Showing results for 
Search instead for 
Did you mean: 

Authentication failure in java client using BOSH into finesse notification server


I am writing a third party application running in a server environment that needs to get notifications from Finesse server. I have written the app in Java and I am using Babbler 0.7 as the means of creating an XMPP session. I can see the finesse server (I guess I mean openfire) replying with available stream mechanisms. In this case it seems only PLAIN is supported.

<body xmlns="" xmlns:stream="" authid="89f6eb70" sid="89f6eb70" secure="true" requests="4" inactivity="60" polling="5" wait="60" hold="1" ack="1535782836973282" maxpause="300" ver="1.6">
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<compression xmlns="">
<bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
<session xmlns="urn:ietf:params:xml:ns:xmpp-session"/>

My app then sends a log in request using PLAIN:

<body xmlns="" rid="1535782836973283" sid="89f6eb70">
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AEJUNjQ4ODkAMTIzNDU2Nzg=</auth>

but gets the following rejection:

<body xmlns="">
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">

I have checked the BASE64 encoding and it follows the \0+username+\0+password format that I would expect with the PLAIN mechanism and the account I am using is one that I can login with to the login server using Jabber. I have tried the Administration account and similarly it fails.

I have also tried "restclient" to send RESTful requests into Finesse using the same account via the http "Authorized" header, and that works. Is there an enablement stage to allow XMPP access from a third part app that I may have overlooked?

Many thanks

2 Replies 2


I have only just been able to get to the logs but I think I see what is going on now. The “not-authorized” return I keep getting isn’t strictly true. If I use BTTest1 as the user to login to the finesse notification server I get a genuine unauthorized response back. It seems that BTTest1 is not recognized by finesse notification server.

  1. 2016.06.15 10:05:50 << "HTTP/1.1 401 Unauthorized[\r][\n]"

  1. 2016.06.15 10:05:50 HTTPBindLog: HTTP SENT(f7387897): <body xmlns=''><failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure></body>

If I use the administrator account details then finesse server returns “Not Found” in response to:

  1. 2016.06.21 10:28:36 >> "GET /finesse/api/User/administrator HTTP/1.1[\r][\n]"

  1. 2016.06.21 10:28:36 << "HTTP/1.1 404 Not Found[\r][\n]"

However as this “GET” activity is still part of the login process (not anything directly driven by my client) what is actually returned to my client is “Not-authorized” again. The reason for the failure is that it is looking for “/finesse/api/User/administrator” which does not exist. It looks like I need an account which is recognized by the finesse notification server like the administrator but which is also a Cisco agent. Is that a correct interpretation of these results? I hope you can help.

Thus is the full authorization part of the log using the administrator account:

2016.06.21 10:28:36 HTTPBindLog: HTTP RECV(f8be244): <body rid="210641646423296" sid="f8be244"><auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">removed</auth></body>

2016.06.21 10:28:36 consumeResponse: org.jivesoftware.openfire.http.HttpSession@130e87 status: 1 address: sllfin.slllab.icm/f8be244 id: f8be244 presence:

<presence type="unavailable"/> rid: 210641646423296

2016.06.21 10:28:36 suspended org.eclipse.jetty.server.nio.SelectChannelConnector$SelectChannelHttpConnection@dad1e8@<->

2016.06.21 10:28:36 AWSAuthProvider:Authentication request received: username=administrator

2016.06.21 10:28:36 AWSAuthProvider:awsHost and awsPort retrieved from properties is: localhost and 8080

2016.06.21 10:28:36 AWSAuthProvider:administrator is to use custom authentication

2016.06.21 10:28:36 Set parameter http.connection.timeout = 30000

2016.06.21 10:28:36 Set parameter http.authentication.preemptive = true

2016.06.21 10:28:36 Preemptively sending default basic credentials

2016.06.21 10:28:36 Authenticating with BASIC <any realm>@localhost:8080

2016.06.21 10:28:36 Credential charset not configured, using HTTP element charset

2016.06.21 10:28:36 Open connection to localhost:8080

2016.06.21 10:28:36 >> "GET /finesse/api/User/administrator HTTP/1.1[\r][\n]"

2016.06.21 10:28:36 Adding Host request header

2016.06.21 10:28:36 >> "Authorization: Basic removed [\r][\n]"

2016.06.21 10:28:36 >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"

2016.06.21 10:28:36 >> "Host: localhost:8080[\r][\n]"

2016.06.21 10:28:36 >> "[\r][\n]"

2016.06.21 10:28:36 << "HTTP/1.1 404 Not Found[\r][\n]"

2016.06.21 10:28:36 << "HTTP/1.1 404 Not Found[\r][\n]"

2016.06.21 10:28:36 << "Pragma: No-cache[\r][\n]"

2016.06.21 10:28:36 << "Cache-Control: no-cache[\r][\n]"

2016.06.21 10:28:36 << "Expires: Thu, 01 Jan 1970 00:00:00 UTC[\r][\n]"

2016.06.21 10:28:36 << "Content-Type: text/html;charset=utf-8[\r][\n]"

2016.06.21 10:28:36 << "Content-Length: 2211[\r][\n]"

2016.06.21 10:28:36 << "Date: Tue, 21 Jun 2016 10:28:36 GMT[\r][\n]"

2016.06.21 10:28:36 << "Server: [\r][\n]"

2016.06.21 10:28:36 << "[\r][\n]"

2016.06.21 10:28:36 Buffering response body

2016.06.21 10:28:36 Resorting to protocol version default close connection policy

2016.06.21 10:28:36 Should NOT close connection, using HTTP/1.1

2016.06.21 10:28:36 Releasing connection back to connection manager.

2016.06.21 10:28:36 REQUEST /http-bind/ on org.eclipse.jetty.server.nio.SelectChannelConnector$SelectChannelHttpConnection@dad1e8@<->

2016.06.21 10:28:36 scope null||/http-bind/ @ o.e.j.s.ServletContextHandler{/http-bind,null}

2016.06.21 10:28:36 context=/http-bind||/ @ o.e.j.s.ServletContextHandler{/http-bind,null}

2016.06.21 10:28:36 sessionManager=org.eclipse.jetty.server.session.HashSessionManager@1e6cecc#STARTED

2016.06.21 10:28:36 session=null

2016.06.21 10:28:36 servlet /http-bind||/ -> org.jivesoftware.openfire.http.HttpBindServlet-33000926

2016.06.21 10:28:36 chain=null

2016.06.21 10:28:36 consumeResponse: org.jivesoftware.openfire.http.HttpSession@130e87 status: 1 address: sllfin.slllab.icm/f8be244 id: f8be244 presence:

<presence type="unavailable"/> rid: 210641646423296

2016.06.21 10:28:36 HTTPBindLog: HTTP SENT(f8be244): <body xmlns=''><failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure></body>


Sorry for the late reply. Your post has been moved from the general developer forum to the Finesse forum. For faster response, please post your Finesse questions directly to the Finesse forum in the future.

Each user/agent should be logging in via XMPP, so when making this login request, you should be using the user/agent (which should also be successful if logged in via Finesse REST API request). The best thing to do to see if you are using the right user & settings is to use an XMPP client application to test it out. If using Windows, follow the instructions from the Lab Development Environment Validation with Cisco Finesse Web Services APIs section of the Developer guide. If using a Mac, I have successfully used Adium but you have to turn on XMPP using the hidden preference option. (For some reason, there are some issues with the Adium site right now).



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers