Content Management Interoperability Services (CMIS) Version 1.1

More documents

Recommendations

Info

} ) } "repositoryId":"A1", "repositoryDescription":"A Repository", "vendorName":"OASIS", "productName":"Repository Server", "productVersion":"1.0", "cmisVersionSupported":"1.1", "changesIncomplete":true, "rootFolderUrl":"http:\/\/example.com\/cmis\/repository\/123\/root", "latestChangeLogToken":"0", "rootFolderId":"100", "repositoryName":"Apache Chemistry OpenCMIS InMemory Repository", "repositoryUrl":"http:\/\/example.com\/cmis\/repository\/123", "changesOnType":[]. "capabilities":{ "capabilityContentStreamUpdatability":"anytime", "capabilityPWCSearchable":false, "capabilityQuery":"bothcombined", "capabilityRenditions":"none", "capabilityACL":"none", "capabilityGetFolderTree":true, "capabilityGetDescendants":true, "capabilityVersionSpecificFiling":false, "capabilityUnfiling":true, "capabilityJoin":"none", "capabilityAllVersionsSearchable":false, "capabilityMultifiling":true, "capabilityChanges":"none", "capabilityPWCUpdatable":true }, 5.2.9 Authentication This specification RECOMMENDS the authentication mechanisms described in the following sections. Repositories MAY provide more, other or no authentication mechanisms. Furthermore, this specification RECOMMENDS the use of HTTPS (see [RFC2818]) to protect credentials and data. 5.2.9.1 Basic Authentication for Non-Browser Clients Repositories SHOULD accept HTTP Basic Authentication (see [RFC2617] Section 2). If the provided credentials are incorrect or unknown or entirely missing, a repository MAY return the HTTP status code 403 (Forbidden) instead of the HTTP status code 401 (Unauthorized). This prevents web browsers from providing a login dialog and subsequently remembering the credentials. This in turn can prevent a form of cross-site request forgery (CSRF). 5.2.9.2 Authentication with Tokens for Browser Clients The authentication mechanism described in this section addresses the following scenario: A web application is hosted on one domain; the CMIS browser binding interface is served from another domain. There is no proxy process on the server that hosts the web application. That is, all communication between the application and the repository has to happen in the web browser via JavaScript. The "sameorigin policy" (see [SameOriginPolicy]) enforced by the web browser prohibits a direct and secure two-way communication between the application and the repository. To access the repository, a user has to authenticate and has to authorize the application (and only this application, not all scripts in the web browser) to make CMIS calls. CMIS-v1.1-csprd01 Standards Track Work Product Copyright © OASIS Open 2012. All Rights Reserved. 18 August 2012 Page 262 of 331
5.2.9.2.1 JSONP and Form Requests Cross-domain requests should use JSONP and callbacks (see section 5.2.8 Callback) for GET requests and should use HTML forms for POST requests. A token SHOULD be added to each request to prevent cross-site request forgery (CSRF) attacks. For this purpose, a parameter token MUST be added to the parameters of a GET request and a control token MUST be added to the controls of a HTML form. The repository SHOULD return a permissionDenied error if the client sends an invalid token. If the client sends any other form of authentication (Basic Authentication, OAuth, etc.), the token MAY be omitted. It is RECOMMENDED for web applications always to provide a token, even if another form of authentication is in place. 5.2.9.2.2 Login and Tokens Tokens are obtained from the repository in the following way. The repository provides a JavaScript script that the web application includes into its HTML page via the HTML tag. This script provides four functions: cmisServiceURL() This function returns the Service URL. See section 5.3.1 Service URL. cmisLogin(callback) This function triggers the login process. The web application MUST call this function before it calls any other functions. How the login works is repository specific. A repository MAY replace the application page in the web browser with a login page and later return back to the application page. The function takes a callback function. It is called when the login process has been completed. The callback function MUST accept a boolean parameter. The repository MUST provide TRUE if the login process was successful and FALSE if it was not successful. cmisLogout(callback) This function triggers the logout process. How the logout works is repository specific. After a successful logout, cmisNextToken() MUST NOT return a valid token. The application MAY call cmisLogin() again to trigger a new login. The function takes a callback function. It is called when the logout process has been completed. The callback function MUST accept a boolean parameter. The repository MUST provide TRUE if the logout process was successful and FALSE if it was not successful. cmisNextToken(callback) This function calls the provided callback function with a new token. How this token is generated and obtained is repository specific. Whether the repository returns unique tokens or the same token for a user or for all users is repository specific. The repository SHOULD signal an invalid state (e.g. no logged in user) with an empty token (empty string). The flow in a web application could looks like this: cmisLogin(function(success) { if (success) { displayRootFolder(); } else { showLoginErrorMessage(); } }); function displayRootFolder() { cmisNextToken(function(token) { loadChildren('/', ..., token); }); } CMIS-v1.1-csprd01 Standards Track Work Product Copyright © OASIS Open 2012. All Rights Reserved. 18 August 2012 Page 263 of 331
Page 1 and 2:
Content Management Interoperability
Page 3 and 4:
Notices Copyright © OASIS Open 201
Page 5 and 6:
2.1.12 Access Control . . . . . . .
Page 7 and 8:
3.3.1 CMIS Atom . . . . . . . . . .
Page 9 and 10:
4.3.1 updateProperties and checkIn
Page 11 and 12:
B.2 A subset of JSONSchema . . . .
Page 13 and 14:
[RFC4287] [RFC4288] [RFC4627] [RFC4
Page 15 and 16:
1.5.7 Service bulkUpdateProperties
Page 17 and 18:
capabilityOrderBy Indicates the ord
Page 19 and 20:
ACL Capabilities • queryName •
Page 21 and 22:
MAY also have one or more rendition
Page 23 and 24:
2.1.3 Object-Type An object-type de
Page 25 and 26:
fileable Boolean Indicates whether
Page 27 and 28:
updatability Enum Indicates under w
Page 29 and 30:
maxValue Integer The maximum value
Page 31 and 32:
2.1.4 Document Object Document obje
Page 33 and 34:
2.1.4.3 Document Object-Type Defini
Page 35 and 36:
cmis:name Property Type: Inherited:
Page 37 and 38:
cmis:createdBy Property Type: Inher
Page 39 and 40:
cmis:isImmutable Property Type: Inh
Page 41 and 42:
cmis:isPrivateWorkingCopy Property
Page 43 and 44:
cmis:versionSeriesCheckedOutBy Prop
Page 45 and 46:
cmis:contentStreamMimeType Property
Page 47 and 48:
2.1.5 Folder Object A folder object
Page 49 and 50:
A Folder Graph Root Folder A folder
Page 51 and 52:
controllablePolicy Value: controll
Page 53 and 54:
cmis:objectTypeId Property Type: In
Page 55 and 56:
cmis:changeToken Property Type: Inh
Page 57 and 58:
2.1.6 Relationship Object A relatio
Page 59 and 60:
fileable Value: FALSE queryable Val
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
2.1.7 Policy Object A policy object
Page 67 and 68:
2.1.7.1.2 Property Definitions The
Page 69 and 70:
cmis:secondaryObjectTypeIds Propert
Page 71 and 72:
cmis:policyText Property Type: Inhe
Page 73 and 74:
fileable Value: queryable Value:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
2.1.9.2.1 Attribute Values The seco
Page 81 and 82:
2.1.10 Object-Type Creation, Modifi
Page 83 and 84:
CMIS Object cmis:objectId : Id cmis
Page 85 and 86:
2.1.12 Access Control A repository
Page 87 and 88:
For convenience, the list groups al
Page 89 and 90:
canGetProperties Description: Base
Page 91 and 92:
Description: Base Type: Operand: Ke
Page 93 and 94:
canApplyPolicy Description: Base Ty
Page 95 and 96:
2.1.13 Versioning CMIS supports ver
Page 97 and 98:
2.1.13.5.3 Discarding Check out An
Page 99 and 100:
The repository MAY also create new
Page 101 and 102:
2.1.14 Query CMIS provides a type-b
Page 103 and 104:
Query Search Scope B is a subtype o
Page 105 and 106:
ANY [ NOT ] IN "(" ")" ::= CONTA
Page 107 and 108:
Property Type Operators supported o
Page 109 and 110:
Usage: This is a predicate function
Page 111 and 112:
Inputs: The value of this optional
Page 113 and 114:
2.1.15 Change Log CMIS provides a "
Page 115 and 116:
2.1.16 Retentions and Holds Retenti
Page 117 and 118:
cmis:secondary cmis:rm_repMgtReten3
Page 119 and 120:
If a repository supports Client Man
Page 121 and 122:
queryable Value: SHOULD be TRUE con
Page 123 and 124:
controllablePolicy Value: FALSE con
Page 125 and 126:
description Value: creatable Value
Page 127 and 128:
The CMIS service operations that su
Page 129 and 130:
2.2.1.2.4.1 Rendition Filter Gramma
Page 131 and 132:
Common CMIS properties: The followi
Page 133 and 134:
versioning Intent: The operation is
Page 135 and 136:
2.2.2.1 getRepositories Description
Page 137 and 138:
asic Indicates that the CMIS basic
Page 139 and 140:
2.2.2.4 getTypeDescendants Descript
Page 141 and 142:
2.2.2.6 createType Description: Cre
Page 143 and 144:
2.2.2.8 deleteType Description: Del
Page 145 and 146:
2.2.3.1 getChildren Description: Ge
Page 147 and 148:
2.2.3.2.3 Exceptions Thrown & Condi
Page 149 and 150:
• invalidArgument If the service
Page 151 and 152:
2.2.3.5 getObjectParents Descriptio
Page 153 and 154:
2.2.4 Object Services CMIS provides
Page 155 and 156:
• constraint If the contentStream
Page 157 and 158:
• constraint If the versionable a
Page 159 and 160:
2.2.4.4 createRelationship Descript
Page 161 and 162:
2.2.4.6 createItem Description: Cre
Page 163 and 164:
2.2.4.8 getObject Description: Gets
Page 165 and 166:
2.2.4.10 getObjectByPath Descriptio
Page 167 and 168:
2.2.4.12 getRenditions Description:
Page 169 and 170:
2.2.4.14 bulkUpdateProperties Descr
Page 171 and 172:
2.2.4.16 deleteObject Description:
Page 173 and 174:
2.2.4.18 setContentStream Descripti
Page 175 and 176:
2.2.4.20 deleteContentStream Descri
Page 177 and 178:
2.2.5.1 addObjectToFolder Descripti
Page 179 and 180:
2.2.6 Discovery Services The Discov
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
2.2.7.1 checkOut Description: Creat
Page 187 and 188:
2.2.7.3 checkIn Description: Checks
Page 189 and 190:
2.2.7.5 getPropertiesOfLatestVersio
Page 191 and 192:
2.2.8 Relationship Services The Rel
Page 193 and 194:
Page 195 and 196:
2.2.9.1 applyPolicy Description: Ap
Page 197 and 198:
2.2.9.3 getAppliedPolicies Descript
Page 199 and 200:
2.2.10.1 applyACL Description: Adds
Page 201 and 202:
3 AtomPub Binding 3.1 Overview This
Page 203 and 204:
3.1.9 Services not Exposed The foll
Page 205 and 206:
• AtomPub Service (application/at
Page 207 and 208:
3.4.1.1.1 cmisra:collectionType Thi
Page 209 and 210:
href="http://example.com/rep1/rendi
Page 211 and 212: 3.4.3.2 Hierarchy Navigation Intern
Page 213 and 214: http://docs.oasis-open.org/ns/cmis/
Page 215 and 216: When POSTing an Atom Document, the
Page 217 and 218: ACL Policy Rel Versioning Disc Mult
Page 219 and 220: - cmisra:collectiontype = 'update'
Page 221 and 222: • If the value is 'latest' getObj
Page 223 and 224: application/atom+xml;type=entry 3.
Page 225 and 226: first, next, previous, last Paging
Page 227 and 228: Arguments: Media Type: Link Relatio
Page 229 and 230: Success Status Codes: • 201 Creat
Page 231 and 232: service Points to the service docum
Page 233 and 234: • application/atom+xml;type=entry
Page 235 and 236: 3.10.1.1 HTTP GET CMIS Services: Ar
Page 237 and 238: Arguments: Media Type: Link Relatio
Page 239 and 240: 3.10.4.2 HTTP DELETE This deletes t
Page 241 and 242: • cmisra:type inside atom:entry S
Page 243 and 244: Media Type: Link Relations: • inc
Page 245 and 246: Arguments: Media Type: Media Type:
Page 247 and 248: Media Type: Link Relations: • inc
Page 249 and 250: self Points to an URI that returns
Page 251 and 252: Accept: Media Type: • Atom Entry
Page 253 and 254: 3.11.8 Content Stream This is the c
Page 255 and 256: • onlyBasicPermissions Media Type
Page 257 and 258: 4.3 Additions to the Services secti
Page 259 and 260: Client to Repository Repository to
Page 261: CMIS and JSON types. CMIS string bo
Page 265 and 266: Example: GET /cmis/repository/123/m
Page 267 and 268: The Schema Elements mentioned in th
Page 269 and 270: 5.4.2.3 Selector "typeDescendants"
Page 271 and 272: 5.4.2.6 Action "createDocument" Ser
Page 273 and 274: 5.4.2.10 Action "createItem" Servic
Page 275 and 276: Example: Request: browser/doQuery-r
Page 277 and 278: 5.4.2.18 Selector "lastResult" HTTP
Page 279 and 280: 5.4.3.3 Selector "folderTree" Servi
Page 281 and 282: 5.4.3.6 Selector "checkedout" Servi
Page 283 and 284: 5.4.3.10 Action "createPolicy" Serv
Page 285 and 286: 5.4.3.14 Selector "properties" Serv
Page 287 and 288: 5.4.3.18 Action "update" Service: H
Page 289 and 290: 5.4.3.22 Action "setContent" Servic
Page 291 and 292: 5.4.3.26 Action "removeObjectFromFo
Page 293 and 294: 5.4.3.30 Selector "object" Service:
Page 295 and 296: 5.4.3.33 Selector "relationships" S
Page 297 and 298: 5.4.3.37 Action "applyACL" Service:
Page 299 and 300: Example: 5.4.4.3.2 Token This is u
Page 301 and 302: 5.4.4.3.11 Single-value Properties
Page 303 and 304: 5.4.4.3.16 Removing Access Cont
Page 305 and 306: 5.4.4.3.22 Unfile Objects Indicates
Page 307 and 308: 5.4.4.3.29.5 Include allowable acti
Page 309 and 310: Web Browser https://foo.example.com
Page 311 and 312: 5.4.4.4.1 Client Implementation Hin
Page 313 and 314:
Web Services Binding: Normative tex
Page 315 and 316:
Optional parameters: "charset": Thi
Page 317 and 318:
Published specification: This speci
Page 319 and 320:
B.3 A Non-Normative Tutorial A coll
Page 321 and 322:
B.3.8 Array Types Arrays are specif
Page 323 and 324:
string `{ "title": "Service Name",
Page 325 and 326:
B.4 The Normative Grammar Orderly_s
Page 327 and 328:
\b \f \n \r \t \u four-hex-digits j
Page 329 and 330:
Joyer, Mr. Neil Kadlabalu, Hareesh
Page 331:
CMIS-738 Add introduction sub-secti
show all

Content Management Interoperability Services (CMIS) Version 1.1

Create successful ePaper yourself

Delete template?

Save as template?