JDBC Driver for Microsoft SharePoint

Build 22.0.8462

Establishing a Connection

Creating a JDBC Data Source

You can create a JDBC data source to connect from your Java application. Creating a JDBC data source based on the CData JDBC Driver for Microsoft SharePoint consists of three basic steps:

  • Add the driver JAR file to the classpath. The JAR file is located in the lib subfolder of the installation directory. Note that the .lic file must be located in the same folder as the JAR file.
  • Provide the driver class. For example: 
    cdata.jdbc.sharepoint.SharePointDriver
  • Provide the JDBC URL. For example: 
    jdbc:sharepoint:User=MyUserAccount;Password=MyPassword;Auth Scheme=NTLM;URL=http://sharepointserver/mysite;

or

jdbc:cdata:sharepoint:User=MyUserAccount;Password=MyPassword;Auth Scheme=NTLM;URL=http://sharepointserver/mysite;

    The second format above can be used whenever there is a conflict in your application between drivers using the same URL format to ensure you are using the CData driver. The URL must start with either "jdbc:sharepoint:" or "jdbc:cdata:sharepoint:" and can include any of the connection properties in name-value pairs separated with semicolons.

Connecting to Microsoft SharePoint

Microsoft SharePoint works with all Lists and Documents in the global Microsoft Sharepoint site, as well as with individual sites. Set the URL connection property to your Site Collection URL to work with all Lists and Documents, or set it to a specific Site URL to work with Lists and Documents in that site only.

URLExample URL
Site Collectionhttps://teams.contoso.com
Site https://teams.contoso.com/teamA or https://teamA.contoso.com

In addition to providing the URL, use one of the following sets of connection properties to authenticate to SharePoint. The default values make it easy to connect in most environments, as shown below. Sharepoint supports online (cloud-based) and on-premises architectures. Each architecture supports a different set of authentication schemes.

Online and on-prem authentication are discussed in turn below.

Authenticating to SharePoint Online

Set SharePointEdition to "SharePoint Online" and set the User and Password to the credentials you use to log onto SharePoint, for example, the credentials to your Microsoft Online Services account.

The following authentication schemes are supported:

  • AzureAD
  • Single sign-on (SSO) schemes
  • MSI
  • OAuthJWT
The following SSO identity providers are supported:

  • ADFS
  • OneLogin
  • Okta
  • PingFederate

If the user account domain is different from the domain configured with the identity provider, set SSODomain to the latter. This property may be required for any SSO.

AzureAD

Azure Active Directory (AzureAD) is a connection type that leverages OAuth to authenticate. OAuth requires the authenticating user to interact with Microsoft SharePoint using an internet browser. The driver facilitates this in several ways as described below. Set your AuthScheme to AzureAD. The AzureAD flows described below assume that you have done so.

Your organization may require Admin Consent when authorizing a new AzureAD application for your Azure Tenant. In all AzureAD flows, any initial installation and use of an AzureAD application requires that an administrator approve the application for their Azure Tenant.

Desktop Applications

CData provides an embedded OAuth application that simplifies OAuth desktop authentication. Alternatively, you can create a custom AzureAD application. See Creating a Custom AzureAD App for information about creating custom applications and reasons for doing so.

For authentication, the only difference between the two methods is that you must set two additional connection properties when using custom AzureAD applications.

After setting the following connection properties, you are ready to connect:

  • InitiateOAuth: Set this to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
  • OAuthClientId: (custom applications only) Set this to the client Id in your application settings.
  • OAuthClientSecret: (custom applications only) Set this to the client secret in your application settings.
  • CallbackURL: Set this to the Redirect URL in your application settings.

When you connect the driver opens the OAuth endpoint in your default browser. Log in and grant permissions to the application. The driver then completes the OAuth process:

  1. Extracts the access token from the callback URL and authenticates requests.
  2. Obtains a new access token when the old one expires.
  3. Saves OAuth values in OAuthSettingsLocation. These stored values persist across connections.

Web Applications

When connecting via a Web application, you need to create and register a custom AzureAD application with Microsoft SharePoint. See Creating a Custom AzureAD App for more information about custom applications. You can then use the driver to acquire and manage the OAuth token values.

Get an OAuth Access Token

Set the following connection properties to obtain the OAuthAccessToken:

  • OAuthClientId: Set this to the client Id in your application settings.
  • OAuthClientSecret: Set this to the client secret in your application settings

Then call stored procedures to complete the OAuth exchange:

  1. Call the GetOAuthAuthorizationURL stored procedure. Set the CallbackURL input to the callback URL you specified in your application settings. If necessary, set the Scope parameter to request custom permissions.

    The stored procedure returns the URL to the OAuth endpoint.

  2. Open the URL, log in, and authorize the application. You are redirected back to the callback URL.
  3. Call the GetOAuthAccessToken stored procedure. Set the AuthMode input to WEB. Set the Verifier input to the "code" parameter in the query string of the callback URL. If necessary, set the Scope parameter to request custom permissions.

Once you have obtained the access and refresh tokens, you can connect to data and refresh the OAuth access token either automatically or manually.

Automatic Refresh of the OAuth Access Token

To have the driver automatically refresh the OAuth access token, set the following on the first data connection:

  • InitiateOAuth: Set this to REFRESH.
  • OAuthClientId: Set this to the client Id in your application settings.
  • OAuthClientSecret: Set this to the client secret in your application settings.
  • OAuthAccessToken: Set this to the access token returned by GetOAuthAccessToken.
  • OAuthRefreshToken: Set this to the refresh token returned by GetOAuthAccessToken.
  • OAuthSettingsLocation: Set this to the path where the driver saves the OAuth token values, which persist across connections.
On subsequent data connections, the values for OAuthAccessToken and OAuthRefreshToken are taken from OAuthSettingsLocation.

Manual Refresh of the OAuth Access Token

The only value needed to manually refresh the OAuth access token when connecting to data is the OAuth refresh token.

Use the RefreshOAuthAccessToken stored procedure to manually refresh the OAuthAccessToken after the ExpiresIn parameter value returned by GetOAuthAccessToken has elapsed, then set the following connection properties:

  • OAuthClientId: Set this to the client Id in your application settings.
  • OAuthClientSecret: Set this to the client secret in your application settings.

Then call RefreshOAuthAccessToken with OAuthRefreshToken set to the OAuth refresh token returned by GetOAuthAccessToken. After the new tokens have been retrieved, open a new connection by setting the OAuthAccessToken property to the value returned by RefreshOAuthAccessToken.

Finally, store the OAuth refresh token so that you can use it to manually refresh the OAuth access token after it has expired.

Headless Machines

To configure the driver to use OAuth with a user account on a headless machine, you need to authenticate on another device that has an internet browser.

  1. Choose one of these two options:

    • Option 1: Obtain the OAuthVerifier value as described in "Obtain and Exchange a Verifier Code" below.
    • Option 2: Install the driver on another machine and transfer the OAuth authentication values after you authenticate through the usual browser-based flow, as described in "Transfer OAuth Settings" below.

  2. Then configure the driver to automatically refresh the access token from the headless machine.

Option 1: Obtain and Exchange a Verifier Code

To obtain a verifier code, you must authenticate at the OAuth authorization URL.

Follow the steps below to authenticate from the machine with an internet browser and obtain the OAuthVerifier connection property.

  1. Choose one of these options:

    • If you are using the Embedded OAuth Application click Microsoft SharePoint OAuth endpoint to open the endpoint in your browser.
    • If you are using a custom OAuth application, create the Authorization URL by setting the following properties:
      • InitiateOAuth: Set to OFF.
      • OAuthClientId: Set to the client Id assigned when you registered your application.
      • OAuthClientSecret: Set to the client secret assigned when you registered your application.
      Then call the GetOAuthAuthorizationURL stored procedure with the appropriate CallbackURL. Open the URL returned by the stored procedure in a browser.

  2. Log in and grant permissions to the driver. You are then redirected to the callback URL, which contains the verifier code.
  3. Save the value of the verifier code. Later you will set this in the OAuthVerifier connection property.
Next, you need to exchange the OAuth verifier code for OAuth refresh and access tokens. Set the following properties:

On the headless machine, set the following connection properties to obtain the OAuth authentication values:

  • InitiateOAuth: Set this to REFRESH.
  • OAuthVerifier: Set this to the verifier code.
  • OAuthClientId: (custom applications only) Set this to the client Id in your custom OAuth application settings.
  • OAuthClientSecret: (custom applications only) Set this to the client secret in the custom OAuth application settings.
  • OAuthSettingsLocation: Set this to the path to the file where the driver saves the OAuth token values that persist across connections.

After the OAuth settings file is generated, you need to re-set the following properties to connect:

  • InitiateOAuth: Set this to REFRESH.
  • OAuthClientId: (custom applications only) Set this to the client Id assigned when you registered your application.
  • OAuthClientSecret: (custom applications only) Set this to the client secret assigned when you registered your application.
  • OAuthSettingsLocation: Set this to the file containing the encrypted OAuth authentication values. Make sure this file grants read and write permissions to the driver to enable the automatic refreshing of the access token.

Option 2: Transfer OAuth Settings

Prior to connecting on a headless machine, you need to create and install a connection with the driver on a device that supports an internet browser. Set the connection properties as described in "Desktop Applications" above.

After completing the instructions in "Desktop Applications", the resulting authentication values are encrypted and written to the path specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.

Once you have successfully tested the connection, copy the OAuth settings file to your headless machine.

On the headless machine, set the following connection properties to connect to data:

  • InitiateOAuth: Set this to REFRESH.
  • OAuthClientId: (custom applications only) Set this to the client Id assigned when you registered your application.
  • OAuthClientSecret: (custom applications only) Set this to the client secret assigned when you registered your application.
  • OAuthSettingsLocation: Set this to the path to your OAuth settings file. Make sure this file gives read and write permissions to the driver to enable the automatic refreshing of the access token.

Azure Password

To connect using your Azure credentials directly, specify the following connection properties:

  • AuthScheme: Set this to AzurePassword.
  • User: Set this to your user account you use to connect to Azure.
  • Password: Set this to the password you use to connect to Azure.
  • AzureTenant: Set this to the Directory (tenant) ID, found on the Overview page of the OAuth app used to authenticate to Microsoft SharePoint on Azure.

OAuth: Admin Consent

Admin consent refers to when the Admin for an Azure Active Directory tenant grants permissions to an application that requires an administrator in your organization to consent to the use case. The embedded application within the CData JDBC Driver for Microsoft SharePoint, contains no permissions that require administrator consent. Therefore, this information applies only to custom applications.

Administrator Consent Permissions

When creating a new OAuth application in the Azure Portal, you must specify which permissions the application requires. Some permissions may be marked with "Admin Consent Required". For example, all Groups permissions require Admin Consent. If your application requires admin consent, there are two ways you can do this.

The easiest way to grant admin consent is to have an administrator log into the Azure Portal and navigate to the application you have created in App Registrations. Under API Permissions, click Grant Consent, which grants permissions on the tenant under which it was created.

If your organization has multiple tenants or you need to grant application permissions for other tenants outside your organization, use the GetAdminConsentURL stored procedure to generate the Admin Authorization URL. After the OAuth application is successfully authorized, it returns a Boolean indicating that permissions have been granted.

After the administrator has approved the OAuth Application, you can continue to authenticate.

Credentials Using a Custom App

Follow the steps below to create a custom OAuth app and obtain the connection properties for the OAuth authentication using Sharepoint App.

Register Add-In

  1. Navigate to the Register Add-In page by entering the url as : https://{sitename}.SharePoint.com/_layouts/15/appregnew.aspx .
  2. In the "App Information" section, click Generate, which is located next to the Client Id and Client Secret textboxes to generate the respective values.
  3. Set Title, App Domain and Redirect URI by filling respective text boxes.
  4. Click Create, which registers the add-in and returns the success message with created information.
Grant Permissions to Add-In
  1. Navigate to the SharePoint site.
  2. Enter the URL: https://{sitename}.sharepoint.com/_layouts/15/appinv.aspx in the browser. This redirects to the Grant permission page.
  3. Enter the Client ID (which you generated earlier), in AppId and click Lookup button. That will populate the value to other textboxes in Title, App Domain and Redirect Url.
  4. Now enter the below permission request in XML format. 
        <AppPermissionRequests AllowAppOnlyPolicy="true">
     <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
    </AppPermissionRequests>
  5. When you click on Create you'll be presented with a permission consent dialog. Press Trust It to grant the permissions.

ADFS

Set the AuthScheme to ADFS. You need to set the following connection properties:

  • User: Set this to the ADFS user.
  • Password: Set this to ADFS password for the user.
  • SSODomain (optional): The domain configured with the ADFS identity provider.
Below is an example connection string: 
AuthScheme=ADFS;User=ADFSUserName;Password=ADFSPassword;URL='http://sharepointserver/mysite';

Okta

Set the AuthScheme to Okta. The following connection properties are used to connect to Okta:

  • User: Set this to the Okta user.
  • Password: Set this to Okta password for the user.
  • SSODomain (optional): The domain configured with the OKTA identity provider.

The following is an example connection string: 

AuthScheme=Okta;User=oktaUserName;Password=oktaPassword;URL='http://sharepointserver/mysite';

OneLogin

Set the AuthScheme to OneLogin. The following connection properties are used to connect to OneLogin:

  • User: Set this to the OneLogin user.
  • Password: Set this to OneLogin password for the user.
  • SSODomain (optional): The domain configured with the OneLogin identity provider.

The following is an example connection string: 

AuthScheme=OneLogin;User=OneLoginUserName;Password=OneLoginPassword;URL='http://sharepointserver/mysite';

PingFederate

Set the AuthScheme to PingFederate. The following connection properties are used to connect to PingFederate:

  • User: Set this to the PingFederate user.
  • Password: Set this to PingFederate password for the user.
  • SSODomain (optional): The domain configured with the PingFederate identity provider.

The following is an example connection string: 

AuthScheme=PingFederate;User=PingFederateUserName;Password=PingFederatePassword;URL='http://sharepointserver/mysite';

SharePointOAuth

Set the AuthScheme to SharePointOAuth. The following connection properties are used to connect to SharePointOAuth:

  • InitiateOAuth: Set this to GETANDREFRESH.
  • User: Set this to the SharePointOAuth user.
  • Password: Set this to SharePointOAuth password for the user.

The following is an example connection string: 

Schema=REST;InitiateOAuth=GETANDREFRESH;AuthScheme=SharepointOAuth;URL=https://rssbuscrm.sharepoint.com;User=SharePointUserName;Password=SharePointPassword;SharePointEdition='SharepointOnline';

OAuthJWT Certificate

Set the AuthScheme to OAUTHJWT. The following connection properties are used to connect to Microsoft SharePoint:

  • OAuthGrantType: Set this to CLIENT.
  • AzureTenant: Set this to the tenant you wish to connect to.
  • OAuthJWTCert: Set this to the JWT Certificate store.
  • OAuthJWTIssuer: Set this to the OAuth client Id.

MSI

If you are running Microsoft SharePoint on an Azure VM, you can leverage Managed Service Identity (MSI) credentials to connect:

  • AuthScheme: Set this to AzureMSI.

The MSI credentials are automatically obtained for authentication.

Authenticating to SharePoint On-Premises

Set SharePointEdition to "SharePoint On-Premises" to use the following authentication types.

Windows (NTLM)

This is the most common authentication type. As such, the driver is preconfigured to use NTLM as the default; simply set the Windows User and Password to connect.

Kerberos

Set the AuthScheme to NEGOTIATE. The following connection properties are used to connect with Kerberos:

  • KerberosKDC: Set this to the host name or IP Address of your Kerberos KDC machine.
  • KerberosRealm: Set this to the realm of the Microsoft SharePoint Kerberos principal. This is the value after the '@' symbol (for instance, EXAMPLE.COM) of the principal value (for instance, MyService/MyHost@EXAMPLE.COM).
  • KerberosSPN: Set this to the service and host of the Microsoft SharePoint Kerberos Principal. This is the value prior to the '@' symbol (for instance, MyService/MyHost) of the principal value (for instance, MyService/MyHost@EXAMPLE.COM).

Please see Using Kerberos for details on how to authenticate with Kerberos.

ADFS

Set the AuthScheme to ADFS. Then set the following connection properties:

  • User: Set this to the ADFS user.
  • Password: Set this to ADFS password for the user.
  • SSOLoginURL: Set this to the WS-trust endpoint of the ADFS server.
You also need the to set SSOProperties to authenticate to ADFS. Specify the value of the RelyingParty parameter; it is located on the ADFS server for Sharepoint. Below is an example connection string: 
AuthScheme=ADFS;User=ADFSUserName;Password=ADFSPassword;SSOLoginURL='https://<authority>/adfs/services/trust/2005/usernamemixed';SSO Properties ='RelyingParty=urn:sharepoint:sp2016;';

Anonymous Access

Set the AuthScheme to NONE along with the URL.

MSI

If you are running Microsoft SharePoint on an Azure VM, you can leverage Managed Service Identity (MSI) credentials to connect:

  • AuthScheme: Set this to AzureMSI.

The MSI credentials are automatically obtained for authentication.

Copyright (c) 2023 CData Software, Inc. - All rights reserved.
Build 22.0.8462