It seems a like a pretty fundamental question, in a running Servlet I want to access Domino resources that I have wisely protected using the the very fine security of IBM Notes and Domino.
I want the Servlet to be able to read and write data to Domino whilst keeping that data from the client that called the Servlet (or xAgent) and preventing the client from writing directly.
I’d be happy to be able to get a session that represented the signer of the application. I can get a session for a registered user by calling the Servlet using ?open&login and signing in. That’s not practical.
I’ve looked here: http://stackoverflow.com/questions/11401862/how-can-you-use-sessionassigner-in-a-java-bean-called-from-an-xpage where Mark Leusink (http://stackoverflow.com/users/1177870/mark-leusink) implies the use of ExtLib’s getCurrentSessionAsSigner() could be used. I’ve tried it, having signed the whole application with a single user id and it doesn’t return a session. The answer seems to lie in the Servlet’s inability to get a FacesContext object.
This feels like the answer should be obvious but it isn’t to me.
I’ve posted the same question over at StackOverflow…..
I need to thank Nathan Freeman once again. It appears that a Servlet running inside an .NSF is subject to security constraints that do not allow new sessions to be created as user sessions. This is fine if you are happy allowing anonymous access to databases or have a use care where the Servlet can be opened using a ?open&login url. In many cases neither will be acceptable. And that means you have to create the Servlet as an OSGi plugin. More about that in later posts.