在SharePoint上投掷403 Forbidden的Suds

时间:2015-09-18 19:27:20

标签: python soap sharepoint-2010 suds

我遇到了使用针对SharePoint 2010网站的python-ntlm软件包进行身份验证的问题。我已尝试在this thread中链接的解决方案,但没有运气。

我正在运行Python 2.7.10,suds 0.4和python-ntlm 1.1.0。

这是我的代码:

from suds.client import *
from suds.transport.https import WindowsHttpAuthenticated

import logging
logging.basicConfig(level=logging.INFO)
logging.getLogger('suds.client').setLevel(logging.DEBUG)
logging.getLogger('suds.transport').setLevel(logging.DEBUG)
logging.getLogger('ntlm').setLevel(logging.DEBUG)

url = "https://web.site.com/sites/Collection/_vti_bin/Lists.asmx?WSDL"
ntlm = WindowsHttpAuthenticated(username='DOMAIN\UserName',
                                password='Password')
client = Client(url, transport=ntlm)
client.service.GetListCollection()

这是调试输出:

DEBUG:suds.transport.http:opening (https://web.site.com/sites/Collection/_vti_bin/Lists.asmx?WSDL)
DEBUG:suds.transport.http:opening (http://www.w3.org/2001/XMLSchema.xsd)
DEBUG:suds.transport.http:opening (http://www.w3.org/2001/xml.xsd)
DEBUG:suds.client:sending to (https://web.site.com/sites/Collection/_vti_bin/Lists.asmx)
message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns0:Body>
      <ns1:GetListCollection/>
   </ns0:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:headers = {'SOAPAction': u'"http://schemas.microsoft.com/sharepoint/soap/GetListCollection"', 'Content-Type': 'text/xml; charset=utf-8'}
DEBUG:suds.transport.http:sending:
URL:https://web.site.com/sites/Collection/_vti_bin/Lists.asmx
HEADERS: {'SOAPAction': u'"http://schemas.microsoft.com/sharepoint/soap/GetListCollection"', 'Content-Type': 'text/xml; charset=utf-8', 'Content-type': 'text/xml; charset=utf-8', 'Soapaction': u'"http://schemas.microsoft.com/sharepoint/soap/GetListCollection"'}
MESSAGE:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><ns0:Body><ns1:GetListCollection/></ns0:Body></SOAP-ENV:Envelope>
ERROR:suds.client:<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns0:Body>
      <ns1:GetListCollection/>
   </ns0:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:http failed:
403 FORBIDDEN
Traceback (most recent call last):
  File "C:/Users/username/PycharmProjects/Suds/soap.py", line 14, in <module>
    client.service.GetListCollection()
  File "C:\Python27\lib\site-packages\suds\client.py", line 542, in __call__
    return client.invoke(args, kwargs)
  File "C:\Python27\lib\site-packages\suds\client.py", line 602, in invoke
    result = self.send(soapenv)
  File "C:\Python27\lib\site-packages\suds\client.py", line 649, in send
    result = self.failed(binding, e)
  File "C:\Python27\lib\site-packages\suds\client.py", line 708, in failed
    raise Exception((status, reason))
Exception: (403, u'Forbidden')

但是,等效在cURL中完全正常(格式化为可读性)

curl -u 'Username':'Password' --ntlm -X POST \
 -H 'Content-Type: text/xml'\
 -H 'SOAPAction: "http://schemas.microsoft.com/sharepoint/soap/GetListCollection"' \
 "https://web.site.com/sites/Collection/_vti_bin/Lists.asmx" \ 
 --data-binary @soapenvelope.xml

我也无法找到一种方法来强制suds通过Fiddler代理同时传递NTLM身份验证。概述here,似乎无论如何都忽略了代理设置,我找不到通过fiddler 混合和匹配本地代理的方法让它尝试对列表Web服务进行NTLM身份验证

环境信息(使其易于搜索):

  • SharePoint 2010
  • 基于表单的身份验证/ FedAuth
  • 使用SAML v1.x的外部Oracle SSO

1 个答案:

答案 0 :(得分:1)

good amount of reading for the NTLM protocol之后,我发现cURL正在第一个请求上发送NTLM Type 1消息。但是,suds(和PowerShells'New-WebServiceProxy)没有这样做。它正在获得403 Forbidden,但没有进行握手过程,因为这是出乎意料的。使用create_NTLM_NEGOTIATE_MESSAGE()中的python-ntlm3,我能够生成该类型1消息。

通过添加带有Type 1消息的'Authorization'标头,强制401 Unauthorized,并导致WindowsHttpAuthenticated按预期完成握手。

from ntlm3 import ntlm
from suds.client import Client
from suds.transport.https import WindowsHttpAuthenticated

url = "https://web.site.com/sites/Collection/_vti_bin/Lists.asmx"
wsdl = (url + "?WSDL")
domain = 'DOM'
username = 'USER'
password = 'PASS'

transport = WindowsHttpAuthenticated(username=username,
                                     password=password)
client = Client(url=wsdl,
                location=url,
                transport=transport)

negotiate = "%s\\%s" % (domain, username)
ntlmauth = 'NTLM %s' % ntlm.create_NTLM_NEGOTIATE_MESSAGE(negotiate).decode('ascii')
header = {'Authorization': ntlmauth}
client.set_options(headers=header)
client.service.GetList('Test')

所有这一切发生的神奇原因是因为我们使用基于表单的身份验证(FBA)。正常的身份验证请求被路由到Oracle SSO,这就是为什么(我相信)它没有正常响应并导致403 Unauthorized。

希望这有助于防止有人撞到墙上。

相关问题
最新问题