You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@chemistry.apache.org by Se...@wellsfargo.com on 2014/08/22 02:41:13 UTC
OpenCMIS Workbench question
Hi,
I ran into the following scenario while attempting to use OpenCMIS Workbench with EMC Documentum implementation of CMIS. We have multiple Documentum repositories enabled on a single CMIS service endpoint. However each repository has its own security settings requiring to use unique credentials for each repository. When I attempt to use OpenCMIS Workbench with Web Services binding for this setup, OpenCMIS Workbench throws an error when trying to load the list of repositories after I press "Load Repositories" button on Login screen. Here is the partial stack trace of the error:
org.apache.chemistry.opencmis.commons.exceptions.CmisRuntimeException: Failed to get repository information
[E_QUERY_ACTION_FAILED] "QUERY" action failed. [DFC_BOF_WRONG_IDENTITY] LoginInfo and Principal for "<removed>" docbase are not defined or wrong.
[DFC_BOF_WRONG_IDENTITY] [DFC_BOF_WRONG_IDENTITY] LoginInfo and Principal for "<removed>" docbase are not defined or wrong.
at org.apache.chemistry.opencmis.client.bindings.spi.webservices.AbstractWebServicesService.convertException(AbstractWebServicesService.java:119)
at org.apache.chemistry.opencmis.client.bindings.spi.webservices.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:96)
at org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:90)
at org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.getRepositories(SessionFactoryImpl.java:135)
at org.apache.chemistry.opencmis.workbench.model.ClientSession.connect(ClientSession.java:192)
at org.apache.chemistry.opencmis.workbench.model.ClientSession.<init>(ClientSession.java:117)
at org.apache.chemistry.opencmis.workbench.LoginDialog.createClientSession(LoginDialog.java:265)
at org.apache.chemistry.opencmis.workbench.LoginDialog$1.actionPerformed(LoginDialog.java:119)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
After reviewing OpenCMIS source code, it looks like the "Load Repositories" routine includes invoking RepositoryService.getRepositoryInfos() method. The implementation of this method for the Web Services binding executes getRepositories CMIS service call, and then for each of the returned repository invokes getRepositoryInfo CMIS service call. And it appears that Documentum simply doesn't allow getRepositoryInfo CMIS service call to be executed for unauthenticated clients.
Question: our setup with multiple repositories each having unique security settings and available on a single CMIS service endpoint seems to be valid and conforming to CMIS specification. The way Documentum handles authentication for getRepositoryInfo CMIS service call for Web Services binding also appears to conform CMIS spec. 1.1 (paragraph 4.1.2). Should OpenCMIS Workbench be modified to handle this specific use case gracefully? I think that OpenCMIS Workbench should allow a user to see the list of repositories for which provided credentials work while "filtering out" all repositories for which it cannot execute getRepositoryInfo CMIS service call. Or am I missing something and our Documentum setup is against something defined in CMIS specification?
Any feedback s greatly appreciated. Thank you!
--
Sergey Alshuk
RE: OpenCMIS Workbench question
Posted by Se...@wellsfargo.com.
Hi Florian,
You are right: Documentum behavior for AtomPub binding is different. Documentum filters out the repositories on the server side based on the sent credentials. So it's partially Documentum "fault" ;-)
And thank you for changing RepositoryService implementation for Web Services binding in the trunk. I've made similar change locally yesterday to get through this issue and it worked.
--
Thanks,
Sergey
-----Original Message-----
From: Florian Müller [mailto:fmui@apache.org]
Sent: Friday, August 22, 2014 4:55 AM
To: Alshuk, Sergey; dev
Subject: Re: OpenCMIS Workbench question
Hi Sergey,
The scenario is a valid, but the server behavior is not very common. Most servers only expose the repositories that the current user can actually work with. That is, the repository list is filtered on the server side and not on the client side. OpenCMIS sends the user credentials with the getRepositories() call, which allows server side filtering.
It would be interesting to know what the AtomPub binding returns. Whatever it does, it must be inconsistent with the Web Service binding. It either filters the repositories on the server side or it provides all repository infos, which is obviously not possible with the Web Services binding.
I have changed the Web Service code now. (You have to download the source code and build it locally.) It catches exceptions thrown by getRepositoryInfo() and provides a repository info stub that only contains the repository ID and the repository name. You wouldn't be able to connect to those repositories, but since the server already revealed their existence OpenCMIS shouldn't hide them.
- Florian
> Hi,
>
> I ran into the following scenario while attempting to use OpenCMIS
> Workbench with EMC Documentum implementation of CMIS. We have multiple
> Documentum repositories enabled on a single CMIS service endpoint.
> However each repository has its own security settings requiring to use
> unique credentials for each repository. When I attempt to use OpenCMIS
> Workbench with Web Services binding for this setup, OpenCMIS Workbench
> throws an error when trying to load the list of repositories after I press "Load Repositories"
> button on Login screen. Here is the partial stack trace of the error:
>
> org.apache.chemistry.opencmis.commons.exceptions.CmisRuntimeException:
> Failed to get repository information [E_QUERY_ACTION_FAILED] "QUERY"
> action failed. [DFC_BOF_WRONG_IDENTITY] LoginInfo and Principal for
> "<removed>" docbase are not defined or wrong.
> [DFC_BOF_WRONG_IDENTITY] [DFC_BOF_WRONG_IDENTITY] LoginInfo and
> Principal for "<removed>" docbase are not defined or wrong.
> at
> org.apache.chemistry.opencmis.client.bindings.spi.webservices.AbstractWebServicesService.convertException(AbstractWebServicesService.java:119)
> at
> org.apache.chemistry.opencmis.client.bindings.spi.webservices.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:96)
> at
> org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:90)
> at
> org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.getRepositories(SessionFactoryImpl.java:135)
> at
> org.apache.chemistry.opencmis.workbench.model.ClientSession.connect(ClientSession.java:192)
> at
> org.apache.chemistry.opencmis.workbench.model.ClientSession.<init>(ClientSession.java:117)
> at
> org.apache.chemistry.opencmis.workbench.LoginDialog.createClientSession(LoginDialog.java:265)
> at
> org.apache.chemistry.opencmis.workbench.LoginDialog$1.actionPerformed(LoginDialog.java:119)
> at
> javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:199
> 5)
>
> After reviewing OpenCMIS source code, it looks like the "Load Repositories"
> routine includes invoking RepositoryService.getRepositoryInfos()
> method. The implementation of this method for the Web Services binding
> executes getRepositories CMIS service call, and then for each of the
> returned repository invokes getRepositoryInfo CMIS service call. And
> it appears that Documentum simply doesn't allow getRepositoryInfo CMIS
> service call to be executed for unauthenticated clients.
>
> Question: our setup with multiple repositories each having unique
> security settings and available on a single CMIS service endpoint
> seems to be valid and conforming to CMIS specification. The way
> Documentum handles authentication for getRepositoryInfo CMIS service
> call for Web Services binding also appears to conform CMIS spec. 1.1
> (paragraph 4.1.2). Should OpenCMIS Workbench be modified to handle
> this specific use case gracefully? I think that OpenCMIS Workbench
> should allow a user to see the list of repositories for which provided
> credentials work while "filtering out" all repositories for which it
> cannot execute getRepositoryInfo CMIS service call. Or am I missing something and our Documentum setup is against something defined in CMIS specification?
>
> Any feedback s greatly appreciated. Thank you!
>
> --
> Sergey Alshuk
>
Re: OpenCMIS Workbench question
Posted by Florian Müller <fm...@apache.org>.
Hi Sergey,
The scenario is a valid, but the server behavior is not very common. Most
servers only expose the repositories that the current user can actually work
with. That is, the repository list is filtered on the server side and not on the
client side. OpenCMIS sends the user credentials with the getRepositories()
call, which allows server side filtering.
It would be interesting to know what the AtomPub binding returns. Whatever it
does, it must be inconsistent with the Web Service binding. It either filters
the repositories on the server side or it provides all repository infos, which
is obviously not possible with the Web Services binding.
I have changed the Web Service code now. (You have to download the source code
and build it locally.)
It catches exceptions thrown by getRepositoryInfo() and provides a repository
info stub that only contains the repository ID and the repository name. You
wouldn't be able to connect to those repositories, but since the server already
revealed their existence OpenCMIS shouldn't hide them.
- Florian
> Hi,
>
> I ran into the following scenario while attempting to use OpenCMIS Workbench
> with EMC Documentum implementation of CMIS. We have multiple Documentum
> repositories enabled on a single CMIS service endpoint. However each
> repository has its own security settings requiring to use unique credentials
> for each repository. When I attempt to use OpenCMIS Workbench with Web
> Services binding for this setup, OpenCMIS Workbench throws an error when
> trying to load the list of repositories after I press "Load Repositories"
> button on Login screen. Here is the partial stack trace of the error:
>
> org.apache.chemistry.opencmis.commons.exceptions.CmisRuntimeException: Failed
> to get repository information
> [E_QUERY_ACTION_FAILED] "QUERY" action failed. [DFC_BOF_WRONG_IDENTITY]
> LoginInfo and Principal for "<removed>" docbase are not defined or wrong.
> [DFC_BOF_WRONG_IDENTITY] [DFC_BOF_WRONG_IDENTITY] LoginInfo and Principal for
> "<removed>" docbase are not defined or wrong.
> at
> org.apache.chemistry.opencmis.client.bindings.spi.webservices.AbstractWebServicesService.convertException(AbstractWebServicesService.java:119)
> at
> org.apache.chemistry.opencmis.client.bindings.spi.webservices.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:96)
> at
> org.apache.chemistry.opencmis.client.bindings.impl.RepositoryServiceImpl.getRepositoryInfos(RepositoryServiceImpl.java:90)
> at
> org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl.getRepositories(SessionFactoryImpl.java:135)
> at
> org.apache.chemistry.opencmis.workbench.model.ClientSession.connect(ClientSession.java:192)
> at
> org.apache.chemistry.opencmis.workbench.model.ClientSession.<init>(ClientSession.java:117)
> at
> org.apache.chemistry.opencmis.workbench.LoginDialog.createClientSession(LoginDialog.java:265)
> at
> org.apache.chemistry.opencmis.workbench.LoginDialog$1.actionPerformed(LoginDialog.java:119)
> at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
>
> After reviewing OpenCMIS source code, it looks like the "Load Repositories"
> routine includes invoking RepositoryService.getRepositoryInfos() method. The
> implementation of this method for the Web Services binding executes
> getRepositories CMIS service call, and then for each of the returned
> repository invokes getRepositoryInfo CMIS service call. And it appears that
> Documentum simply doesn't allow getRepositoryInfo CMIS service call to be
> executed for unauthenticated clients.
>
> Question: our setup with multiple repositories each having unique security
> settings and available on a single CMIS service endpoint seems to be valid and
> conforming to CMIS specification. The way Documentum handles authentication
> for getRepositoryInfo CMIS service call for Web Services binding also appears
> to conform CMIS spec. 1.1 (paragraph 4.1.2). Should OpenCMIS Workbench be
> modified to handle this specific use case gracefully? I think that OpenCMIS
> Workbench should allow a user to see the list of repositories for which
> provided credentials work while "filtering out" all repositories for which it
> cannot execute getRepositoryInfo CMIS service call. Or am I missing something
> and our Documentum setup is against something defined in CMIS specification?
>
> Any feedback s greatly appreciated. Thank you!
>
> --
> Sergey Alshuk
>