I want my Domino Servlet to get an authenticated user session

Question

It seems a like a pretty fundamental question, in a running Servlet hosted on Domino I want to access Domino resources that I have wisely protected using the the very fine security of IBM Notes and Domino.

I want the Servlet to be able to read and write data to Domino whilst keeping that data from the client that called the Servlet (or xAgent) and preventing the client from writing directly.

I'd be happy to be able to get a session that represented the signer of the application. I can get a session for a registered user by calling the Servlet using ?open&login and signing in. That's not practical.

I've looked here: How can you use SessionAsSigner in a Java Bean called from an XPage? where Mark Leusink (https://stackoverflow.com/users/1177870/mark-leusink) implies the use of ExtLib's getCurrentSessionAsSigner() could be used. I've tried it, having signed the whole application with a single user id and it doesn't return a session. The answer seems to lie in the Servlet's inability to get a FacesContext object.

This feels like the answer should be obvious but it isn't to me. Any ideas?

Panu Haaramo · Answer 1 · 2013-02-08T11:56:04.573

2

FacesContext is JSF stuff and can be used from XAgent (=XPage).

In a servlet you can do this:

Session session = NotesFactory.createSession(null, "user", "password");

Server ID usually has no password and doing this will use the server ID:

Session session = NotesFactory.createSession();

edited Feb 08 '13 at 11:56

answered Feb 08 '13 at 11:50

Panu Haaramo

2,932
19
41

Thank you for the suggestion. I'd considered NotesFactory which would require me to set up DIIOP which feels a bit old fashioned (I haven't got an evidence for that it's just been around a while and I'm not sure how widely it's used). I might have to try it and see if it causes any issues. Thanks again :-) – Jason Hook Feb 08 '13 at 13:22
Would you need DIIOP if its the same machine - I thought DIIOP was only for remote access – markbarton Feb 08 '13 at 13:47
@JasonHook You don't need CORBA/IIOP if you are running your code on Domino server. – Panu Haaramo Feb 08 '13 at 14:41

score 2 · Answer 2 · answered Feb 08 '13 at 16:10

2

Check the source of the WebDav project on OpenNTF. It has all the code you need

answered Feb 08 '13 at 16:10

stwissel

20,110
6
54
101

score 1 · Answer 3 · answered Feb 11 '13 at 16:03

There have been lots of good answers to the original question. Thanks very much.

The solution I propose to use is to port the code I have to OSGi plugins. It appears that java code/Servlets within the NSF context are subject to security controls that are relaxed when the same code runs within the OSGi context. The code:

try {
NotesThread.sinitThread();
Session s = NotesFactory.createSession("","<my username>","<my password>");
.....
session = null;
} catch (Exception e) {
} finally {
NotesThread.stermThread();
}

Runs fine in the OSGI context, but within in an NSF produc

score 0 · Answer 4 · answered Feb 08 '13 at 12:04

0

com.ibm.domino.osgi.core.context.ContextInfo.getUserSession()

answered Feb 08 '13 at 12:04

Niklas Heidloff

952
6
13

1

I imported the jars into my project, Servlet compiles fine & used the getUserSession() func to print the effectiveUserName & this provokes a java.lang.NoClassDefFoundError: com.ibm.designer.domino.napi.NotesAPIException. – Jason Hook Feb 08 '13 at 14:00
1

Error Msg is replaced by another error if I put the enclosing package in the /jvm/lib/ext dir, seems to indicate that the err caused by not resolving the Exception class after it's thrown the error :-) Should be deploying the Servlet as an OSGi plugin? The function takes no parameters I'm guessing it either assumes the user has authenticated already/returns anonymous/signer of the Servlet/Application? – Jason Hook Feb 08 '13 at 14:00
see http://www.openntf.org/internal/home.nsf/project.xsp?action=openDocument&name=Servlet%20Sample http://www.openntf.org/internal/home.nsf/project.xsp?action=openDocument&name=MailerServlet http://www.youtube.com/watch?feature=player_embedded&v=J84dAECKots – Niklas Heidloff Feb 08 '13 at 15:07

score 0 · Answer 5 · answered Feb 08 '13 at 14:07

Jason - I assume you basically want the same functionality you would get running a Web Query Save agent if you didn't select run as Web User selected, in other words as the signer of the code.

You could try setting up a internet site rule to allow basic authentication for the specific application path you wanted to use - might be worth using a subdomain for this.

Then within the Servlet call this URL, whilst setting the Basic authorization parameters (username & password).

Something like this.

URL url = new URL(URL_TO_CALL);
String authStr = "USERNAME:PASSWORD";
String authEncoded = Base64.encodeBytes(authStr.getBytes());
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setDoOutput(true);
connection.setRequestProperty("Authorization", "Basic " + authEncoded);
InputStream is = connection.getInputStream();

I want my Domino Servlet to get an authenticated user session

5 Answers5

Linked