[Freeipa-devel] json/rpc from apache/java HttpClient

Timothy Worman lists at thetimmy.com
Mon Jun 8 23:45:33 UTC 2015


I have developed a Java client that is able to successfully commit transactions to FreeIPA using the json/rpc API. If it is useful, I could abstract all this and package it up to share. But I am seeing some interesting things - some of it may be my lack of experience using HttpClient but I wanted to run it by the list to see what should be expected.

I have been following Alexander’s guidelines (https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions) to develop this.

I am able to establish a kerberized connection to https://hostname/ipa/session/login_kerberos with the HttpClient, Krb5LoginModule, using AuthSchemes.SPNEGO, proper referer header, and JAAS config. The connection is successful and I am caching the ipa-session cookie string for subsequent use (sending a second command). I am performing this as a PrivilegedAction.

After successful authentication, I send a second transaction - a typical “list users” json formatted command to the server at https://hostname/ipa/json. I first attempted this without implementing PrivilegedAction since Alexander’s guide indicated I did NOT need to do any more authentication once I had a session key. I added a cookie header to a plain https transaction with the session cookie. This did not work - which surprised me. The app actually prompted me at this point for login credentials. Any thoughts here?

I decided to create a new PrivilegedAction class to send subsequent json transactions to the server. I moved my code for the 2nd connection in there. This works. But as a test, I commented out instructions to explicitly add the session cookie to the transaction. And it still works. I found that I do not explicitly have to add the cookie header. I am assuming that HttpClient natively handles cookies without explicit interaction.

Anyone with any HttpClient experience that could shed some light on some of the behaviors and whether they should be expected?

It does appear that I have a working client in any case.

Tim Worman
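
The two-request session flow described in this message, as an added example that is not part of the original post or of FreeIPA's code. It assumes Apache HttpClient 4.x, a JAAS entry named `ipa-client` (hypothetical) configured for Krb5LoginModule, the IPA CA in the JVM trust store, and the placeholder host `ipa.example.test`; the second request targets `/ipa/session/json`, FreeIPA's cookie-authenticated endpoint, rather than the Kerberos-negotiated `/ipa/json`.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.http.auth.*;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.*;
import org.apache.http.config.*;
import org.apache.http.entity.*;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.*;
import org.apache.http.util.EntityUtils;

public class IpaSessionExample {
    static final String BASE = "https://ipa.example.test/ipa"; // placeholder host
    // Every request carries the Referer header the post mentions.
    static HttpPost post(String path, String json) {
        HttpPost p = new HttpPost(BASE + path);
        p.setHeader("Referer", BASE);
        if (json != null) p.setEntity(new StringEntity(json, ContentType.APPLICATION_JSON));
        return p;
    }
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("ipa-client"); // hypothetical JAAS entry
        lc.login();
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new Credentials() { // SPNEGO uses the Subject's ticket
            public java.security.Principal getUserPrincipal() { return null; }
            public String getPassword() { return null; }
        });
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
        BasicCookieStore cookies = new BasicCookieStore(); // shared by both requests
        try (CloseableHttpClient http = HttpClients.custom().setDefaultCookieStore(cookies)
                .setDefaultCredentialsProvider(creds).setDefaultAuthSchemeRegistry(schemes).build()) {
            // 1. Kerberos login inside doAs; the response sets the session cookie.
            Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
                try (CloseableHttpResponse r = http.execute(post("/session/login_kerberos", null))) {
                    EntityUtils.consume(r.getEntity());
                }
                return null;
            });
            // 2. JSON-RPC call outside doAs: the cookie store replays the cookie automatically.
            String req = "{\"method\":\"user_find\",\"params\":[[\"\"],{}],\"id\":0}";
            try (CloseableHttpResponse r = http.execute(post("/session/json", req))) {
                System.out.println(r.getStatusLine() + "\n" + EntityUtils.toString(r.getEntity()));
            }
        }
    }
}
```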



