies!
Have a great weekend. Naresh On Fri, Sep 16, 2011 at 4:54 PM, Florentine, George < [email protected]> wrote: > Naresh, a bit more ammunition for you :) We're using OpenCMIS to talk to > SharePoint using Basic Authentication. You turn Basic authentication on in > the IIS manager for the SP site. Once that's on, you can use this type of > code to tell OpenCMIS to use Basic Authentication and cookies: > > // enable cookies > CookieManager cm = new CookieManager(); > CookieHandler.setDefault(cm); > > SessionFactory sessionFactory = > SessionFactoryImpl.newInstance(); > parameters.put(SessionParameter.USER, user); > parameters.put(SessionParameter.PASSWORD, pass); > parameters.put(SessionParameter.ATOMPUB_URL, repoURI); > parameters.put(SessionParameter.AUTH_HTTP_BASIC, "true"); > > parameters.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS, > CmisBindingFactory.STANDARD_AUTHENTICATION_PROVIDER); > > I'd re-emphasize what Florian's already mentioned - if the SP site is part > of a domain, you'll want to pass user creds in the form domain\user_name. > Also, I think the cookie support in 0.5.0 would be useful to you. In our > testing, once SP authenticates you using Basic Authentication it sends back > a cookie for use in subsequent messages. Having that in your subsequent > response should speed up the overall messaging between your code and the SP > server. > > thx, > > g > --- > > > George Florentine > > VP, Engineering > > +1 (303) 542-2173 | Office > +1 (303) 669-8628 | Cell > +1 (303) 544-0522 | Fax > > [email protected] > > http://www.flatironssolutions.com > > > > > > > > > > -----Original Message----- > From: Florian Müller [mailto:[email protected]] > Sent: Friday, September 16, 2011 12:59 PM > To: [email protected] > Cc: Naresh Bhatia > Subject: Re: Pointers on connecting to Sharepoint 2010 using OpenCMIS > > This is the wrong mailing list for SharePoint configuration questions. ;-) > I think it is possible, but you should talk to a SharePoint expert. > > Also, turn cookies on. (The OpenCMIS 0.5.0 release should be available in a > few days.) > > > Florian > > > On 16/09/2011 19:38, Naresh Bhatia wrote: > > Thanks Florian - this is VERY helpful. Do you know if SharePoint can be > > configured to handle Basic Authentication in addition to NTLM, or does it > > have to be only one of the two. > > > > Thanks. > > Naresh > > > > > > > > On Fri, Sep 16, 2011 at 12:12 PM, Florian Müller < > > [email protected]> wrote: > > > >> Hi Naresh, > >> > >> There are multiple issues with NTML. Some are related to how NTLM is > >> handled in Java; some are related to the combination of NTLM and > chunking. > >> > >> Unfortunately, there is only one static java.net.Authenticator object in > >> Java, that is responsible for the NTML credentials. > >> If there is only one user (-> CMIS Workbench) than this limitation is no > >> problem. If the application should be able to connect with multiple > users, > >> that this becomes a major issue. > >> The only information the Authenticator object gets, when it is asked for > >> credentials, is the URL. Since the CMIS URLs are all the same for all > users, > >> there is no way to pick the right credentials. > >> That's a road block for your use-case. > >> > >> The second problem is chucking. OpenCMIS is optimized for handling > really > >> big documents. It doesn't buffer the documents, it streams them directly > to > >> the repository. In order to do that it sends the documents in chunks. > >> NTLM authenticates TCP connections, not requests. If such a request with > >> chucks hits an unauthenticated TCP connection, it fails. The next > attempt > >> will probably work because the connection will be authenticated after > the > >> failure. > >> There would be ways to avoid this and make sure that all connections are > >> always authenticated with the right user but nobody has written this > code > >> for OpenCMIS yet. > >> The new cookie support in OpenCMIS 0.5.0 may solve this particular issue > >> when OpenCMIS talks to SharePoint, but that hasn't been verified. > >> > >> Conclusion: NTML makes more or less sense for web browsers. It is less > than > >> optimal for APIs - especially when you are connecting from Java. > >> The only viable solution is to reconfigure the SharePoint server to > accept > >> basic authentication. > >> > >> > >> Florian > >> > >> > >> > >> On 16/09/2011 16:15, Naresh Bhatia wrote: > >>> Hi Florian, > >>> > >>> My responses below: > >>> > >>> - Are you setting the NTLMAuthenticationProvider in the session > >> parameters? > >>> > >>> Yes, this is how I am doing it: > >>> parameter.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS, > >>> > >>> > >> > "org.apache.chemistry.opencmis.client.bindings.spi.NTLMAuthenticationProvider"); > >>> > >>> - Follows the user name the pattern "<domain>\<login>"? > >>> Tried it with and without the domain name. > >>> > >>> - Is this the only application in your Tomcat? If not, is there another > >>> application that uses the java.net.Authenticator class? > >>> This is the only app. > >>> > >>> - Does your application create multiple sessions with different users? > >> (That > >>> doesn't work with NTLM.) > >>> That is the ultimate intent, but for the purpose of my test I am the > only > >>> user. Could you please expand on why NTLM wouldn't work with multiple > >> users? > >>> Is it not designed for this use case? (I have no expertise in NTLM). > Also > >> I > >>> found that IE was able to connect to the SharePoint instance without > >> asking > >>> for username/password, whereas Firefox was not able to do this. My > >>> understanding is that NTLM uses the logged in user's credentials. So > does > >> it > >>> even accept username/password? > >>> > >>> > >>> - Does it fail immediately when it tries to retrieve the repository > >> infos? > >>> If not, you are running in another known problem with NTLM. Some > >> operations > >>> have to be repeated once in a while to work correctly. > >>> > >>> Don't understand what you mean by failing immediately. This is what I > am > >>> seeing (some items truncated) > >>> > >>> OpenCMIS > >>> > >>> GET > >>> > >> > http://spserver/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6 > >> < > >> > http://mdctstwinsp1001/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6 > >>> > >>> > >>> > >>> > >>> IIS/SharePoint > >>> > >>> HTTP/1.1 401 Unauthorized > >>> > >>> Server: Microsoft-IIS/7.5 > >>> > >>> SPRequestGuid: 8cbad6ff-9285-4dac-b114-2e6250560039 > >>> > >>> WWW-Authenticate: Negotiate > >>> > >>> WWW-Authenticate: NTLM > >>> > >>> > >>> > >>> OpenCMIS > >>> > >>> GET http://< > >> > http://mdctstwinsp1001/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6 > >>> > >>> spserver< > >> > http://mdctstwinsp1001/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6 > >>> > >>> > >> > /_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6< > >> > http://mdctstwinsp1001/_vti_bin/cmis/rest/60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6?getrepositoryinfo&repositoryId=60dae9c3-b9b0-4cc7-90e4-3af5b6ff25f6 > >>> > >>> > >>> User-Agent: Apache Chemistry OpenCMIS > >>> > >>> Authorization: NTLM TlRMTVNTUAABAAA..............ExJTkdUT04= > >>> > >>> > >>> > >>> IIS/SharePoint > >>> > >>> HTTP/1.1 401 Unauthorized > >>> > >>> Server: Microsoft-IIS/7.5 > >>> > >>> SPRequestGuid: 6fba00b8-f55f-4374-98a1-bb2c3fcfc00a > >>> > >>> WWW-Authenticate: NTLM Tl..............AA= > >>> > >>> WWW-Authenticate: Negotiate > >>> > >>> > >>> > >>> This keeps on going 39 times and finally OpenCMIS gives up > >>> > >>> Naresh > >>> > >>> On Fri, Sep 16, 2011 at 10:18 AM, Florian Müller < > >>> [email protected]> wrote: > >>> > >>>> Naresh, > >>>> > >>>> A few checkpoints: > >>>> > >>>> - Are you setting the NTLMAuthenticationProvider in the session > >> parameters? > >>>> - Follows the user name the pattern "<domain>\<login>"? > >>>> - Is this the only application in your Tomcat? If not, is there > another > >>>> application that uses the java.net.Authenticator class? > >>>> - Does your application create multiple sessions with different users? > >>>> (That doesn't work with NTLM.) > >>>> - Does it fail immediately when it tries to retrieve the repository > >> infos? > >>>> If not, you are running in another known problem with NTLM. Some > >> operations > >>>> have to be repeated once in a while to work correctly. > >>>> > >>>> Again, NTLM is not a viable option for a production system. > >>>> > >>>> > >>>> - Florian > >>>> > >>>> > >>>> On 16/09/2011 02:54, Naresh Bhatia wrote: > >>>>> George, > >>>>> > >>>>> Per your suggestion, I used Fiddler to monitor the traffic between > CMIS > >>>>> Workbench and SP. CMIS workbench (as well as my standalone OpenCMIS > >>>> program) > >>>>> is able to authenticate successfully in 2 tries. However I can't > figure > >>>> out > >>>>> what credentials are being sent to SP as they are hashed or > encrypted, > >>>> e.g. > >>>>> > >>>>> Authorization: NTLM TlRMTVNTUAAB...EQ0RTSzAxQkhBVElOQVdFTExJTkdUT04= > >>>>> > >>>>> How did you figure out what this means? > >>>>> > >>>>> Anyway, when I try the same experiment with OpenCMIS running on > Tomcat, > >>>>> OpenCMIS tries 39 times to authenticate, but the server keeps on > >>>> returning > >>>>> 401's. OpenCMIS finally gives up. Again, the Authorization headers > are > >>>>> encrypted, so I really don's know what OpenCMIS is trying to do. > >>>>> > >>>>> Any further pointers on this issue? > >>>>> > >>>>> Thanks. > >>>>> Naresh > >>>>> > >>>>> > >>>>> On Thu, Sep 8, 2011 at 1:10 AM, Florentine, George < > >>>>> [email protected]> wrote: > >>>>> > >>>>>> Naresh, I'd suggest using Wireshark or some other network protocol > >>>> analyzer > >>>>>> to look at the packets going between your application and the > >> SharePoint > >>>>>> CMIS producer endpoint. I found that very useful when trying to > debug > >>>>>> authorization issues between the OpenCMIS client and the SP server. > >> For > >>>>>> example, I discovered that when you specify NTLM as the > authentication > >>>>>> mechanism, the OpenCMIS client tries to first send the credentials > of > >>>> the > >>>>>> process persona your web is running in on your app server before it > >>>> sends > >>>>>> the credentials you specify in your code. I would never have figured > >>>> that > >>>>>> out without looking at network packets...You might also want to post > >> to > >>>> the > >>>>>> group what calls you're making to the OpenCMIS classes to set > >>>> authorization > >>>>>> type and creds. That info will be useful in determining why your app > >> is > >>>>>> behaving differently from the CMIS Workbench client. > >>>>>> > >>>>>> thx, > >>>>>> > >>>>>> g > >>>>>> --- > >>>>>> > >>>>>> > >>>>>> George Florentine > >>>>>> > >>>>>> VP, Engineering > >>>>>> > >>>>>> +1 (303) 542-2173 | Office > >>>>>> +1 (303) 669-8628 | Cell > >>>>>> +1 (303) 544-0522 | Fax > >>>>>> > >>>>>> [email protected] > >>>>>> > >>>>>> http://www.flatironssolutions.com > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> -----Original Message----- > >>>>>> From: Naresh Bhatia [mailto:[email protected]] > >>>>>> Sent: Wednesday, September 07, 2011 6:50 PM > >>>>>> To: [email protected] > >>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using > OpenCMIS > >>>>>> > >>>>>> Jérôme, > >>>>>> > >>>>>> I made quite a bit of progress based on your suggestions. I have > >> figured > >>>>>> out > >>>>>> what my Library Id is. I can access the library using the CMIS > >> Workbench > >>>>>> and > >>>>>> my own standalone OpenCMIS app. The last hurdle is that I cannot get > >> it > >>>> to > >>>>>> work through my web application - it is giving me > >>>>>> a CmisUnauthorizedException: > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException: > >>>>>> Unauthorized > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.convertStatusCode(AbstractAtomPubService.java:423) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.read(AbstractAtomPubService.java:552) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.bindings.spi.atompub.AbstractAtomPubService.getRepositoriesInternal(AbstractAtomPubService.java:716) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.bindings.spi.atompub.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:62) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfo(RepositoryServiceImpl.java:69) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.runtime.SessionImpl.connect(SessionImpl.java:610) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:92) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.createSession(SessionFactoryImpl.java:64) > >>>>>> at > >>>>>> > >>>>>> > >>>> > >> > com.wellmanage.wellington2go.domain.cmis.CmisSession.<init>(CmisSession.java:69) > >>>>>> > >>>>>> The parameters I am passing to SessionFactory.createSession() are > >>>> exactly > >>>>>> the same as what I pass to my standalone app, so I can't understand > >> why > >>>> I > >>>>>> get the CmisUnauthorizedException. > >>>>>> > >>>>>> Another interesting thing is that my standalone program (and CMIS > >>>>>> Workbench) > >>>>>> can access SharePoint even if I don't pass a username and password. > >>>> That's > >>>>>> really puzzling. > >>>>>> > >>>>>> Anything you can make out of this? > >>>>>> > >>>>>> Thanks. > >>>>>> Naresh > >>>>>> > >>>>>> > >>>>>> > >>>>>> On Fri, Sep 2, 2011 at 3:44 PM, Jérome Simard <[email protected]> > >>>> wrote: > >>>>>> > >>>>>>> Naresh, > >>>>>>> > >>>>>>> Sorry I meant Library id. > >>>>>>> > >>>>>>> Your best bet would be to use the CMIS Workbench to connect to > >>>> SharePoint > >>>>>>> using the webservice binding, once connected you will see the > Library > >>>> ID > >>>>>> of > >>>>>>> all the available SharePoint libraries. It should have this form > >>>>>>> 2625c04a-8ec6-4e30-bcca-d7895e87c89f. > >>>>>>> > >>>>>>> Good luck, > >>>>>>> Jérôme > >>>>>>> > >>>>>>> > >>>>>>> -----Original Message----- > >>>>>>> From: Naresh Bhatia [mailto:[email protected]] > >>>>>>> Sent: 2 septembre 2011 15:36 > >>>>>>> To: [email protected] > >>>>>>> Subject: Re: Pointers on connecting to Sharepoint 2010 using > OpenCMIS > >>>>>>> > >>>>>>> Thanks so much Jérôme. I will give it a shot. > >>>>>>> > >>>>>>> What is a Site ID btw? > >>>>>>> > >>>>>>> Naresh > >>>>>>> > >>>>>>> > >>>>>>> On Fri, Sep 2, 2011 at 3:23 PM, Jérome Simard <[email protected]> > >>>>>> wrote: > >>>>>>> > >>>>>>>> Hi Naresh, > >>>>>>>> > >>>>>>>> You must use the same URL for each services, i.e > >>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx > >>>>>>>> > >>>>>>>> To use the AtomPub binding, your URL should include the Site ID, > >> like > >>>>>>> this: > >>>>>>>> > >>>>>>>> > >>>>>>> > >>>>>> > >>>> > >> > http://spserver/_vti_bin/cmis/rest/2625c04a-8ec6-4e30-bcca-d7895e87c89f?getrepositoryinfo > >>>>>>>> > >>>>>>>> Cheers, > >>>>>>>> Jérôme > >>>>>>>> > >>>>>>>> > >>>>>>>> Jérôme Simard > >>>>>>>> Principal Software Architect | T 418-525-0606 #2264 | F > >>>>>> 418-525-0909 > >>>>>>>> 400, boul. Jean-Lesage, Suite 38 | Québec, QC, Canada, G1K 8W1 > | > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> -----Original Message----- > >>>>>>>> From: Naresh Bhatia [mailto:[email protected]] > >>>>>>>> Sent: 2 septembre 2011 15:09 > >>>>>>>> To: dev > >>>>>>>> Subject: Pointers on connecting to Sharepoint 2010 using OpenCMIS > >>>>>>>> > >>>>>>>> I am trying to connect to Sharepoint 2010 using OpenCMIS. I was > >> given > >>>> a > >>>>>>> URL > >>>>>>>> for the WSDL by my sysadmin (something like > >>>>>>>> http://spserver/_vti_bin/CMISSoapwsdl.aspx). Unfortunately, it > >> looks > >>>>>>> like > >>>>>>>> the URL have a combined WSDL for all CMIS services. Looking at > this > >>>>>>>> OpenCMIS > >>>>>>>> example< > >>>>>>>> > >> http://chemistry.apache.org/java/examples/example-create-session.html > >>>>>>> , > >>>>>>>> it appears that I need one URL per service. > >>>>>>>> > >>>>>>>> > >>>>>>>> 1. How do I go about connecting to Sharepoint using this > combined > >>>>>>> WSDL? > >>>>>>>> Does Sharepoint also publish separate WSDLs as shown in the > >>>> example. > >>>>>>>> 2. Does sharepoint support AtomPub? > >>>>>>>> > >>>>>>>> > >>>>>>>> Thanks. > >>>>>>>> Naresh > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>>> > >>>> > >>>> > >>> > >> > >> > > > >
