在SharePoint上禁止抛出403的肥皂水

Question

我在使用suds对SharePoint 2010网站使用python-ntlm程序包进行身份验证时遇到问题。 我已经尝试过在此线程中链接的解决方案， 但是没有运气。

我正在运行Python 2.7.10，suds 0.4和python-ntlm 1.1.0。

这是我的代码：

from suds.client import *
from suds.transport.https import WindowsHttpAuthenticated

import logging
logging.basicConfig(level=logging.INFO)
logging.getLogger('suds.client').setLevel(logging.DEBUG)
logging.getLogger('suds.transport').setLevel(logging.DEBUG)
logging.getLogger('ntlm').setLevel(logging.DEBUG)

url = "https://web.site.com/sites/Collection/_vti_bin/Lists.asmx?WSDL"
ntlm = WindowsHttpAuthenticated(username='DOMAIN\UserName',
                                password='Password')
client = Client(url, transport=ntlm)
client.service.GetListCollection()

这是调试输出：

DEBUG:suds.transport.http:opening (https://web.site.com/sites/Collection/_vti_bin/Lists.asmx?WSDL)
DEBUG:suds.transport.http:opening (http://www.w3.org/2001/XMLSchema.xsd)
DEBUG:suds.transport.http:opening (http://www.w3.org/2001/xml.xsd)
DEBUG:suds.client:sending to (https://web.site.com/sites/Collection/_vti_bin/Lists.asmx)
message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns0:Body>
      <ns1:GetListCollection/>
   </ns0:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:headers = {'SOAPAction': u'"http://schemas.microsoft.com/sharepoint/soap/GetListCollection"', 'Content-Type': 'text/xml; charset=utf-8'}
DEBUG:suds.transport.http:sending:
URL:https://web.site.com/sites/Collection/_vti_bin/Lists.asmx
HEADERS: {'SOAPAction': u'"http://schemas.microsoft.com/sharepoint/soap/GetListCollection"', 'Content-Type': 'text/xml; charset=utf-8', 'Content-type': 'text/xml; charset=utf-8', 'Soapaction': u'"http://schemas.microsoft.com/sharepoint/soap/GetListCollection"'}
MESSAGE:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><ns0:Body><ns1:GetListCollection/></ns0:Body></SOAP-ENV:Envelope>
ERROR:suds.client:<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns0:Body>
      <ns1:GetListCollection/>
   </ns0:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:http failed:
403 FORBIDDEN
Traceback (most recent call last):
  File "C:/Users/username/PycharmProjects/Suds/soap.py", line 14, in <module>
    client.service.GetListCollection()
  File "C:\Python27\lib\site-packages\suds\client.py", line 542, in __call__
    return client.invoke(args, kwargs)
  File "C:\Python27\lib\site-packages\suds\client.py", line 602, in invoke
    result = self.send(soapenv)
  File "C:\Python27\lib\site-packages\suds\client.py", line 649, in send
    result = self.failed(binding, e)
  File "C:\Python27\lib\site-packages\suds\client.py", line 708, in failed
    raise Exception((status, reason))
Exception: (403, u'Forbidden')

但是，等效项在cURL中工作得很好（为便于阅读而格式化）

curl -u 'Username':'Password' --ntlm -X POST \
 -H 'Content-Type: text/xml'\
 -H 'SOAPAction: "http://schemas.microsoft.com/sharepoint/soap/GetListCollection"' \
 "https://web.site.com/sites/Collection/_vti_bin/Lists.asmx" \ 
 --data-binary @soapenvelope.xml

我还没有找到一种方法来强制Suds通过Fiddler代理同时通过NTLM身份验证。 在这里概述，似乎无论如何都忽略代理设置，我找不到通过提琴手来混合和匹配本地代理并使它尝试对Lists Web服务进行NTLM身份验证的方法。

环境信息（以使其易于搜索）：

• SharePoint 2010
• 基于表单的身份验证/ FedAuth
• 使用SAML v1.x的外部Oracle SSO

Answer 1

在对NTLM协议进行了大量阅读之后，我发现cURL在第一个请求上发送了NTLM Type 1消息。 但是，suds（和PowerShells的New-WebServiceProxy ）没有这样做。 它正在获取403 Forbidden，但没有进行握手过程，因为这是意外的。 使用python-ntlm3的create_NTLM_NEGOTIATE_MESSAGE() ，我能够生成该类型1消息。

通过在Type 1消息中添加“ Authorization”标头，这WindowsHttpAuthenticated 401未经授权，并导致WindowsHttpAuthenticated完成了预期的握手。

from ntlm3 import ntlm
from suds.client import Client
from suds.transport.https import WindowsHttpAuthenticated

url = "https://web.site.com/sites/Collection/_vti_bin/Lists.asmx"
wsdl = (url + "?WSDL")
domain = 'DOM'
username = 'USER'
password = 'PASS'

transport = WindowsHttpAuthenticated(username=username,
                                     password=password)
client = Client(url=wsdl,
                location=url,
                transport=transport)

negotiate = "%s\\%s" % (domain, username)
ntlmauth = 'NTLM %s' % ntlm.create_NTLM_NEGOTIATE_MESSAGE(negotiate).decode('ascii')
header = {'Authorization': ntlmauth}
client.set_options(headers=header)
client.service.GetList('Test')

这一切发生的神奇原因是因为我们使用了基于表单的身份验证（FBA）。 正常的身份验证请求被路由到Oracle SSO，这就是为什么（我认为）它没有正常响应并导致403 Unauthorized。

希望这有助于防止某人将头撞在墙上。