In one of my previous posts, I mentioned a way to authenticate a user for a web application inside an iFrame on an XPiNC page.
Now I have found another solution. When a user clicks a link inside a Notes client application, we can authenticate them on the web server application (either XPages or a 'legacy' (!) web application)...
This is very important to me, because I had been searching for such a solution for over 5 years.
Normally, if you use a hybrid application scheme (your users access both Notes apps and web apps), they need to log in to the Domino web server each time. Some companies have problems with password synchronization between the Notes password and the Internet password, and this results in a serious headache!
I know what you are thinking: as of version 8.5.x we have SSO with Active Directory (SPNEGO). That is a solution, but it has its problems: you need to upgrade your server and configure SPNEGO, and only Internet Explorer and certain Firefox versions are able to use it. In addition, some companies have multiple AD domains, which makes a SPNEGO implementation very difficult.
What might such a tool be used for? One use is a home page for Lotus Notes users: a portal-like application listing the different applications a user may access. Some of the applications listed there may be web applications. You may also have additional XPages interfaces for your Notes applications (e.g. reporting), etc.
Before I explain the solution, I want to thank Tim Tripcony, because I am using his suggestion... I am also assuming you have read the post above, so I will skip some technical details about SSO and the LTPA token concept.
First we develop a general-purpose redirector. A LotusScript web agent would do; I used an XPage for simplicity. It takes two parameters: 'token' carries the encoded LTPA token string (the same value Domino normally puts in the LtpaToken cookie) and 'url' is the target URL. Let's see what it does:
Be careful with the domain parameter in the cookie setting: it must match the DNS domain in your Web SSO Configuration document. We could look it up from the server, but there is no need to pay the lookup cost, so type it in manually... Also keep the 'url' parameter restricted to paths on your own server; a redirector that forwards to any URL it is given is an open redirect.
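To make the redirector's job concrete, here is the cookie-setting and redirect step written out in Java. This is an added example, not the redirect.xsp code from the original post: a helper class that a redirect.xsp could call from its beforeRenderResponse event. The cookie name 'LtpaToken', the domain '.example.com' and the rule that 'url' must be a local path are assumptions; change the domain to the one in your Web SSO Configuration document.

```java
import java.io.IOException;

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the original post's redirect.xsp): the redirect step as a
 * Java helper an XPage can call, e.g. from beforeRenderResponse:
 *     LtpaRedirector.redirect(facesContext);
 * Cookie name, cookie domain and the "local paths only" rule are assumptions.
 */
public class LtpaRedirector {

    // Assumed: must match the DNS domain in your Web SSO Configuration document.
    private static final String COOKIE_DOMAIN = ".example.com";
    // Assumed: the cookie name Domino expects for multi-server SSO.
    private static final String COOKIE_NAME = "LtpaToken";

    public static void redirect(FacesContext facesContext) throws IOException {
        HttpServletRequest request =
            (HttpServletRequest) facesContext.getExternalContext().getRequest();
        HttpServletResponse response =
            (HttpServletResponse) facesContext.getExternalContext().getResponse();

        String token = request.getParameter("token");
        String url = request.getParameter("url");

        // Refuse anything but a token plus a path on this server: a redirector
        // that forwards to arbitrary URLs is an open redirect.
        if (!isSafeToken(token) || !isLocalPath(url)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad redirect request");
            facesContext.responseComplete();
            return;
        }

        // Build the Set-Cookie header by hand: the Servlet 2.x Cookie class
        // available to XPages has no setHttpOnly().
        StringBuilder cookie = new StringBuilder();
        cookie.append(COOKIE_NAME).append('=').append(token);
        cookie.append("; Domain=").append(COOKIE_DOMAIN);
        cookie.append("; Path=/");
        cookie.append("; HttpOnly");
        if (request.isSecure()) {
            cookie.append("; Secure");
        }
        response.addHeader("Set-Cookie", cookie.toString());

        // JSF's redirect() also marks the response as complete.
        facesContext.getExternalContext().redirect(url);
    }

    /** Non-empty and free of characters that would break the Set-Cookie header. */
    static boolean isSafeToken(String token) {
        if (token == null || token.length() == 0) {
            return false;
        }
        for (int i = 0; i < token.length(); i++) {
            char c = token.charAt(i);
            if (c < 0x21 || c > 0x7e || c == ';' || c == ',' || c == '"') {
                return false;
            }
        }
        return true;
    }

    /** True only for an absolute path on this host, e.g. "/app.nsf/view?OpenView". */
    static boolean isLocalPath(String url) {
        if (url == null || !url.startsWith("/") || url.startsWith("//")) {
            return false;
        }
        // A backslash is treated as "/" by some browsers; CR/LF would allow
        // header injection into the Location header.
        return url.indexOf('\\') < 0 && url.indexOf('\r') < 0 && url.indexOf('\n') < 0;
    }
}
```

The token check rejects spaces on purpose: an LTPA token is Base64, so a space in the value almost always means the caller forgot to URL-encode a '+' in the query string, and the cookie would be useless anyway.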
Now suppose we have a Notes application and we need to send the user to a web application on the same server without a login. I created a form and an agent to accomplish this. First, let me explain the agent.
We need to create a session token for this. We will use the session.getSessionToken() method. Unfortunately it is not provided in the LotusScript classes, so we will use a Java agent. The code is here:
If doc.ErrorLog(0) = "" Then
	Call ws.URLOpen(targetUrl)
Else
	MsgBox doc.ErrorLog(0)
End If
Here '/test/redirect.nsf/redirect.xsp' is the XPage URI we created before, and 'TestAuth' is the name of the Java agent.
This code can be placed inside a form for testing. You can modify it for use anywhere; for example, a common method can be created inside a script library.
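As an added illustration of the agent side (my example, not the agent from the original post), here is a Java agent that does the token step. It expects the calling LotusScript to pass an in-memory document with a 'TargetUrl' item via RunWithDocumentContext, writes the complete redirector URL back into 'RedirectUrl' and any error into 'ErrorLog'; the form code above would then read doc.RedirectUrl(0) into targetUrl before checking doc.ErrorLog(0). The item names and the redirector path are assumptions.

```java
import java.net.URLEncoder;

import lotus.domino.AgentBase;
import lotus.domino.AgentContext;
import lotus.domino.Document;
import lotus.domino.NotesException;
import lotus.domino.Session;

/**
 * Added example of the token-creating Java agent (not the author's code).
 * The design element would be named e.g. TestAuth; the class name JavaAgent
 * is the default for a Java agent. Item names TargetUrl, RedirectUrl and
 * ErrorLog and the REDIRECTOR path are assumptions.
 */
public class JavaAgent extends AgentBase {

    // Assumed: the redirector XPage on the same server.
    private static final String REDIRECTOR = "/test/redirect.nsf/redirect.xsp";

    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext agentContext = session.getAgentContext();

            // With NotesAgent.RunWithDocumentContext (8.5.2+) the in-memory
            // document passed from LotusScript arrives as the document context.
            Document doc = agentContext.getDocumentContext();
            try {
                String targetUrl = doc.getItemValueString("TargetUrl");
                if (targetUrl == null || targetUrl.length() == 0) {
                    throw new IllegalArgumentException("TargetUrl item is empty");
                }

                // LTPA token for the current Notes user. This is the call that
                // fails with "Single Sign-On configuration is invalid" when the
                // Web SSO Configuration document cannot be found.
                String token = session.getSessionToken();

                // Both values must be URL-encoded: the Base64 token contains
                // '+', '/' and '=' which would otherwise be mangled in the query.
                String redirectUrl = REDIRECTOR
                        + "?token=" + URLEncoder.encode(token, "UTF-8")
                        + "&url=" + URLEncoder.encode(targetUrl, "UTF-8");

                doc.replaceItemValue("RedirectUrl", redirectUrl);
                doc.replaceItemValue("ErrorLog", "");
            } catch (Exception e) {
                // Hand the error back to the LotusScript caller instead of failing silently.
                String message = e.getMessage() == null ? e.toString() : e.getMessage();
                doc.replaceItemValue("RedirectUrl", "");
                doc.replaceItemValue("ErrorLog", message);
            }
        } catch (NotesException e) {
            e.printStackTrace();
        }
    }
}
```

Remember that the token is a bearer credential, valid until the expiration set in the Web SSO Configuration document, and that it travels in the query string: it will appear in the browser history and in the Domino HTTP access log. Keep the token lifetime short and treat those logs accordingly.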
Now, before finishing: this code will not run properly as is :) Some warnings are in order...
First of all, needless to say, you have to be using multi-server SSO and your configuration must be working properly. This works in 8.5.2. If you are on 8.5.1, the 'RunWithDocumentContext' method does not exist; instead you should use a real (saved) document rather than an in-memory one and pass it to the agent by NoteID. Remember to delete the temporary document when you are done.
Another warning is about a bug. I have not been able to file a bug report yet, but as I mentioned in the post above, there are important bugs in the 'getSessionToken' method.
1. If you are using Internet Site documents, getSessionToken does not look them up. My workaround: duplicate your 'Web SSO Configuration' document and clear the 'Organization' field on the copy. It seems crazy, but it works! It is important to duplicate it: creating a second one from scratch will not work, because it must contain the same keys...
2. This one is funnier. Your Web SSO Configuration document must be named 'LtpaToken'... Yes, you heard that right. Any other name will fail, because the method looks it up by that name :)
If you ignore these two bugs, you will end up with the error message "Single Sign-On configuration is invalid" in the Java agent.
One word on performance: this Java agent is an expensive operation for the Notes client. If you intend to call it several times in a short period, consider caching the token (only for as long as it is valid, of course; the expiration is set in the Web SSO Configuration document). We don't want to make our users angry :)
Last word: during my tests I occasionally saw a 'Your session has expired' message. It was not frequent, so I could not figure out why. It may be related to the token; the token must be properly URL-encoded when placed in the URL, since the Base64 characters '+', '/' and '=' are otherwise mangled ('+' in particular is decoded as a space).
I don't know about you, but this is a very important discovery for me. I am so excited to share it. I hope it works...