
Java API Access to CLM with JAS and Remote Authentication


Nick Chandler (6816) | asked Jan 17 '18, 11:49 a.m.

We use the Java API to create and link projects in several CLM applications (RQM, CCM, and RM). Today, our environment uses basic authentication in CLM, with a user registry file on the filesystem of the server that runs these applications. However, we wish to migrate this to JAS, tied into a remote OpenID provider.


In our test environment (with CLM version 6.0.5), we have JAS integrated with the remote service, and authentication is working as required in the UI. However, I am having trouble determining whether we will still be able to leverage the Java APIs in this new setup.

When my code calls ITeamRepository.login(), I get the following error:
Error: Replaying the original POST/PUT/DELETE request on a redirection sequence more than 10 times
I am curious if anyone has any experience with such a configuration and might be able to help me understand:

1) Is it possible to use the Java API with this type of authentication?
2) Would anyone be able to point me in the direction of documentation of any kind that would help me understand how to make this work?

Any help would be much appreciated!

Accepted answer


Ralph Schoon (63.1k33645) | answered Jan 25 '18, 3:03 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Jan 25 '18, 3:09 a.m.

I post this for Nick, who seems to be unable to get this through. I replaced the XML-style brackets by [] to avoid messing up the post:

With help from IBM, I was able to resolve the issue and wanted to document it here in case it helps someone else in the future.


To resolve the issue, I updated the JAS appConfig.xml file to direct only browsers to my upstream OpenID Connect Provider, using the User-Agent header on incoming requests. Because the Java SDK doesn't send a User-Agent header that matches popular browsers, we can bypass the upstream provider and use JAS's local authentication mechanism.

For reference, here is a snippet of my appConfig.xml configuration:

[openidConnectClient authFilterRef="oidcAuthFilter" [-- Some output omitted --] /]

[authFilter id="oidcAuthFilter"]
    [!-- Some output omitted --]
    [userAgent id="javaAgent" agent="Opera|Mozilla" matchType="contains" /]
[/authFilter]


Ralph Schoon selected this answer as the correct answer

Comments
Nick Chandler commented Jan 25 '18, 2:44 p.m.

Thanks for posting this for me, Ralph!


Ralph Schoon commented Jan 25 '18, 2:51 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Tried to award you some reputation, but could not, unfortunately.


Ralph Schoon commented Jan 25 '18, 2:53 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Well, maybe it worked!
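
The filter in the accepted answer chooses the login path from the User-Agent header alone, and that header is set by the client, so JAS's local registry stays reachable to every request that does not contain "Opera" or "Mozilla" and needs to be guarded accordingly. The sketch below is an added example, not code from the original post or from IBM; it models that routing decision so a configuration can be checked against sample headers. Assumptions: the config is rewritten in real XML syntax with the omitted parts left out, "|" separates alternative values, only `userAgent` conditions are modelled, and the sample headers and the `upstream` id are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed config in real XML syntax (the post shows it with [] brackets);
# the parts omitted in the post are simply left out here.
CONFIG = """
<server>
  <openidConnectClient id="upstream" authFilterRef="oidcAuthFilter"/>
  <authFilter id="oidcAuthFilter">
    <userAgent id="javaAgent" agent="Opera|Mozilla" matchType="contains"/>
  </authFilter>
</server>
"""

def user_agent_matches(cond, ua):
    # Assumption: "|" separates alternative values, as in the post's filter.
    values = cond.get("agent", "").split("|")
    match_type = cond.get("matchType", "contains")
    if match_type == "equals":
        return ua in values
    hit = any(v in ua for v in values)
    return hit if match_type == "contains" else not hit  # "notContain"

def route(config_xml, ua):
    """Return 'oidc' if the filter sends this request upstream, else 'local'."""
    root = ET.fromstring(config_xml)
    client = root.find("openidConnectClient")
    filt = root.find(f"authFilter[@id='{client.get('authFilterRef')}']")
    conds = filt.findall("userAgent")
    return "oidc" if all(user_agent_matches(c, ua or "") for c in conds) else "local"

def audit(config_xml, samples):
    """Map each sample User-Agent to the login path it would be given."""
    return {ua: route(config_xml, ua) for ua in samples}

# Constructed sample headers: two browsers, a non-browser client, no header.
SAMPLES = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/58.0",
    "Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16",
    "ExampleJavaClient/1.0",
    "",
]

if __name__ == "__main__":
    for ua, path in audit(CONFIG, SAMPLES).items():
        print(f"{path:5}  {ua or '(no User-Agent header)'}")
```

Every row reported as `local` is a request the local registry will answer, which is the set of accounts to keep minimal and monitor in the JAS logs.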

2 other answers



Ralph Schoon (63.1k33645) | answered Jan 22 '18, 5:49 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Nick, the RTC Eclipse client uses the same code to log into the server and that works. So you don't have to do anything special as far as I can tell. The only thing you might need is to provide a newer commons library. See https://rsjazz.wordpress.com/2016/09/21/cant-connect-to-rtc-running-with-jazz-authentication-server/ for some experience we had.

The error above might be related to some setup issue in JAS e.g. the redirect and other URI pattern entered in the configuration.


Comments
Nick Chandler commented Jan 22 '18, 12:04 p.m.

Hi, Ralph.


Thank you for the response! I had actually seen your blog post prior to posting my comment initially. I am on CLM 6.0.5, which comes with version 1.10.0 of the Apache commons codec. Per your article, this morning, I decided to try and update the codec anyway because 1.11.0 is available now. Unfortunately, I still get the same error referenced above.

I'll keep digging around and will provide an update if I'm able to figure out how to resolve my issue.

Thanks,
Nick


Ralph Schoon commented Jan 22 '18, 12:29 p.m. | edited Jan 22 '18, 12:31 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Can you login with an Eclipse client? I don't recognize your error message.


Nick Chandler commented Jan 24 '18, 3:25 p.m.

Hi, Ralph. For some reason, I didn't see your latest comment until just now. No, I could not login using the Eclipse client - it gave me the same error that I referenced above.


That said, I did resolve my issue. I tried posting the answer on this thread just a minute ago, but the forum thinks it's spam for some reason. I'll try again later. The gist is that I had to update my authFilter in JAS's appConfig.xml so that it would not redirect the thick client to the upstream provider and, instead, use JAS's local registry.


Ralph Schoon commented Jan 25 '18, 3:06 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

It might be the XML in your post. I got your answer, but the forum seems to suppress it. So I posted your answer myself. Thank you so much for your feedback.


Ulf Arne Bister commented Jan 25 '18, 5:54 a.m.

Awesome, thanks for sharing. This is a gold nugget of information.


Sriram B (5147) | answered Jun 22 '18, 11:04 p.m.

I'm trying to create a setup to reproduce this issue. Does this happen when the LDAP server runs on a different machine from JAS?
