It's all about the answers!

Ask a question

how to do programmatic authentication for SSO enabled Jazz Team Server for accessing protected resources via REST or http client?


Praveen Kalawad (133) | asked Sep 06 '18, 8:10 a.m.
edited Sep 06 '18, 8:17 a.m.

Questions:
1) We are not seeing the header X-JSA-AUTHORIZATION-REDIRECT in the initial response (see response below).  Does this mean the server which we are accessing is not SSO-enabled? 
2) Since we are getting 'X-com-ibm-team-repository-web-auth-msg:authrequired' in the header after supplying encrypted token in the header (see code below).   Do we need to proceed with Form Based authentication again?
3) If our approach is incorrect, can we have any references explaining how to connect to SSO enabled Jazz server using KERBEROS/SPNego tokens ?
                
Problem Description:
Jazz Product Version : 6.0.5 iFix004

Trying to access Jazz servers which supports OIDC (SSO Enabled). 
We don’t want to supply username/password(FORM based) from the code to access the server. But want to access via KERBEROS/SPNego tokens

We have tried the below mentioned approaches but failed to achieve the required solutions.


Sample Code:

private void testSSOEnabledServer(final String url) throws IOException, InvalidCredentialsException {
  HttpClient httpclient = JazzHttpUtils.createCloseableHttpClient();

    try {
      String encodedAuthorization = Base64.getEncoder()
          .encodeToString((getUserId() + ":" + String.valueOf(getUserPassword())).getBytes(StandardCharsets.UTF_8));
      HttpGet request = new HttpGet(url + "/reports");

      // initial hit
      HttpResponse response = httpclient.execute(request);

      // if resposne is 401
      if ((response.getStatusLine().getStatusCode() == 401)) {

        // print headers
        for (Header header : response.getAllHeaders()) {
          System.out.println(header.getName() + ":" + header.getValue());
        }
        HttpEntity entity = response.getEntity();
        System.out.println("STATUS >> " + response.getStatusLine());
        if (entity != null) {
          System.out.println("RESULT >> " + EntityUtils.toString(entity));
        }
        EntityUtils.consume(response.getEntity());

        // if it contains header WWW-Authenticate: Negotiate
        Header authHeaderName = response.getFirstHeader("WWW-Authenticate");
        if ((null != authHeaderName) && authHeaderName.getValue().equals("Negotiate")) {
          // add details
          request.addHeader("Authorization", "Negotiate " + encodedAuthorization);
        }
        // hit again with added headers
        response = httpclient.execute(request);
      }

      for (Header header : response.getAllHeaders()) {
        System.out.println(header.getName() + ":" + header.getValue());
      }
      HttpEntity entity = response.getEntity();

      System.out.println("STATUS >> " + response.getStatusLine());

      if (entity != null) {
        System.out.println("RESULT >> " + EntityUtils.toString(entity));
      }
EntityUtils.consume(response.getEntity());



Output Received:


(During initial execution)
Headers:
Date:Thu, 06 Sep 2018 11:12:39 GMT
X-Powered-By:Servlet/3.0
WWW-Authenticate:Negotiate
Content-Length:149
Keep-Alive:timeout=10, max=98
Connection:Keep-Alive
Content-Type:text/html; charset=UTF-8
Content-Language:en-US

Body:
STATUS >> HTTP/1.1 401 Unauthorized
RESULT >> <html><head><title>SPNEGO authentication is not supported.</title></head><body>SPNEGO authentication is not supported on this client.</body></html>
------------------------------------------------------------------------------------------------------------------------------------------------------------

(After adding encrypted tokens to headers)

Headers:
Date:Thu, 06 Sep 2018 11:12:39 GMT
X-Powered-By:Servlet/3.0
X-com-ibm-team-repository-web-auth-msg:authrequired
Set-Cookie:JazzFormAuth=Form; Path=/jts; Secure
Expires:Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control:no-cache="set-cookie, set-cookie2"
Keep-Alive:timeout=10, max=94
Connection:Keep-Alive
Transfer-Encoding:chunked
Content-Type:text/html; charset=UTF-8
Content-Language:en-US


Body:
STATUS >> HTTP/1.1 200 OK
RESULT >> <!DOCTYPE html>
<!--
  Licensed Materials - Property of IBM
  (c) Copyright IBM Corporation 2005, 2015. All Rights Reserved.
  
  Note to U.S. Government Users Restricted Rights:
  Use, duplication or disclosure restricted by GSA ADP Schedule
  Contract with IBM Corp.
-->

<html >
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=10">
<title></title>

....
.....

<script type="text/javascript">
                /* <![CDATA[ */
                                dojo.addOnLoad( function() {
                                                net.jazz.ajax.ui.PlatformUI.createAndRunWorkbench("net.jazz.web.app.authrequired");
                                });
                /* ]]> */
                </script>
</body>
</html


<-END->

One answer



permanent link
Ulf Arne Bister (1.3k413) | answered Sep 07 '18, 4:21 p.m.

 Praveen,


If this is helpful please mark the answer as accepted.

 - Arne

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.