I did manage to get around the authentication problem by setting a java.net.Authenticator (with the CMIS username and password) for the session containing the applet, but then I got an error from the applet saying the content from the URL wasn't recognized.
So I think we don't have an issue with P8 - it's purely an issue with the viewer now. There is probably a way around it - just need to find it.. :-)

Thanks for all the help.

Tim

On Thu, Aug 28, 2014 at 8:21 PM, Lucas, Mike <mike.lu...@gwl.ca> wrote:

> Just to add one salient point, HTTP cookies are part of the HTTP spec
> (RFC6265 <http://tools.ietf.org/html/rfc6265> is the most current). So
> after receiving a Set-Cookie header with the LTPA token in it, the viewer
> should echo back that cookie in the Cookie header.
>
> michael lucas | Senior Software Developer | Great-West Life |
> mike.lu...@gwl.ca
>
> From: Jay Brown [mailto:jay.br...@us.ibm.com]
> Sent: August 28, 2014 1:22 PM
> Cc: dev@chemistry.apache.org
> Subject: Re: IBM FileNet P8 CMIS URL addressability + Daeja ViewOne Viewer
>
> We support SSO today. The SSO method that we support is the LTPA token in
> the http header which is handled automatically by the WebSphere container
> where our CMIS service is running.
> This is a standard way of handling this and it seems like the viewer
> should support this as well.
>
> Do we know for certain that the viewer can not support this?
>
> Bottom line as we ship today. For SSO to work the client needs to include
> that standard HTTP header (cookie) with the LTPA token. (or do basic HTTP
> auth, which again uses HTTP headers)
>
> Putting it in the url would be non-standard (at least not part of the CMIS
> spec) so I am reaching for a way to avoid this.
>
> Jay Brown
> Senior Engineer, ECM Development
> IBM Software Group
> jay.br...@us.ibm.com
> www.linkedin.com/in/parityerror/
>
> From: Tim Webster <tim.webs...@gmail.com>
> To: "dev@chemistry.apache.org" <dev@chemistry.apache.org>
> Date: 08/28/2014 09:36 AM
> Subject: Re: IBM FileNet P8 CMIS URL addressability + Daeja ViewOne Viewer
> ________________________________
>
> Hi,
>
> Do you mean 'Would you want the client to request the *URL* with an extra
> extension parameter...'?
>
> I'll be retrieving the URL with this (straight from your book):
>
>     if (session.getBinding().getObjectService() instanceof LinkAccess) {
>         return ((LinkAccess) session.getBinding().getObjectService())
>                 .loadContentLink(session.getRepositoryInfo().getId(), document.getId());
>     }
>
> If that URL had the token, great - if not and we had to do something extra
> (like add it ourselves somehow), still OK. The main thing is that the
> repository can actually use a URL with the token in it.
>
> Another thing occurred to me - would some kind of Single-sign on make all
> this 'just work' (including the viewer)? Apologies that I keep mentioning
> the viewer, but it's the main problem here!
>
> Thanks,
>
> Tim
>
> On Thu, Aug 28, 2014 at 5:10 PM, Jay Brown <jay.br...@us.ibm.com> wrote:
>
> > No we don't currently support this but I am just trying to think this
> > through from a security perspective if we wanted to add a feature.
> >
> > We can't include the user's security token in all of the returned stream
> > URLs by default. It would have to be requested.
> >
> > Would you want the client to request the document with an extra extension
> > parameter indicating that the stream url should be returned with the
> > current user's LTPA token embedded? (includeAuthToken=true)
> >
> > Jay Brown
> > Senior Engineer, ECM Development
> > IBM Software Group
> > jay.br...@us.ibm.com
> > www.linkedin.com/in/parityerror/
> >
> > From: Tim Webster <tim.webs...@gmail.com>
> > To: "dev@chemistry.apache.org" <dev@chemistry.apache.org>
> > Date: 08/28/2014 02:37 AM
> > Subject: Re: IBM FileNet P8 CMIS URL addressability + Daeja ViewOne Viewer
> > ------------------------------
> >
> > Jay,
> >
> > I've re-read your email, and I think I misunderstood what you were
> > saying...
> >
> > *"We currently only support LTPA tokens with the FileNet CMIS server. So
> > if your client adds a 'Cookie' header with a value of a valid LTPA token
> > (for the domain where the CMIS and CE server reside) your request will
> > succeed without a challenge for credentials."*
> >
> > This is fine if we were actually constructing the HTTP request ourselves,
> > but we're not - the Daeja ViewOne applet is doing it.
> >
> > *"...would you need us to support the passing of the token as a parameter
> > in the Content stream URL?"*
> >
> > This would in fact help - if the content stream URL contained the token, I
> > could just pass that URL to the applet and it can do the rest. As it is,
> > does P8 support any URL of this type to retrieve content?
> >
> > Thanks,
> >
> > Tim
> >
> > On Wed, Aug 27, 2014 at 6:26 PM, Jay Brown <jay.br...@us.ibm.com> wrote:
> >
> > > We currently only support LTPA tokens with the FileNet CMIS server. So
> > > if your client adds a 'Cookie' header with a value of a valid LTPA token
> > > (for the domain where the CMIS and CE server reside) your request will
> > > succeed without a challenge for credentials.
> > >
> > > Does this help you or would you need us to support the passing of the
> > > token as a parameter in the Content stream URL?
> > >
> > > Jay Brown
> > > ECM Development, IBM
> > >
> > > From: Tim Webster <tim.webs...@gmail.com>
> > > To: "dev@chemistry.apache.org" <dev@chemistry.apache.org>
> > > Date: 08/27/2014 03:36 AM
> > > Subject: IBM FileNet P8 CMIS URL addressability + Daeja ViewOne Viewer
> > > ------------------------------
> > >
> > > Hi,
> > >
> > > I'm looking to stream documents to the Daeja ViewOne Viewer applet using a
> > > single URL. I understand that a document can be retrieved from the
> > > repository using a URL like so:
> > >
> > > http://host:port/fncmis/resources/DEV/ContentStream/idd_9B7C7D0A-A236-489C-A512-AB32B2E676D7/0/document1.xlsx
> > >
> > > However the server prompts the user for basic HTTP authentication
> > > credentials. It looks like Alfresco has a way to deal with this:
> > >
> > > https://wiki.alfresco.com/wiki/URL_Addressability
> > >
> > > Is there anything similar we can do for FileNet?
> > >
> > > Sorry a bit off-topic, but if there are any IBM people out there, do you
> > > know if credentials can be supplied to the Daeja ViewOne applet? Maybe this
> > > would be a way to deal with it instead...
> > >
> > > Thanks,
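
Added example, not part of the original thread and not OpenCMIS, FileNet or ViewOne code: the two header-based options discussed above (a java.net.Authenticator for Basic auth, and the LTPA token sent in the Cookie header rather than in the URL), each restricted to the CMIS server. The host, port, user, password and token are placeholders, the cookie name LtpaToken2 is the usual WebSphere name and should be checked against the server, and it is an assumption that the viewer fetches content through java.net.URLConnection in the same JVM.

```java
import java.net.Authenticator;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.PasswordAuthentication;
import java.net.URI;

public class CmisViewerAuth {
    // Placeholders (assumptions): the real CMIS host and HTTPS port go here.
    static final String CMIS_HOST = "cmis.example.com";
    static final int CMIS_PORT = 9443;

    // Authenticator.setDefault() is JVM-wide, so answer challenges from the
    // CMIS server only; every other host or proxy gets no credentials.
    static Authenticator scopedAuthenticator(final String user, final char[] password) {
        return new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                boolean fromCmis = getRequestorType() == RequestorType.SERVER
                        && "https".equalsIgnoreCase(getRequestingProtocol())
                        && CMIS_HOST.equalsIgnoreCase(getRequestingHost())
                        && getRequestingPort() == CMIS_PORT;
                return fromCmis ? new PasswordAuthentication(user, password) : null;
            }
        };
    }

    // Header-based SSO: store the LTPA token as a cookie so URLConnection
    // sends it in the Cookie header instead of carrying it in the URL.
    static CookieManager ltpaCookieManager(String ltpaToken) {
        CookieManager manager = new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);
        HttpCookie cookie = new HttpCookie("LtpaToken2", ltpaToken); // assumed cookie name
        cookie.setVersion(0);    // plain "name=value" Cookie header
        cookie.setDomain(CMIS_HOST);
        cookie.setPath("/");
        cookie.setSecure(true);  // never sent over plain HTTP
        URI origin = URI.create("https://" + CMIS_HOST + ":" + CMIS_PORT + "/");
        manager.getCookieStore().add(origin, cookie);
        return manager;
    }

    public static void main(String[] args) {
        // Use one mechanism or the other before the viewer starts fetching.
        Authenticator.setDefault(scopedAuthenticator("cmisUser", "placeholder".toCharArray()));
        CookieHandler.setDefault(ltpaCookieManager("CONSTRUCTED-TOKEN"));
    }
}
```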