When connecting to a CMIS system, you may need to use JWT tokens for authentication. You may also need to react to tokens that are sent by the CMIS system. This article describes the steps that you, as a technical engineer, need to take to make this possible.

Step-by-step guide

- cmis.objectTypeId: this value is used for CMIS operations when the objectType parameter is not specified in a Blueriq Studio CMIS service

- cmis.authProvider.class

  * when set, this provider is used instead of basic authentication (cmis.user, cmis.password)

  * a JSON Web Token authentication provider is included with the Java version of Blueriq. Read <link to Implementation guide> if you want to create your own authentication provider

JSON Web Token authentication provider

The JWT standard specifies a web-friendly token format, somewhat comparable to SAML assertions. The token usually contains claims about someone's identity and roles, the system that issued the token, the system that the token is intended for, and when the token expires. JWTs are often cryptographically signed and can be compressed and/or encrypted as well.

The Blueriq JWT authentication provider currently only supports 'SHA256withRSA' to cryptographically sign the JWTs. The RSA private key and X.509 certificate are loaded from a Java keystore. Generated JWTs expire one hour after they are generated. It is entirely up to the receiving system to validate the JWTs. Use the 'x5t#S256' or 'x5t' certificate thumbprint header to select the correct RSA public key for signature validation.

Key store example


<JAVA_HOME>\bin\keytool -list -keystore test_keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

blueriq_test_only_cert, 12-nov-2015, trustedCertEntry,
Certificate fingerprint (SHA1): EA:1A:31:BB:6C:A5:70:B0:A8:CB:BA:18:CA:AD:D4:6A:D1:0A:50:99
blueriq_test, 11-nov-2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 55:BD:8F:4A:97:B4:76:FB:02:D6:6B:50:AC:D7:94:13:86:FC:91:4B


JWT example


Header:
{
  "x5t": "Vb2PSpe0dvsC1mtQrNeUE4b8kUs",
  "alg": "RS256"
}

Payload:
{
  "iss": "Blueriq",
  "aud": "IBM Filenet",
  "sub": "CMIS",
  "idp": "active directory",
  "nbf": 1450537298,
  "exp": 1450540898,
  "iat": 1450537298,
  "identity": "ms.van.tilburg@company.com"
}
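As an added example (not Blueriq's or Apache Chemistry's code), this Python snippet shows the receiver-side step described above: it converts between the keytool fingerprints in the key store example and the 'x5t' header of the JWT example, selects the keystore alias whose certificate should validate the signature, and checks the nbf/exp window. The keystore table is constructed from this page's keytool output; since `keytool -list` prints only SHA-1 fingerprints here, an 'x5t#S256' lookup is wired in but has no SHA-256 entries to match.

```python
import base64
import binascii

# Constructed from the keytool listing on this page: alias -> fingerprints by hash name.
# Only SHA-1 is listed; an 'x5t#S256' header would need the SHA-256 fingerprint as well.
KEYSTORE = {
    "blueriq_test_only_cert": {"SHA1": "EA:1A:31:BB:6C:A5:70:B0:A8:CB:BA:18:CA:AD:D4:6A:D1:0A:50:99"},
    "blueriq_test": {"SHA1": "55:BD:8F:4A:97:B4:76:FB:02:D6:6B:50:AC:D7:94:13:86:FC:91:4B"},
}


def fingerprint_to_x5t(fingerprint: str) -> str:
    """keytool colon-hex fingerprint -> unpadded base64url thumbprint (the JWT 'x5t' value)."""
    raw = binascii.unhexlify(fingerprint.replace(":", ""))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_to_fingerprint(thumbprint: str) -> str:
    """Inverse: unpadded base64url thumbprint -> upper-case colon-hex as keytool prints it."""
    padded = thumbprint + "=" * (-len(thumbprint) % 4)
    return ":".join(f"{b:02X}" for b in base64.urlsafe_b64decode(padded))


def select_key_alias(header: dict, keystore: dict = KEYSTORE):
    """Return the keystore alias whose certificate thumbprint the JWT header names, else None.
    'x5t#S256' is preferred over 'x5t' when both are present."""
    if header.get("alg") != "RS256":
        return None  # the Blueriq provider only produces SHA256withRSA signatures
    for hdr_name, hash_name in (("x5t#S256", "SHA256"), ("x5t", "SHA1")):
        thumb = header.get(hdr_name)
        if thumb is None:
            continue
        wanted = x5t_to_fingerprint(thumb)
        for alias, fps in keystore.items():
            if fps.get(hash_name, "").upper() == wanted:
                return alias
    return None


def lifetime_seconds(payload: dict) -> int:
    """exp - iat; tokens generated by the Blueriq provider use one hour (3600 seconds)."""
    return payload["exp"] - payload["iat"]


def within_validity_window(payload: dict, now: int) -> bool:
    """Accept only while nbf <= now < exp (epoch seconds, as in the example payload)."""
    return payload["nbf"] <= now < payload["exp"]
```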


JWT properties

To use the JWT authentication provider set 'cmis.authProvider.class' to 'com.aquima.plugin.cmis.impl.jwt.JwtAuthenticationProvider'. The claims to put in the JWT should be configured in 'cmis.properties'. All property names that start with 'cmis.authProvider.jwt.claims.' are interpreted as claims with fixed values. For example 'cmis.authProvider.jwt.claims.idp=digid' will add a claim named 'idp' with the value 'digid'.

<properties are described in cmis.properties>

CMIS custom authentication provider implementation guide for Java

The Blueriq CMIS plugin leverages the Apache Chemistry mechanism for custom authentication providers. All authentication providers implement the interface 'org.apache.chemistry.opencmis.commons.spi.AuthenticationProvider'; you are advised to extend 'org.apache.chemistry.opencmis.client.bindings.spi.AbstractAuthenticationProvider'. Override the method 'public void setSession(BindingSession session)' to initialize your authentication provider. All properties that start with 'cmis.authProvider.' are available on the session. Override the method 'public Map<String, List<String>> getHTTPHeaders(String url)' to set custom HTTP headers that will be sent with every CMIS request. Because Blueriq only supports the 'atompub' binding, there is no point in overriding the method 'public Element getSOAPHeaders(Object portObject)'.
