
Java API Access to CLM with JAS and Remote Authentication

We use the Java API to create and link projects in several CLM applications (RQM, CCM, and RM). Today, our environment uses basic authentication in CLM, with a user registry file on the filesystem of the server that runs these applications. However, we wish to migrate this to JAS, tied into a remote OpenID provider.


In our test environment (with CLM version 6.0.5), we have JAS integrated with the remote service, and authentication is working as required in the UI. However, I am having trouble determining whether we will still be able to leverage the Java APIs in this new setup.

When my code calls ITeamRepository.login(), I get the following error:
Error: Replaying the original POST/PUT/DELETE request on a redirection sequence more than 10 times
I am curious if anyone has any experience with such a configuration and might be able to help me understand:

1) Is it possible to use the Java API with this type of authentication?
2) Would anyone be able to point me in the direction of documentation of any kind that would help me understand how to make this work?

Any help would be much appreciated!


2 votes


Accepted answer


I post this for Nick, who seems to be unable to get this through. I replaced the XML style brackets by [] to avoid messing up the post:

With help from IBM, I was able to resolve the issue and wanted to document it here in case it helps someone else in the future.


To resolve the issue, I updated the JAS appConfig.xml file to direct only browsers to my upstream OpenID Connect Provider, using the User-Agent header on incoming requests. Because the Java SDK doesn't send a User-Agent header that matches popular browsers, we can bypass the upstream provider and use JAS's local authentication mechanism.

For reference, here is a snippet of my appConfig.xml configuration:

[openidConnectClient authFilterRef="oidcAuthFilter" [-- Some output omitted --] /]

[authFilter id="oidcAuthFilter"]

[!-- Some output omitted --]

[userAgent id="javaAgent" agent="Opera|Mozilla" matchType="contains" /]

[/authFilter]


Ralph Schoon selected this answer as the correct answer

3 votes
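
The routing this filter produces, modelled as an added example (not part of the original answer and not Liberty's or JAS's own code): it classifies request User-Agent values into the upstream OpenID Connect path or JAS's local authentication path. Since the header is set by the client, the output shows which callers the local path has to authenticate on its own. Assumptions: the fragment is the answer's snippet rewritten with XML brackets, `|` separates alternative substrings, matching is case-sensitive, and the sample User-Agent strings are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the answer's filter rewritten with real XML brackets.
APP_CONFIG = """
<server>
  <authFilter id="oidcAuthFilter">
    <userAgent id="javaAgent" agent="Opera|Mozilla" matchType="contains" />
  </authFilter>
</server>
"""

# Constructed User-Agent samples; None stands for a request with no header.
SAMPLES = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/58.0",
    "Opera/9.80 (X11; Linux x86_64)",
    "ExampleJavaClient/1.0",  # hypothetical thick-client value
    None,
    "curl/7.58.0",
]


def load_agent_rules(xml_text, filter_id):
    """Return [(alternatives, matchType)] for the userAgent rules of one authFilter."""
    for flt in ET.fromstring(xml_text).iter("authFilter"):
        if flt.get("id") == filter_id:
            return [(ua.get("agent").split("|"), ua.get("matchType"))
                    for ua in flt.findall("userAgent")]
    raise KeyError(filter_id)


def uses_oidc(user_agent, rules):
    """True when every rule matches, i.e. the request goes to the upstream provider."""
    ua = user_agent or ""
    for alternatives, match_type in rules:
        hit = any(alt in ua for alt in alternatives)
        if match_type == "contains" and not hit:
            return False
        if match_type == "notContain" and hit:
            return False
        if match_type == "equals" and ua not in alternatives:
            return False
    return True


def local_auth_clients(samples, rules):
    """User-Agent values that skip the filter and reach JAS's local authentication."""
    return [ua for ua in samples if not uses_oidc(ua, rules)]


if __name__ == "__main__":
    rules = load_agent_rules(APP_CONFIG, "oidcAuthFilter")
    for ua in SAMPLES:
        print("OIDC " if uses_oidc(ua, rules) else "local", repr(ua))
```
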

Comments

 Thanks for posting this for me, Ralph!

1 vote

Tried to award you some reputation, but could not, unfortunately.

Well, maybe it worked!


2 other answers


Nick, the RTC Eclipse client uses the same code to log into the server and that works. So you don't have to do anything special as far as I can tell. The only thing you might need is to provide a newer commons library. See

https://rsjazz.wordpress.com/2016/09/21/cant-connect-to-rtc-running-with-jazz-authentication-server/ for some experience we had.

The error above might be related to some setup issue in JAS e.g. the redirect and other URI pattern entered in the configuration.

0 votes

Comments

Hi, Ralph.


Thank you for the response! I had actually seen your blog post prior to posting my comment initially. I am on CLM 6.0.5, which comes with version 1.10.0 of the Apache commons codec. Per your article, this morning, I decided to try and update the codec anyway because 1.11.0 is available now. Unfortunately, I still get the same error referenced above.

I'll keep digging around and will provide an update if I'm able to figure out how to resolve my issue.

Thanks,
Nick

Can you log in with an Eclipse client? I don't recognize your error message.

Hi, Ralph. For some reason, I didn't see your latest comment until just now. No, I could not log in using the Eclipse client - it gave me the same error that I referenced above.


That said, I did resolve my issue. I tried posting the answer on this thread just a minute ago, but the forum thinks it's spam for some reason. I'll try again later. The gist is that I had to update my authFilter in JAS's appConfig.xml so that it would not redirect the thick client to the upstream provider and, instead, use JAS's local registry.

It might be the XML in your post. I got your answer, but the forum seems to suppress it. So I posted your answer myself. Thank you so much for your feedback.

Awesome, thanks for sharing. This is a gold nugget of information.



 I'm trying to create a setup to reproduce this issue. Does this happen when the LDAP server runs on a different machine from JAS?

0 votes


Question asked: Jan 17 '18, 11:49 a.m.

Question was seen: 5,818 times

Last updated: Jun 22 '18, 11:04 p.m.
