I have developed a Java client that is able to successfully commit transactions 
to FreeIPA using the json/rpc API. If it is useful, I could abstract all this 
and package it up to share. But I am seeing some interesting things - some of 
it may be my lack of experience using HttpClient but I wanted to run it by the 
list to see what should be expected.

I have been following Alexander’s guidelines 
(https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions) to 
develop this.

I am able to establish a kerberized connection to 
https://hostname/ipa/session/login_kerberos with the HttpClient, 
Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and JAAS 
config. The connection is successful and I am caching the ipa-session cookie 
string for subsequent use (sending a second command). I am performing this as a 
PrivilegedAction.

After successful authentication, I send a second transaction - a typical “list 
users” json formatted command to the server at https://hostname/ipa/json. I 
first attempted this without implementing PrivilegedAction since Alexander’s 
guide indicated I did NOT need to do any more authentication once I had a 
session key. I added a cookie header to a plain https transaction with the 
session cookie. This did not work - which surprised me. The app actually 
prompted me at this point for login credentials. Any thoughts here?

I decided to create a new PrivilegedAction class to send subsequent json 
transactions to the server. I moved my code for the 2nd connection in there. 
This works. But as a test, I commented out instructions to explicitly add the 
session cookie to the transaction. And it still works. I found that I do not 
explicitly have to add the cookie header. I am assuming that HttpClient 
natively handles cookies without explicit interaction.

Anyone with any HttpClient experience that could shed some light on some of the 
behaviors and whether they should be expected?

It does appear that I have a working client in any case.

Tim Worman
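
The session flow described in the message above (log in once, then call /ipa/json with the session cookie), as an added example that is not part of the original post and is not FreeIPA project code. It uses the JDK's java.net.http.HttpClient rather than Apache HttpClient, and a constructed local stub stands in for the FreeIPA server, so no Kerberos/SPNEGO exchange takes place; the class name, cookie value and stub behaviour are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;

public class SessionCookieDemo {
    // Constructed request body; user_find stands for the "list users" command.
    static final String JSON = "{\"method\":\"user_find\",\"params\":[[\"\"],{}],\"id\":0}";

    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, b.length);
        ex.getResponseBody().write(b);
        ex.close();
    }
    // POST with a Referer header, as the page describes; returns the HTTP status code.
    static int post(HttpClient c, String base, String path) throws Exception {
        HttpRequest r = HttpRequest.newBuilder(URI.create(base + path))
                .header("Referer", base).header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(JSON)).build();
        return c.send(r, HttpResponse.BodyHandlers.ofString()).statusCode();
    }
    public static void main(String[] args) throws Exception {
        // Constructed stub: hands out a session cookie with no SPNEGO negotiation.
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/ipa/session/login_kerberos", ex -> {
            ex.getResponseHeaders().add("Set-Cookie", "ipa_session=constructed-value; Path=/ipa");
            reply(ex, 200, "login ok");
        });
        srv.createContext("/ipa/json", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            boolean ok = cookie != null && cookie.contains("ipa_session=constructed-value")
                    && ex.getRequestHeaders().getFirst("Referer") != null;
            reply(ex, ok ? 200 : 401, ok ? "{\"result\":{},\"error\":null}" : "no session");
        });
        srv.start();
        String base = "http://127.0.0.1:" + srv.getAddress().getPort() + "/ipa";
        // Same two requests from a client with a cookie store and from one without.
        HttpClient withStore = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1)
                .cookieHandler(new CookieManager()).build();
        HttpClient noStore = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
        post(withStore, base, "/session/login_kerberos");
        System.out.println("cookie store:    /ipa/json -> " + post(withStore, base, "/json"));
        post(noStore, base, "/session/login_kerberos");
        System.out.println("no cookie store: /ipa/json -> " + post(noStore, base, "/json"));
        srv.stop(0);
    }
}
```

A client built with a cookie handler replays the stored session cookie on every later request to the same host and path without any explicit Cookie header, so keep one client and one cookie store per authenticated principal.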
