So you want your Servlet to get an authenticated session from Domino

It seems like a pretty fundamental question: in a running Servlet I want to access Domino resources that I have wisely protected using the very fine security of IBM Notes and Domino.

I want the Servlet to be able to read and write data to Domino whilst keeping that data from the client that called the Servlet (or xAgent) and preventing the client from writing directly.

I’d be happy to be able to get a session that represented the signer of the application.  I can get a session for a registered user by calling the Servlet using ?open&login and signing in.  That’s not practical.

I’ve looked here: http://stackoverflow.com/questions/11401862/how-can-you-use-sessionassigner-in-a-java-bean-called-from-an-xpage where Mark Leusink (http://stackoverflow.com/users/1177870/mark-leusink) implies that ExtLib’s getCurrentSessionAsSigner() could be used.  I’ve tried it, having signed the whole application with a single user ID, and it doesn’t return a session.  The answer seems to lie in the Servlet’s inability to get a FacesContext object.

This feels like the answer should be obvious but it isn’t to me.

I’ve posted the same question over at StackOverflow:

http://stackoverflow.com/questions/14771700/i-want-my-domino-servlet-to-get-an-authenticated-user-session

Update

I need to thank Nathan Freeman once again.  It appears that a Servlet running inside an .NSF is subject to security constraints that do not allow new sessions to be created as user sessions.  This is fine if you are happy allowing anonymous access to databases or have a use case where the Servlet can be opened using a ?open&login URL.  In many cases neither will be acceptable.  And that means you have to create the Servlet as an OSGi plugin.  More about that in later posts.

2 comments on “So you want your Servlet to get an authenticated session from Domino”
  1. Jeff B says:

    Crap, I just saw this post. Looks like a dead end.

    — Jeff

    • 8b30b0 says:

      Thanks for your comment and apologies for the delay in responding. I’ve used the in-nsf method of creating servlets quite a bit now. I blogged about them as I learnt about them. I’ve now replaced all of them with OSGi style servlets. The reasons are twofold, maybe threefold: Reliability, Authentication, and Ease of Development/Deployment.

      I think the benefit to at least starting with the in-nsf type is that it’s relatively easy to get started, and probably fewer moving parts to worry about. On top of that, converting them to OSGi servlets is straightforward so you don’t have to throw your code away and start again.

      The good news is converting the servlets I created was easy (though in fairness I have been using WSAD and Eclipse for quite a while).

      When I get a minute I’ll add a huge disclaimer to the in-nsf Servlet blog posts.
