
I have a servlet that mimics the Domino login form. Authentication is done against LDAP through Directory Assistance.

The server first checks if the password is expired. If it hasn't expired then it goes on to authenticate the user. The authentication process then starts from the servlet, by sending HTML that mimics the default login page for Domino; the code is below. It is not very secure.

Is there a Domino method in Java that I can call to authenticate the user from my servlet?

I was thinking about doing a POST but not sure if that would be as secure.

Any ideas?

    private void logUserIntoNotes(HttpServletResponse response) throws IOException
    {
        String action = "/names.nsf?Login";

        System.out.println("Action=" + action);
        System.out.println("Username=" + username);
        //System.out.println("Password=" + password);
        System.out.println("RedirectTo=" + redirectTo);

        response.setContentType("text/html");

        ServletOutputStream out = response.getOutputStream();
        out.println("<html><head><title>Login Page</title></head><body>");
        out.println("Logging in. Please wait ...");
        out.println("<form method=\"post\" name=\"login\" action=\"" + action + "\">");
        out.println("<input type=\"hidden\" name=\"Username\" value=\"" + username + "\">");
        out.println("<input type=\"hidden\" name=\"Password\" value=\"" + password + "\">");
        out.println("<input type=\"hidden\" name=\"RedirectTo\" value=\"" + redirectTo + "\">");
        out.println("</form>");
        out.println("<SCRIPT LANGUAGE=\"JavaScript\"> document.forms[\"login\"].submit(); </SCRIPT>");
        out.println("</body></html>");
    }

Bruce Stemplewski
  • Can you explain why you are doing this? Why don't users just log into the Domino server in the normal way? – Richard Schwartz Apr 25 '13 at 21:03
  • @Richard. A reasonable question, but once servlets are involved, anything can happen. – angryITguy Apr 26 '13 at 07:34
  • @Bruce, you say you check that the password has expired. This implies you're using some kind of authentication already. LTPAToken ? – angryITguy Apr 26 '13 at 07:37
  • Sorry for not getting back sooner. @Richard, the reason I am not just logging in is I first need to check if PW is expired. That is what the servlet is doing. Domino continues to log you in until all grace logins are expired. – Bruce Stemplewski Apr 29 '13 at 14:17
  • @giulo. Users are stored on an LDAP server. Users are being authenticated in LDAP using Domino Directory Services. – Bruce Stemplewski Apr 29 '13 at 14:22
  • @Bruce I think the more "approved" way of doing things like this is with a DSAPI plugin written in C. – Richard Schwartz Apr 29 '13 at 15:33

1 Answer


I'll start with the servlet. I think what you're looking for is the createSession method in the servlet. It provides a number of ways to start a user authenticated session on the server. I use it all the time. Some more detail about Domino objects in Java that also covers authentication here. Even though it's a few years old, the Java APIs are still relevant.

Quick code snippet that works in my servlets.

        NotesThread.sinitThread();
        try {
            session = NotesFactory.createSession("", sUsr, sPwd);
        } catch(NotesException ne) {
            // invalid username/password or something else horrible happened.
            NotesThread.stermThread();
            if (ne.id != 4486) {
                System.out.println("Notes Error:" + ne.id);
                ne.printStackTrace();
            }
        }

But your problem is that you need to send the credentials securely down the line to the server. You can use SSL, and then add HTTP header fields in the request at the browser (SSL encrypts headers), and pull the values out in the servlet using HttpServletRequest.getHeader. You don't need to copy the default Domino header names if you don't want to, as you have a servlet processing the data. You can do anything you want and do not specifically need to duplicate the default login form in Domino.

angryITguy
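
One way to apply the answer's createSession call so that the password is checked on the server and never written back into a page, as the question's hidden-field form does. This is an added example, not code from either poster. The class name, the use of POST parameters named as in the question's form, and the 204 response on success are assumptions, and it needs the Domino Java classes (lotus.domino) on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;

// Hypothetical servlet (name is an assumption): checks the credentials on the
// server and never writes them back into the response.
public class CredentialCheckServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!request.isSecure()) { // refuse credentials sent without TLS
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Field names assumed from the question's form; empty values are rejected.
        String username = request.getParameter("Username");
        String password = request.getParameter("Password");
        if (username == null || password == null || username.isEmpty()
                || password.isEmpty() || !credentialsValid(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Verified. Nothing secret is echoed; the caller's next step goes here.
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Same createSession call as the answer, with cleanup on every path.
    static boolean credentialsValid(String username, String password) {
        NotesThread.sinitThread();
        Session session = null;
        try {
            session = NotesFactory.createSession("", username, password);
            return true;
        } catch (NotesException ne) {
            System.out.println("Notes login failed, id=" + ne.id); // no password in logs
            return false;
        } finally {
            if (session != null) {
                try { session.recycle(); } catch (NotesException ignored) { }
            }
            NotesThread.stermThread();
        }
    }
}
```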