I am digging into XPage secrets. There is an XPage containing an IFRAME targeting a restricted resource from the web server. It may be a view/page/form from another database or a file resource under the domino\html folder. There is no problem viewing this page from a browser, because you authenticate into the web server and can see the resource.

But what about the Notes client? From XPiNC, the IFRAME element calls for a basic web page and, of course, it needs authentication!

Another application area of this problem is with client-side AJAX routines. When you are authenticated with an XPage on the Notes client, a client-side HTTPRequest will not be authenticated for another resource on the same server.

Any suggestions?

UPDATE:

After Tim's suggestions, I have found a solution and implemented it. I also found a bug and solved it :)

See the next post...

http://lotusnotus.com/lotusnotus_en.nsf/dx/http-authentication-from-xpinc-got-help-found-bug-worked-around.htm
Serdar Basegmez | August 25 2010 10:31:09 AM | Development, XPages

Comments (3)

Serdar Basegmez    http://www.developi.com    08/27/2010 10:39:21 AM

@Jeremy, it is not working. XULRunner does not authenticate into web server :(

@Tim, thank you for your help. I've updated the post.

Tim Tripcony    http://xmage.gbs.com    08/25/2010 11:54:33 AM

If the iframe src isn't already computed, change it to be: if it's not XPiNC, just return the target location. Otherwise...

...call session.getSessionToken(targetServer), where targetServer is the Domino name of the server hosting the restricted resource. This will return a token that matches what Domino would have set the user's cookie to if they had manually logged in to that server from the web as the same user they're logged in as in Notes.

Next, create some intermediate page that has only one job: accepting the token and the real destination as query string parameters... this page reads both parameters, sets the user's cookie for them, then redirects them to the target page.

Now you can set the iframe's src to be the redirection page, passing it the correct parameters. When the iframe renders, the user will be logged in to the web server automatically, then redirected to the restricted resource.

Finally, the token would be a good candidate for storage in session scope; if they're navigating back and forth, there's no need to request a token every time the iframe is rendered.

Hope that helps...
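
An added example (not part of the comment above or of the original post) of the logic behind the intermediate redirect page described there, written as plain JavaScript so it runs outside Domino. The cookie name `LtpaToken`, the allow-listed path prefixes, the base64 token format and all function names are assumptions; the destination and token checks are additions that stop the page from being used as an open redirect or for header injection.

```javascript
// Added example; names, cookie name and prefixes are assumptions, not from the post.
const COOKIE_NAME = "LtpaToken"; // assumed: the usual Domino multi-server SSO cookie
const ALLOWED_PREFIXES = ["/restricted/", "/apps/reports.nsf/"]; // constructed sample

// Computed iframe src: outside XPiNC the browser session is already authenticated.
function iframeSrc(isXPiNC, target, token, redirectPage) {
  if (!isXPiNC) return target;
  return redirectPage + "?token=" + encodeURIComponent(token) +
    "&dest=" + encodeURIComponent(target);
}

// Accept only server-relative paths under an allow-listed prefix.
function safeDestination(dest) {
  if (typeof dest !== "string" || !dest.startsWith("/")) return null;
  if (dest.startsWith("//") || /[\\\r\n]/.test(dest)) return null;
  const url = new URL(dest, "http://placeholder.invalid"); // resolves ../ segments
  if (url.host !== "placeholder.invalid") return null;
  const ok = ALLOWED_PREFIXES.some((p) => url.pathname.startsWith(p));
  return ok ? url.pathname + url.search : null;
}

// What the intermediate page returns for a parsed query string.
function redirectResponse(query) {
  const dest = safeDestination(query.dest);
  // Assumes a base64 token: blocks "; attr" and CR/LF injection into Set-Cookie.
  const tokenOk = typeof query.token === "string" &&
    /^[A-Za-z0-9+\/=]+$/.test(query.token);
  if (!dest || !tokenOk) return { status: 400, headers: {} };
  return {
    status: 302,
    headers: {
      // Add "; Secure" when the server is reached over HTTPS.
      "Set-Cookie": COOKIE_NAME + "=" + query.token + "; Path=/; HttpOnly",
      "Location": dest,
      "Cache-Control": "no-store",
    },
  };
}
```

Because the token travels in the query string, it can end up in web server logs, so those logs should be treated as sensitive.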

Jeremy Hodge    http://www.hodgebloge.com    08/25/2010 11:28:39 AM

Do you have session authentication set up? If so, you should not have problems requesting resources from other notes apps as long as you have permission to use them...