Wednesday, April 10, 2013

CMIS: What are Secondary object types?

The main advantage of ECM servers over file servers is the ability to have metadata about the documents, and the ability to define what metadata should exist, on what kind of document.

For instance, an ECM administrator might decide that pictures should have a height and a width metadata, while bills should have a price metadata. In CMIS parlance, pictures and bills are called "primary types".

Most ECM servers also have a "secondary type" concept. Secondary types are more transverse, and can be applied to documents of any primary type. For instance, "Confidentiality" can be applied to images as well as bills. A document can only have one primary type, but can have several secondary types.
A few examples: Versionability, effectivity, geographic details, audio details, ...

Forgotten in CMIS 1.0, secondary types are now part of the CMIS 1.1 standard, which should be official soon.

Example with Alfresco

In Alfresco, a secondary type is called an "aspect". You can easily add aspects to any document. There are predefined aspects, but you can also define custom aspects.

For instance, let's say we manage field observation reports, and each observation report has a latitude and longitude. So, let's add the predefined "Geographic" secondary type to a document. In the document's details page, click on "Manage Aspects":


 Then add the "Geographic" aspect:




The latitude and longitude are now part of the document's metadata properties:


Looks nice in the Alfresco client, but how is it via CMIS?

The CMIS 1.1 standard is not official yet, so unfortunately in Alfresco 4.2.0, secondary type properties can not yet be seen in the CMIS properties:


Instead, you have to get them via the CMIS extensions, which is a mechanism for vendor-specific tricks:


Actually, there is an open source Java library that makes it easy to retrieve them from there. But I would suggest waiting for CMIS 1.1, you will then be able to use secondary type properties easily, in a way that will work on all ECM servers.

Nicolas Raoul

Thursday, April 4, 2013

How to get the HTTPS headers?

Long-time sniffers remember tracking HTTP headers down the wire using Ethereal (now Wireshark), but this has become impossible in environments where everything is encrypted (HTTPS).

In such environments, tracking headers means monitoring either directly within the server process (difficult in clouds), or within the client process (typically a browser).

Recently I had to reverse-engineer the convoluted authentication to the CMIS endpoint of a Sharepoint server. Below is my tale, and the tools I tried (spoiler: only the last one did the job).

Contestant 1: Chrome Developer Tools

In Chrome, I start Incognito mode (CTRL-SHIFT-N) to make sure no saved passwords/cookies interfere, fire up the Developer Tools (CTRL-SHIFT-I), select "Network" to see the requests, and launch the request.

As seen in the screenshot below, Chrome shows the conversation between client and server. Something sounds fishy: Only 2 requests, and the last one is marked as "canceled" even though download succeded... let's try another tool!



Contestant 2: Firefox Web Console

In Firefox, I start Private Browsing mode (CTRL-SHIFT-P), fire up the Web Console (CTRL-SHIFT-K), unselect everything but "Net", and launch the request.

Firefox wins over Chrome by showing the right number of requests (four):


Now to the job: Getting the HTTPS headers!
I click on a request, and something awful happens: a totally unusable window appears, displaying what I need (request headers and response headers), but preventing me from copy-pasting it.

Mouse selection goes crazy, and copying everything results in an unusable long string containing everything aggregated without spaces [1]. Not to mention the inexact timestamp [2], the content that does not scale with the window [3], and the weird titles font style [4].


Fine if you just want to see the headers, but real hackers want to script-parse and diff the headers, right? Next!


Winner: Httpfox

In Firefox, after having installed the Httpfox extension, I start Private Browsing, fire up Httpfox (SHIFT-F2), press "Start", and launch the request.
The lower part shows the headers, and copying them is accessible via the context menu... perfect!



Conclusion: Httpfox is the easiest way to get HTTPS headers.
If you know any other convenient tool, please let us know in the comments!
Nicolas Raoul