On Jun 8, 2015, at 8:25 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Mon, 08 Jun 2015, Timothy Worman wrote:
>> I have developed a java client that is able to successfully commit
>> transactions to FreeIPA using the json/rpc API. If it is useful, I
>> could abstract all this and package it up to share. But I am seeing
>> some interesting things - some of it may be my lack of experience using
>> HttpClient but I wanted to run it by the list to see what should be
>> expected.
>> 
>> I have been following Alexander’s guidelines
>> (https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions)
>> to develop this.
>> 
>> I am able to establish a kerberized connection to
>> https://hostname/ipa/session/login_kerberos with the HttpClient,
>> Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and
>> jaas config. The connection is successful and I am caching the
>> ipa-session cookie string for subsequent use (sending a second
>> command). I am performing this as a PrivilegedAction.
>> 
>> After successful authentication, I send a second transaction - a
>> typical “list users” json formatted command to the server at
>> https://hostname/ipa/json. I first attempted this without implementing
>> PrivilegedAction since Alexander’s guide indicated I did NOT need to do
>> any more authentication once  I had a session key. I added a cookie
>> header to a plain https transaction with the session cookie. This did
>> not work - which surprised me. The app actually prompted me at this
>> point for login credentials. Any thoughts here?
> You have to use session-enabled end point -- /ipa/session/json, not
> normal one. I think my article points out this clearly.

It probably does, and I probably missed it as people sometimes do. ;-) I will 
run some tests with this.

> I decided to create a new PrivilegedAction class to send subsequent
>> json transactions to the server. I moved my code for the 2nd connection
>> in there. This works. But as a test, I commented out instructions to
>> explicitly add the session cookie to the transaction. And it still
>> works. I found that I do not explicitly have to add the cookie header.
>> I am assuming that HttpClient natively handles cookies without explicit
>> interaction.
> Yes, HttpClient automatically parses cookies sent in responses and puts
> them into a cookie store. Unless you are explicitly managing the cookie
> store, the default is to use the same cookie store for all requests sent
> associated with the client instance.
> 
>> It does appear that I have a working client in any case.
> Great!

Yes. In further tests I’ve actually found I do not need the initial connection 
I spoke of. If I use HttpClient initialized as I described and simply post my 
json to https://hostname/ipa/json a connection is negotiated and the list users 
transaction appears to go through normally.

Alexander, your write-up was very helpful. Thanks.

> -- 
> / Alexander Bokovoy


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to