How to do programmatic authentication for an SSO-enabled Jazz Team Server to access protected resources via REST or an HTTP client?
Questions:
1) We are not seeing the header X-JSA-AUTHORIZATION-REDIRECT in the initial response (see response below). Does this mean the server which we are accessing is not SSO-enabled?
2) Since we are getting 'X-com-ibm-team-repository-web-auth-msg:authrequired' in the header after supplying the encrypted token in the header (see code below), do we need to proceed with Form Based authentication again?
3) If our approach is incorrect, can we have any references explaining how to connect to an SSO-enabled Jazz server using Kerberos/SPNEGO tokens?
Problem Description:
Jazz Product Version : 6.0.5 iFix004
We are trying to access Jazz servers which support OIDC (SSO enabled).
We don't want to supply a username/password (FORM based) from the code to access the server, but want to access it via Kerberos/SPNEGO tokens.
We have tried the approach below but failed to achieve the required solution.
Sample Code:
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.HttpClientUtils;
import org.apache.http.util.EntityUtils;

private void testSSOEnabledServer(final String url) throws IOException, InvalidCredentialsException {
    HttpClient httpclient = JazzHttpUtils.createCloseableHttpClient();
    try {
        // Base64 of "userId:password", sent below under the Negotiate scheme
        String encodedAuthorization = Base64.getEncoder()
                .encodeToString((getUserId() + ":" + String.valueOf(getUserPassword())).getBytes(StandardCharsets.UTF_8));
        HttpGet request = new HttpGet(url + "/reports");
        // initial hit
        HttpResponse response = httpclient.execute(request);
        // if response is 401
        if ((response.getStatusLine().getStatusCode() == 401)) {
            // print headers
            for (Header header : response.getAllHeaders()) {
                System.out.println(header.getName() + ":" + header.getValue());
            }
            HttpEntity entity = response.getEntity();
            System.out.println("STATUS >> " + response.getStatusLine());
            if (entity != null) {
                System.out.println("RESULT >> " + EntityUtils.toString(entity));
            }
            EntityUtils.consume(response.getEntity());
            // if it contains header WWW-Authenticate: Negotiate
            Header authHeaderName = response.getFirstHeader("WWW-Authenticate");
            if ((null != authHeaderName) && authHeaderName.getValue().equals("Negotiate")) {
                // add details
                request.addHeader("Authorization", "Negotiate " + encodedAuthorization);
            }
            // hit again with added headers
            response = httpclient.execute(request);
        }
        for (Header header : response.getAllHeaders()) {
            System.out.println(header.getName() + ":" + header.getValue());
        }
        HttpEntity entity = response.getEntity();
        System.out.println("STATUS >> " + response.getStatusLine());
        if (entity != null) {
            System.out.println("RESULT >> " + EntityUtils.toString(entity));
        }
        EntityUtils.consume(response.getEntity());
    } finally {
        // release the client's connections
        HttpClientUtils.closeQuietly(httpclient);
    }
}
Output Received:
(During initial execution)
Headers:
Date:Thu, 06 Sep 2018 11:12:39 GMT
X-Powered-By:Servlet/3.0
WWW-Authenticate:Negotiate
Content-Length:149
Keep-Alive:timeout=10, max=98
Connection:Keep-Alive
Content-Type:text/html; charset=UTF-8
Content-Language:en-US
Body:
STATUS >> HTTP/1.1 401 Unauthorized
RESULT >> <html><head><title>SPNEGO authentication is not supported.</title></head><body>SPNEGO authentication is not supported on this client.</body></html>
------------------------------------------------------------------------------------------------------------------------------------------------------------
(After adding encrypted tokens to headers)
Headers:
Date:Thu, 06 Sep 2018 11:12:39 GMT
X-Powered-By:Servlet/3.0
X-com-ibm-team-repository-web-auth-msg:authrequired
Set-Cookie:JazzFormAuth=Form; Path=/jts; Secure
Expires:Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control:no-cache="set-cookie, set-cookie2"
Keep-Alive:timeout=10, max=94
Connection:Keep-Alive
Transfer-Encoding:chunked
Content-Type:text/html; charset=UTF-8
Content-Language:en-US
Body:
STATUS >> HTTP/1.1 200 OK
RESULT >> <!DOCTYPE html>
<!--
Licensed Materials - Property of IBM
(c) Copyright IBM Corporation 2005, 2015. All Rights Reserved.
Note to U.S. Government Users Restricted Rights:
Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
-->
<html >
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=10">
<title></title>
....
.....
<script type="text/javascript">
/* <![CDATA[ */
dojo.addOnLoad( function() {
net.jazz.ajax.ui.PlatformUI.createAndRunWorkbench("net.jazz.web.app.authrequired");
});
/* ]]> */
</script>
</body>
</html
<-END->
One answer
Praveen,
documentation for this can be found at https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication#Kerberos_and_SPNeGO
If this is helpful please mark the answer as accepted.
- Arne
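Added example, not part of the original posts or of IBM's documentation: in HTTP Negotiate (RFC 4559) the value after `Negotiate ` is a Base64-encoded GSS-API/SPNEGO token, not Base64 of `userId:password` as in Basic authentication. The sketch below checks a header value for the SPNEGO framing and, optionally, builds a real first token with the JDK's JGSS API. The class name, the `alice:secret` sample and the host argument are assumptions; the optional path also assumes a valid Kerberos ticket and a reachable KDC.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NegotiateTokenCheck { // hypothetical class name
    // DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2 (tag 0x06, length 6)
    private static final byte[] SPNEGO_OID_DER = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};

    /** True if the Base64 value after "Negotiate " is framed as an initial SPNEGO token. */
    static boolean isInitialSpnegoToken(String base64Token) {
        byte[] t;
        try { t = Base64.getDecoder().decode(base64Token); } catch (IllegalArgumentException e) { return false; }
        // GSS-API initial token: [APPLICATION 0] tag (0x60), DER length, then the mechanism OID
        if (t.length < 2 || (t[0] & 0xff) != 0x60) return false;
        int oidStart = 2 + ((t[1] & 0x80) != 0 ? (t[1] & 0x7f) : 0); // skip long-form length bytes
        if (t.length < oidStart + SPNEGO_OID_DER.length) return false;
        return Arrays.equals(Arrays.copyOfRange(t, oidStart, oidStart + SPNEGO_OID_DER.length), SPNEGO_OID_DER);
    }

    /** First SPNEGO token for HTTP/host, taken from the caller's Kerberos credentials. */
    // Outside a JAAS login, run with -Djavax.security.auth.useSubjectCredsOnly=false
    static String spnegoTokenFor(String host) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName service = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(service, new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME);
        try {
            return Base64.getEncoder().encodeToString(ctx.initSecContext(new byte[0], 0, 0));
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample: the kind of value the question's code sends (placeholder credentials)
        String basicStyle = Base64.getEncoder().encodeToString("alice:secret".getBytes(StandardCharsets.UTF_8));
        System.out.println("Base64(user:password) is SPNEGO? " + isInitialSpnegoToken(basicStyle));
        if (args.length == 1) { // optional: server host name, with a Kerberos ticket available
            System.out.println("JGSS token is SPNEGO? " + isInitialSpnegoToken(spnegoTokenFor(args[0])));
        }
    }
}
```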