When connecting to a Document Management System via the CMIS standard, you may need to use JWT (JSON Web Token) tokens for authentication purposes. You may also need to react to tokens that are sent by the CMIS system. This article describes the steps that you need to take as a technical engineer to make this possible.

Step-by-step guide

...

needed to configure the CMIS plugin to use JWT authentication. The Blueriq CMIS plugin makes it possible to configure a custom authentication provider through the property 'cmis.authProvider.class' in 'cmis.properties'; a custom authentication provider for JWT is included in the CMIS plugin. Please note that when the property 'cmis.authProvider.class' is set, basic authentication (cmis.user, cmis.password) is no longer applied.

JSON Web Token custom authentication provider

The JWT standard specifies a web-friendly token format, somewhat comparable to SAML assertions. The token usually contains claims about someone's identity and roles, the system that issued the token, the system that the token is intended for and when the token expires. JWTs are often cryptographically signed and can be compressed and/or encrypted as well.

The Blueriq JWT authentication provider currently only supports 'SHA256withRSA' ('RS256' in JWT 'alg' terms) to cryptographically sign the JWTs. The RSA private key and X.509 certificate are loaded from a Java keystore. Generated JWTs expire one hour after they are generated. It is entirely up to the receiving system to validate the JWTs. Use the 'x5t#S256' (SHA-256) or 'x5t' (SHA-1) certificate thumbprint header to select the correct RSA public key for signature validation. The thumbprint is the base64url encoding of the hash over the DER-encoded certificate, i.e. the same digest that keytool prints as a hex fingerprint; in the examples below, the 'x5t' value is the base64url form of the SHA1 fingerprint of the 'blueriq_test' entry.

Key store example

Code Block
<JAVA_HOME>\bin\keytool -list -keystore test_keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

blueriq_test_only_cert, 12-nov-2015, trustedCertEntry,
Certificate fingerprint (SHA1): EA:1A:31:BB:6C:A5:70:B0:A8:CB:BA:18:CA:AD:D4:6A:D1:0A:50:99
blueriq_test, 11-nov-2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 55:BD:8F:4A:97:B4:76:FB:02:D6:6B:50:AC:D7:94:13:86:FC:91:4B

JWT example

Code Block
Header:
{
  "x5t": "Vb2PSpe0dvsC1mtQrNeUE4b8kUs",
  "alg": "RS256"
}

Payload:
{
  "iss": "Blueriq",
  "aud": "IBM Filenet",
  "sub": "CMIS",
  "idp": "active directory",
  "nbf": 1450537298,
  "exp": 1450540898,
  "iat": 1450537298,
  "identity": "ms.van.tilburg@company.com"
}
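The receiving system's side of this, as an added example that is not part of the Blueriq plugin or of any DMS product: a hypothetical Java 'JwtValidator' that selects the RSA public key by the 'x5t#S256' or 'x5t' header from a truststore such as the one above, pins the algorithm to RS256 (rather than trusting whatever 'alg' the token carries), verifies the SHA256withRSA signature over the first two segments, and only then checks 'iss', 'aud', 'nbf' and 'exp' with a small clock-skew leeway. The flat-JSON claim extraction and the string-only 'aud' handling are simplifications that fit the token shape shown above; they are not a general JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Receiving-side validation of a Blueriq-style JWT (example code, not part of the Blueriq plugin). */
public class JwtValidator {

    private final Map<String, X509Certificate> certsBySha1 = new HashMap<>();
    private final Map<String, X509Certificate> certsBySha256 = new HashMap<>();
    private final String expectedIssuer;
    private final String expectedAudience;
    private final long leewaySeconds;

    /** Index every certificate in the truststore by both thumbprint forms (x5t and x5t#S256). */
    public JwtValidator(KeyStore trustStore, String expectedIssuer, String expectedAudience, long leewaySeconds) throws Exception {
        this.expectedIssuer = expectedIssuer;
        this.expectedAudience = expectedAudience;
        this.leewaySeconds = leewaySeconds;
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate cert = (X509Certificate) trustStore.getCertificate(aliases.nextElement());
            if (cert == null) continue;
            certsBySha1.put(thumbprint(cert, "SHA-1"), cert);
            certsBySha256.put(thumbprint(cert, "SHA-256"), cert);
        }
    }

    /** RFC 7515 thumbprint: base64url(hash(DER certificate)) without padding. */
    static String thumbprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    /** Returns the verified payload JSON, or throws SecurityException on any failed check. */
    public String validate(String jwt, long nowSeconds) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new SecurityException("expected a compact JWS with three segments");
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);

        // Pin the algorithm: the token's own 'alg' must never select the verification routine.
        if (!"RS256".equals(claim(header, "alg"))) throw new SecurityException("unexpected alg");

        // Select the public key by certificate thumbprint; prefer the SHA-256 form when present.
        X509Certificate cert = null;
        String s256 = claim(header, "x5t#S256");
        if (s256 != null) {
            cert = certsBySha256.get(s256);
        } else {
            String s1 = claim(header, "x5t");
            if (s1 != null) cert = certsBySha1.get(s1);
        }
        if (cert == null) throw new SecurityException("no trusted certificate for thumbprint");
        cert.checkValidity();

        // SHA256withRSA over the ASCII signing input "header.payload".
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(Base64.getUrlDecoder().decode(parts[2]))) throw new SecurityException("bad signature");

        // Only after the signature holds do the claims mean anything.
        if (!expectedIssuer.equals(claim(payload, "iss"))) throw new SecurityException("unexpected iss");
        if (!expectedAudience.equals(claim(payload, "aud"))) throw new SecurityException("unexpected aud");
        long exp = Long.parseLong(require(payload, "exp"));
        long nbf = Long.parseLong(require(payload, "nbf"));
        if (nowSeconds > exp + leewaySeconds) throw new SecurityException("token expired");
        if (nowSeconds + leewaySeconds < nbf) throw new SecurityException("token not yet valid");
        return payload;
    }

    private static String require(String json, String name) {
        String v = claim(json, name);
        if (v == null) throw new SecurityException("missing claim " + name);
        return v;
    }

    /** Minimal extraction of a top-level string or integer claim from flat JSON (enough for the token above). */
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(-?\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java JwtValidator <truststore.jks> <password> <jwt>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (java.io.FileInputStream in = new java.io.FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String payload = new JwtValidator(ks, "Blueriq", "IBM Filenet", 60)
                .validate(args[2], java.time.Instant.now().getEpochSecond());
        System.out.println("verified payload: " + payload);
    }
}
```

With the 'test_keystore.jks' above as truststore, a token carrying the 'x5t' from the JWT example resolves to the 'blueriq_test' certificate. The issuer and audience passed to the constructor must be fixed by the receiving system's configuration, not read from the token; a token whose thumbprint is unknown, whose 'alg' is anything but RS256, or whose signature does not verify is rejected before any claim is looked at.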

JWT properties

To use the JWT authentication provider set 'cmis.authProvider.class' to 'com.aquima.plugin.cmis.impl.jwt.JwtAuthenticationProvider'. The claims to put in the JWT should be configured in 'cmis.properties'. All property names that start with 'cmis.authProvider.jwt.claims.' are interpreted as claims with fixed values. For example 'cmis.authProvider.jwt.claims.idp=digid' will add a claim named 'idp' with the value 'digid'.

<properties are described in cmis.properties>

CMIS custom authentication provider implementation guide for Java

The Blueriq CMIS plugin leverages the Apache Chemistry mechanism for custom authentication providers. All authentication providers implement the interface 'org.apache.chemistry.opencmis.commons.spi.AuthenticationProvider'; you are advised to extend 'org.apache.chemistry.opencmis.client.bindings.spi.AbstractAuthenticationProvider'. Override the method 'public void setSession(BindingSession session)' to initialize your authentication provider. All properties that start with 'cmis.authProvider.' are available on the session. Override the method 'public Map<String, List<String>> getHTTPHeaders(String url)' to set custom HTTP headers that will be used for every CMIS request. Because Blueriq only supports the 'atompub' protocol there is no point in overriding the method 'public Element getSOAPHeaders(Object portObject)'. All properties for JWT have a descriptive comment in the 'cmis.properties' file that is shipped with Blueriq.
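The following is an added example of such a provider, written for this article and not Blueriq's own 'JwtAuthenticationProvider'. It ties together the three things described above: the 'setSession' / 'getHTTPHeaders' hooks of the Apache Chemistry client binding, the 'cmis.authProvider.jwt.claims.<name>' convention for fixed claims, and the signing scheme (SHA256withRSA with the key and certificate taken from a Java keystore, 'x5t' and 'x5t#S256' thumbprint headers, one-hour lifetime). The keystore property names 'cmis.authProvider.jwt.keystore', 'keystorePassword', 'alias' and 'keyPassword', and the choice of an 'Authorization: Bearer' header, are assumptions of this example; the real property names are documented in the shipped 'cmis.properties'.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.apache.chemistry.opencmis.client.bindings.spi.AbstractAuthenticationProvider;
import org.apache.chemistry.opencmis.client.bindings.spi.BindingSession;

/**
 * Example JWT authentication provider for the Apache Chemistry AtomPub binding.
 * Illustrative code, not Blueriq's JwtAuthenticationProvider; the keystore property
 * names under cmis.authProvider.jwt.* and the Authorization header are assumptions.
 */
public class ExampleJwtAuthenticationProvider extends AbstractAuthenticationProvider {

    private static final long serialVersionUID = 1L;
    private static final String PREFIX = "cmis.authProvider.jwt.";
    private static final String CLAIMS_PREFIX = PREFIX + "claims.";
    private static final long LIFETIME_SECONDS = 3600;   // tokens expire one hour after generation

    private PrivateKey privateKey;
    private String x5t;       // SHA-1 thumbprint of the signing certificate, base64url
    private String x5tS256;   // SHA-256 thumbprint of the signing certificate, base64url
    private final Map<String, String> fixedClaims = new TreeMap<>();

    /** Initialisation hook: every 'cmis.authProvider.*' property is readable from the session. */
    @Override
    public void setSession(BindingSession session) {
        super.setSession(session);
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream((String) session.get(PREFIX + "keystore"))) {
                ks.load(in, ((String) session.get(PREFIX + "keystorePassword")).toCharArray());
            }
            String alias = (String) session.get(PREFIX + "alias");
            privateKey = (PrivateKey) ks.getKey(alias, ((String) session.get(PREFIX + "keyPassword")).toCharArray());
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            x5t = thumbprint(cert, "SHA-1");
            x5tS256 = thumbprint(cert, "SHA-256");
            // 'cmis.authProvider.jwt.claims.<name>=<value>' becomes a fixed claim <name>.
            for (String key : session.getKeys()) {
                if (key.startsWith(CLAIMS_PREFIX)) {
                    fixedClaims.put(key.substring(CLAIMS_PREFIX.length()), String.valueOf(session.get(key)));
                }
            }
        } catch (Exception e) {
            throw new IllegalStateException("JWT authentication provider could not be initialised", e);
        }
    }

    /** Called for every CMIS request; a fresh token keeps 'iat', 'nbf' and 'exp' current. */
    @Override
    public Map<String, List<String>> getHTTPHeaders(String url) {
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("Authorization", Collections.singletonList("Bearer " + createJwt(System.currentTimeMillis() / 1000)));
        return headers;
    }

    /** Builds and signs a compact JWS: base64url(header).base64url(payload).base64url(signature). */
    String createJwt(long nowSeconds) {
        String header = "{\"alg\":\"RS256\",\"x5t\":" + json(x5t) + ",\"x5t#S256\":" + json(x5tS256) + "}";
        StringBuilder payload = new StringBuilder("{");
        for (Map.Entry<String, String> claim : fixedClaims.entrySet()) {
            payload.append(json(claim.getKey())).append(':').append(json(claim.getValue())).append(',');
        }
        payload.append("\"nbf\":").append(nowSeconds)
               .append(",\"iat\":").append(nowSeconds)
               .append(",\"exp\":").append(nowSeconds + LIFETIME_SECONDS)
               .append('}');
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(payload.toString().getBytes(StandardCharsets.UTF_8));
        try {
            Signature sig = Signature.getInstance("SHA256withRSA");   // JWA 'RS256'
            sig.initSign(privateKey);
            sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
            return signingInput + "." + b64url(sig.sign());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("could not sign JWT", e);
        }
    }

    /** RFC 7515 certificate thumbprint: base64url of the hash over the DER-encoded certificate. */
    static String thumbprint(X509Certificate cert, String algorithm) throws GeneralSecurityException {
        return b64url(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }

    static String b64url(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Minimal JSON string literal; escapes backslash and quote so a claim value cannot break the payload. */
    static String json(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }
}
```

To wire it in, set 'cmis.authProvider.class' to the fully qualified name of this class and add the fixed claims as properties, e.g. 'cmis.authProvider.jwt.claims.iss=Blueriq', 'cmis.authProvider.jwt.claims.aud=IBM Filenet' and 'cmis.authProvider.jwt.claims.idp=digid'. Timestamps are generated per request rather than at initialisation, which is what keeps the one-hour 'exp' meaningful on a long-lived session; the receiving system still has to enforce it.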
