How can I do the oAuth authentication from another webcontrol


Kangkan Goswami (1571521) | asked Jun 11 '12, 3:05 a.m.
retagged Jun 25 '12, 5:19 a.m. by Arne Bister (2.6k12432)
I am looking at connecting to Jazz RRC from another web application. My other application is in .NET and C#. I thought of using a web control to implement the UI for displaying requirements etc. from Jazz RRC. But first, I need to do the oAuth authentication to connect to RRC.

How to implement the oAuth authentication from a web control? Or is there some other nicer way to do it?

What I tried:

I used the REST Client on Google Chrome and tried to POST the form with username/password to the https://server:port/jts/j_security_check

The headers are:
Accept: application/rdf+xml
Oslc-core-version: 2.0
Content-Type: application/x-www-form-urlencoded

And the content is:
j_username=myUserName&j_password=mypwd

I also tried to set the content after encoding like: j_username%3DmyUserName%26j_password%3Dmypwd

But I am always getting HTTP/1.1 408 Request Timeout

Accepted answer


Sean G Wilbur (8722321) | answered Jun 12 '12, 9:43 a.m.
JAZZ DEVELOPER
The OSLC workshop is a great chance to see how this can be used, but as you have seen this is written in Java and the OSLC wiki examples are using curl, but you will notice that they all share the same algorithm.

1. Request a secured resource to set up session and cookies (for instance https://server:port/ccm/authenticated/identity).
2. For FORM auth, use the response from one to get the cookies, and post to j_security_check (aka https://server:port/ccm/authenticated/j_security_check).
3. Verify you have authenticated by ensuring the headers are not still requiring login (check response for x-com-ibm-team-repository-web-auth-msg).

Python version:
    import urllib.parse  # Python 3; the original Python 2 call was urllib.urlencode

    def __login__(self):
        # self.http is assumed to be an httplib2.Http-style client whose
        # request() returns (response_headers, content).
        # Grab secured resource to initiate login
        response, content = self.http.request(self.base_url + "/authenticated/identity", 'GET', headers=self.headers)

        if 'x-com-ibm-team-repository-web-auth-msg' in response:

            if response['x-com-ibm-team-repository-web-auth-msg'] != 'authrequired':
                raise Exception("Server error authenticating: " + str(response))

            # Post login information; Jazz uses j_security_check for FORM auth.
            response, content = self.http.request(self.base_url + '/authenticated/j_security_check', 'POST',
                                headers=self.headers, body=urllib.parse.urlencode({'j_username': self.user, 'j_password': self.password}))

            # Confirm that we are connected, and can grab the secure resource now
            response, content = self.http.request(self.base_url + "/authenticated/identity", 'GET', headers=self.headers)

            if 'x-com-ibm-team-repository-web-auth-msg' in response:
                raise Exception("Login was not successful, server response: " + str(response))


  -Sean

Kangkan Goswami selected this answer as the correct answer

Comments
Kangkan Goswami commented Jun 13 '12, 2:59 a.m.

@SeanWilbur: Great buddy. This works for me. But, once authenticated, further request to any other secured resource is failing - either a 401 Unauthorised, or request timed out. I wanted to capture the token and token secret when I authenticate. How can I do that?


Donald Mason commented Feb 04 '13, 2:04 p.m.

I am having this same issue. I do a get and get challenged, I send the POST and it shows that I have credentials, but on my next get, I again have no authorization. In another post someone mentioned it may be because the RTC server that I am using is running Tomcat instead of WebSphere.

Has this been answered or solved?
Don
 

5 other answers



Arne Bister (2.6k12432) | answered Jun 11 '12, 4:42 a.m.
JAZZ DEVELOPER
In the OSLC Workshop for Jazz there are freely downloadable lab exercises. Does Lab 6.3 - Jazz form based authentication - answer your question?

- Arne


Comments
Kangkan Goswami commented Jun 11 '12, 4:51 a.m.

My client is in .NET. I am not sure, if that will work. I shall try out.


Kangkan Goswami commented Jun 12 '12, 1:18 a.m.

@ArneBister: I tried the form based authentication. But seems, I am missing something. I have updated my post with what I have tried. Can you please look at that and help me?


Arne Bister (2.6k12432) | answered Jun 12 '12, 3:20 a.m.
JAZZ DEVELOPER
edited Jun 12 '12, 4:11 a.m.
Hi,

apparently somebody else had the same problem, eventually solved it and posted it to this website including code snippet for .NET oAuth login vs. RRC.

- Arne

P.S.: keep in mind these changes for oAuth starting with RTC 3.0.1
P.P.S.: in case you use non-secure http or JTS and RRC are on different servers, be sure to also scan this technote.

Comments
Kangkan Goswami commented Jun 12 '12, 3:43 a.m.

@ArneBister: Thanks for digging into it. The post that you are referring to with the .NET code snippet is written by me. That I did from a Windows app and it uses a browser window to log in. The same technique cannot be used when calling from a web application. So, I wanted to try something different and the form-based authentication is good, I felt. However, I have not been able to get a positive result so far.


Arne Bister (2.6k12432) | answered Jun 12 '12, 4:14 a.m.
JAZZ DEVELOPER
@KangkanGoswami: Ok, this makes it doubly ironic so I edited my comment. I will try and get you in touch with the right info. Unfortunately, I do not have the cycles to dig in deep myself right now - I thought I would get by with copy&paste so it serves me right that I ended up feeding an author with his own link.

The solution is out there. We will find it.

- Arne

Comments
Kangkan Goswami commented Jun 12 '12, 4:16 a.m.

@ArneBister: I am sure, there is some roadblock and I am not able to see the road properly. With light from all of you, we shall reach where we intend to go.


Krishna Kishore commented Jun 19 '12, 2:27 a.m.
JAZZ DEVELOPER

@KangkanGoswami The article http://phkrief.wordpress.com/2010/09/15/jazz-form-based-authentication/ describes the process for Jazz Form-based Authentication. The steps are the same for .NET. Once you get the OAuth URL, open it in a WebBrowser control, and once the user logs in, trap the Document Closing event and get the Cookie. This Cookie can be used to access the actual resource URL. We are in the process of creating a sample .NET application and will update you once it's ready.


Donald Mason (5144) | answered Feb 04 '13, 1:59 p.m.
I am trying to get this to work, but I am having the same problem described by @KangkanGoswami in the last solution comment above:

@SeanWilbur: Great buddy. This works for me. But, once authenticated, further request to any other secured resource is failing - either a 401 Unauthorised, or request timed out. I wanted to capture the token and token secret when I authenticate. How can I do that?

Has this been worked out and if so, how?

Thanks, Don

Comments
Izumi Satoh commented Mar 09 '13, 2:31 p.m. | edited Mar 09 '13, 2:33 p.m.

I'm facing the same problem using RDM4.0.1 on Tomcat.

Have you solved this problem? I really want to know how to do it.

I tried the same procedure using RESTClient in Firefox, and it successfully accessed a secured resource after authentication.
I checked the differences in response headers between them and found that after the following execution the status code in my program showed 200, but only one cookie was returned; on the other hand, the number of cookies in RESTClient was 4.

> 2. For FORM auth, use the response from one to get the cookies, and post to j_security_check (aka https://server:port/ccm/authenticated/j_security_check )

Any help would be very appreciated.


Izumi Satoh (2621) | answered Mar 09 '13, 8:36 p.m.
Finally, I could solve this problem.
In my case, it was caused by a bug in the HttpClient 4.2.3 library.
When the "Cookie:" request header was created, it inserted excess "\" characters and the cookie header became incorrect.
I could solve this by adding a new request interceptor to HttpClient so that I could replace the wrong cookie header.
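
An added example, not code from any poster in this thread: a small check that compares the cookies a server issued after the j_security_check POST with the Cookie header the client is about to send, covering both symptoms reported above (fewer cookies than RESTClient sent, and stray "\" characters in the header). All cookie names and values are constructed, and Path/Domain scoping is ignored.

```python
# Added example: audit the outgoing Cookie header against the Set-Cookie
# headers the server issued. All cookie names and values are constructed.

def parse_set_cookie(lines):
    """Map cookie name -> raw value from Set-Cookie header values (attributes dropped)."""
    issued = {}
    for line in lines:
        name, _, value = line.split(";", 1)[0].partition("=")
        issued[name.strip()] = value.strip()
    return issued

def parse_cookie_header(header):
    """Map cookie name -> raw value from a request Cookie header."""
    sent = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        if sep:
            sent[name.strip()] = value.strip()
    return sent

def audit_cookie_header(set_cookie_lines, cookie_header):
    """Return (name, problem) for every issued cookie that is absent or changed."""
    sent = parse_cookie_header(cookie_header)
    findings = []
    for name, value in parse_set_cookie(set_cookie_lines).items():
        if name not in sent:
            findings.append((name, "missing"))
        elif sent[name] != value:
            extra_backslash = sent[name].count("\\") > value.count("\\")
            findings.append((name, "backslash-corrupted" if extra_backslash else "altered"))
    return findings

# Constructed sample: four cookies issued after the j_security_check POST.
ISSUED = [
    'JSESSIONID=0000constructed; Path=/ccm; Secure; HttpOnly',
    'EXAMPLE_SSO="constructed/value=="; Path=/; Secure',
    'EXAMPLE_A=1; Path=/ccm',
    'EXAMPLE_B=2; Path=/ccm',
]
# Constructed faulty header: two cookies dropped, one with inserted backslashes.
BAD_HEADER = 'JSESSIONID=0000constructed; EXAMPLE_SSO="\\"constructed/value==\\""'
GOOD_HEADER = 'JSESSIONID=0000constructed; EXAMPLE_SSO="constructed/value=="; EXAMPLE_A=1; EXAMPLE_B=2'

if __name__ == "__main__":
    # Report names and problems only, so session values stay out of logs.
    for name, problem in audit_cookie_header(ISSUED, BAD_HEADER):
        print(f"{name}: {problem}")
```

The check reports cookie names only, so it can run against real traffic captures without writing session values into logs.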
