
Consume Maximo RESTful Service using Java code

I am using the Maximo 7.5 REST API and want to write a REST client in Java to consume this RESTful service. I have enabled Maximo security on the Maximo 7.5 side to keep the Maximo users to access its own REST services. Below is what my web.xml for the Maximo RESTful service looks like.

<security-constraint>
        <web-resource-collection>
            <web-resource-name>REST Servlet for Web App</web-resource-name>
            <description>Object Structure Service Servlet (HTTP POST) accessible by authorized users</description>
            <url-pattern>/rest/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Roles that have access to Object Structure Service Servlet (HTTP POST)</description>
            <role-name>maximouser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>data transmission gaurantee</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>REST Web Application Realm</realm-name>        
    </login-config>

I am able to query the Maximo REST service successfully using Chrome's Postman plugin. Below are my two Postman (REST client) headers:

1. MAXAUTH - bWF4YWRtaW46bWF4YWRtaW4=
2. Accept - Application/xml

Though I have given the authorization (MAXAUTH) in headers, I used to get the pop-up window to enter username and password to query Maximo REST service. Once I give the credentials, I get the response (shown below)

The below is my Java code to consume above same RESTful service. I am continuously getting 401 error and though I am giving credentials as property, it is not authorizing it.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

public class RESTConsume {

    // http://localhost:8080/RESTfulExample/json/product/get
    public static void main(String[] args) {

        try {

            URL url = new URL("HOSTNAME/maxrest/rest/os/mxperson?personid=maxadmin");
            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
            connection.setRequestMethod("GET");
            connection.setRequestProperty("Accept", "Application/xml");
            connection.setRequestProperty("MAXAUTH", "bWF4YWRtaW46bWF4YWRtaW4=");
            System.out.println("Output from Server ....1 \n");

            /*
             * if (conn.getResponseCode() != 200) {
             * System.out.println("Output from Server ....2 \n");
             * 
             * throw new RuntimeException("Failed : HTTP error code : "+
             * conn.getResponseCode()); }
             */
            System.out.println("Output from Server ....3 \n");

            BufferedReader br = new BufferedReader(new InputStreamReader(
                    (connection.getInputStream())));
            System.out.println("Output from Server ....4 \n");

            String output;
            System.out.println("Output from Server .... \n");
            while ((output = br.readLine()) != null) {
                System.out.println(output);
            }

        } catch (MalformedURLException e) {

            e.printStackTrace();

        } catch (IOException e) {

            e.printStackTrace();

        }

    }

}

Below is my output:

Output from Server ....1 

Output from Server ....3 

java.io.IOException: Server returned HTTP response code: 401 for URL: http://vhost0043.dc1.co.us.compute.ihost.com/maxrest/rest/os/mxperson?personid=maxadmin
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at RESTConsume.main(RESTConsume.java:35)

It works for a different RESTful service (not the Maximo RESTful service), for which security is not enabled, and I get the response as expected. Please let me know if I need to do something extra to consume the Maximo RESTful service.

If user:password is your username and password then encode64 "user:password" (such as with this tool: https://www.base64encode.org/ ). Then if "iamastrangestring" is the output of encode64, set that as the request property "MAXAUTH": connection.setRequestProperty("MAXAUTH", "iamastrangestring");

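The service expects a username and password, or the maxauth is invalid, so in the case of the browser it prompts you to enter them explicitly, but in the case of maximo you get a 401. Try providing username and password headers in the request.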

You need to add the username and password parameters using basic http:

.../os/mxperson?_lid=username&_lpwd=password&_format=xml&personid=MAXADMIN

I think you can only use AUTH headers when using LDAP.

Dredging up an old question here, but I was directed to this answer from Google when "I" had the same problem, so maybe this will help someone else.

I was looking at this IBM article: https://www.ibm.com/support/knowledgecenter/en/SSLKT6_7.6.0/com.ibm.mif.doc/gp_intfrmwk/rest_api/c_rest_security.html In it, it lists two different authentication options. It seems rather obvious to me now, but the block of XML the first section of the article suggests to change (and that you show as changed in your post) opens up HTTP Basic Authentication. Without those settings you need to use native authentication. This took me a bit to realize, and also appears to be the source of your confusion.

That means, with the standard Maximo setup, it is configured to use native authentication. You need to supply the MAXAUTH header property with a value of "<username>:<password>" base64 encoded. Maximo will decode it and get the username and password and compare them to its internal database. If they match, the request is considered authenticated and the service will return its results. If they don't match, you are considered unauthenticated and you get the 401 error. This means Maximo is doing the authentication against its database.

If you change the settings described in the linked article, and as you have done and shown in your question, then you are saying you don't want to use that form of authentication (I assume it actually turns off that form of authentication). You are then saying that you want the application server to do the authentication against the app server's "database" instead of Maximo's. This is what you want if you want to be validated against LDAP (Active Directory) or something similar instead.

In this case, the username and password need to be sent using the HTTP Basic Authentication standard instead. See: https://en.wikipedia.org/wiki/Basic_access_authentication That means you need to supply a header called "Authorization" instead of "MAXAUTH" and the value of that header must be the string "Basic " (note the capitalization and the space) plus the base64 encoded string of "<username>:<password>". For example, for the user "maxadmin" with the password "maxadmin", the "Authorization" header's value would be "Basic bWF4YWRtaW46bWF4YWRtaW4=".

The application server gets that and decodes the username and password. It then checks those against what it is configured to authorize users against (a database of its own, LDAP, something else, some combination of that). If they don't match (which they won't if you aren't even supplying this information), then the request is considered unauthenticated and you get the 401 response back. If they do match, the request/user is considered authenticated and then the app server will map this request/user to a role (or many roles), depending on your app server settings for the deployed application (that goes into a different LDAP configuration discussion I don't want to tangent into here; this is already too long as-is).

That role(s) is then passed to Maximo for the request. Maximo takes that role(s) and checks to see if it matches what is configured in its XML configuration (that you quoted in your question and that is shown in the linked IBM article earlier). If they don't match, I think you are considered unauthorized and an error is sent back. If they do match, the request is considered authorized, is allowed through and the service returns its response.
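The two header styles described in the answer above, side by side in a Java client; this is an added example, not code from the thread or from IBM. The command-line arguments and the environment variable names MAXIMO_USER and MAXIMO_PASSWORD are assumptions of this example. It also reads the 401 response instead of letting getInputStream() throw, and warns when the URL is plain HTTP, since the web.xml in the question sets transport-guarantee to NONE.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class MaximoRestClient {
    // base64("<username>:<password>") is an encoding, not encryption.
    static String encodeCredentials(String user, String password) {
        return Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    // basicAuth=true:  web.xml enables <auth-method>BASIC</auth-method>, the app server authenticates.
    // basicAuth=false: default setup, Maximo authenticates natively from the MAXAUTH header.
    static void addAuthHeader(HttpURLConnection c, String token, boolean basicAuth) {
        if (basicAuth) c.setRequestProperty("Authorization", "Basic " + token);
        else c.setRequestProperty("MAXAUTH", token);
    }

    public static void main(String[] args) throws IOException {
        // Assumed inputs (not from the thread): args[0] = full REST URL, args[1] = "basic" or "native",
        // credentials in the hypothetical environment variables MAXIMO_USER / MAXIMO_PASSWORD.
        String user = System.getenv("MAXIMO_USER"), password = System.getenv("MAXIMO_PASSWORD");
        if (args.length < 2 || user == null || password == null)
            throw new IllegalArgumentException("usage: MaximoRestClient <url> <basic|native>, with MAXIMO_USER and MAXIMO_PASSWORD set");
        URL url = new URL(args[0]);
        if (!"https".equalsIgnoreCase(url.getProtocol()))
            System.err.println("warning: plain HTTP, the credential header can be read and decoded in transit");

        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("GET");
        c.setRequestProperty("Accept", "application/xml");
        addAuthHeader(c, encodeCredentials(user, password), "basic".equalsIgnoreCase(args[1]));

        int status = c.getResponseCode();
        System.out.println("HTTP " + status);
        // A "Basic realm=..." challenge on a 401 means the app server, not Maximo, is checking credentials.
        if (status == 401) System.out.println("WWW-Authenticate: " + c.getHeaderField("WWW-Authenticate"));
        // getInputStream() throws on 4xx/5xx; the response body is on the error stream instead.
        InputStream body = status < 400 ? c.getInputStream() : c.getErrorStream();
        if (body == null) return;
        try (BufferedReader br = new BufferedReader(new InputStreamReader(body, StandardCharsets.UTF_8))) {
            for (String line; (line = br.readLine()) != null; ) System.out.println(line);
        }
    }
}
```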
