Error when combining authenticated and anonymous access to one database - xpages

I have existing Xpages app for authenticated users only. Now I need to create a two new Xpages and allow annonymous access to them. To do this I added 'Read Public Access documents' do Anonymous user. Now I can see these 2 Xpages anonymously but sudenly existing non-anonymous part of application doesnt work anymore and app raises Dojo errors in browser as below. Scenario is like this:
Tested on Domino 9.01 and 9.0.1FP3 + Chrome with the same results
I open non-anonymous app in browser and authenticate, it works
correctly for now
from different browser I open the anonymous Xpage that works fine
also
now I refresh (F5 in browser) the non-anonymus app from point a) and it starts raise errors as below. I need to restart http to fix it.
I tested this scenario several times on my local and customers server with the same result. I found this http://www-01.ibm.com/support/docview.wss?uid=swg1LO76577 ... but is there any workaround for this scenario? Or how to combine anonymous and authenticated access in one app properly?
XHR finished loading: GET "http://localhost:8090/xsp/.ibmxspres/dojoroot-1.8.3/dojo/require.js"
XHR finished loading: GET "http://localhost:8090/xsp/.ibmxspres/dojoroot-1.8.3/ibm/xsp/widget/layout/layers/nls/xspClientDojo_cs.js".
dojo.js:15 Uncaught TypeError: Cannot read property 'dynamic' of undefined_bc # dojo.js:15_31 # dojo.js:15_f4 # dojo.js:15def # dojo.js:15(anonymous function) # xspClientDojo.js:5

That technote sounds wrong. I've had anonymous and authenticated access in an NSF running fine in production for many years, first deployed on 8.5.1.
My XPage is public access, but the custom control for the layout isn't.
I can't see how point 2 (another user opening on another browser) can impact it.
Based on the word "dynamic" in the error, do you have a dynamic content control in the relevant page? If you're on the same page when you authenticate, I would look at the code running after authentication and whether that changes JS variables or the component tree which means something is then not available to code running on load of the page.

Related

How to avoid running entire client-side process in Blazor WebAssembly before Azure AD authentication?

I'm building a Blazor WASM app with Azure AD, and I'm struggling with what appears to be an inefficiency in the way it's designed. The entire application, including the home page, needs to be secured by [Authorize]. It works (with one exception noted below), but the initial load is painfully slow. Basically, on reaching the home page, Blazor loads the entire application -- running Program.Main in it's entirety, loading JS files from CDN or webpack bundles, loading all the .NET dlls, and THEN decides that it needs to redirect to Azure to authenticate. Once it returns, it does all that again. Loading the various files is not too much of a problem, since it gets them from the browser cache the second time. The problem is that is also needs to run Program.Main again.
In my rather large client app, it takes a few seconds to configure all the services (I'm using a lot of gRPC). The biggest culprit though is a call to the server API to get certain app settings that I don't want to expose to the client (basically doing this). Moreover, that API call doesn't even succeed, since the API endpoint is secured, and the user hasn't authenticated yet, but I don't know how to get the user info from within Program.Main. The log messages show that the user identity is not even created until sometime after Program.Main completes. (One of the settings is the roles-to-permissions mapping, so I can't even draw the app's menu without it. I've resorted to removing the auth requirement from the API controller for now, obviously not a permanent fix)
To replicate the behavior, just create a brand new Blazor WebAssembly app, selecting Auth Type = Microsoft identity platform, and checking the ASP.NET Core hosted box. Then just edit both appsettings.json files to provide your Azure login info; change the requested scope in Client.Program.Main (and change the one in WeatherForecastController to match); and add [Authorize] to the _imports.razor file, and [AllowAnonymous] to Authentication.razor. Finally add some logging Console.WriteLine("Running in Client.Program.Main"); near the end of that method.
In the basic Blazor app template as described above, this all runs pretty fast. Once there's a significant amount of startup code in Program.Main, though, it becomes quite noticeable, it can be several seconds both before and after the login redirect. And I can't make an authenticated API call.
Specifying endpoints.MapFallbackToFile("index.html").RequireAuthorization(); in the server side Startup doesn't seem to make any difference. Neither does adding options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build(); to the AddAuthorization call.
So basically, I'm looking to:
Identify the user in Client.Program.Main, so I can make a secure call to the settings API
Identify the user in Client.Program.Main, so I can bypass all the time-consuming stuff myself on the first pass
Get Blazor (server?) to somehow recognize that a request for a protected page will fail for an unauthenticated user, and go directly to the Azure login page without all the usual ceremony
Any suggestions?

How to embed a web browser inside a web app made in node.js ?

I currently have a web app made in node.js. One feature of this app is to take notes. I want to provide the user with a way to browse the internet and select a text to add as a note in our web app without having to manually copy-pasting from one browser window to our app.
I know I can do this relatively simply using a Chrome extension that would be linked to the user account and would save the note to the database. However, I cannot use this approach since not all my users can install Google Chrome.
Therefore, I am looking for a way to browse the web from inside our web app. For example, it could be in an iFrame where we display a complete browser. That way, the user could navigate the web for information from inside the app, select text to save and click on a button (probably located outside the iFrame browser) to save the selected text as a note in our database.
How can I achieve such a thing in node.js ?
This is, essentially, impossible.
For you to get any data about the site the user was browsing you could either:
Restrict them to browsing sites willing to partner with you to give you permission to access their data via postMessage (a technical change on their part to work around the Same Origin Policy)
Proxy every request through your server which would:
Have large bandwidth requirements
Require a lot of rewriting of URLs (including dynamically generated ones in JS)
Require rewriting of X-Frames-Options and Access-Control-Allow-Origin headers
Need users who would trust you with all the data you passed through your system (including their passwords to third party sites)
Not work for Intranet sites (since your server could not reach them)

Unable to log in to Azure web app via VS2015 web performance test

How do I correctly handle the login/authentication scenario for an Azure web app in my VS2015 web performance test?
I created an XML file as a data source for the WAAD username and password. I bind the username and password to the Form Post Parameters: login and passwd respectively at request: https://login.microsoftonline.com/xxxx/login
But when I run the test, the Web Browser tab shows this error:
We can't sign you in
Your browser is currently set to block JavaScript. You need to allow
JavaScript to use this service.
To learn how to allow JavaScript or to find out whether your browser
supports JavaScript, check the online help in your web browser.
I also get a number of errors like this:
The value of the ExpectedResponseUrl property
Validation xxxx.azurewebsites.net/xxxx/docs/xxxx.aspx does
not equal the actual response URL
login.microsoftonline.com/xxxx/wsfed. QueryString
parameters were ignored.
Any idea how I can successfully log in to the Azure web app via the web performance test?
There are several methods of login and authentication that can be used. Just binding values to form post parameters may not be sufficient or correct. You will find the login form has hidden session identities that must be passed as well as the login data. I find that recording a test two times using as nearly as possible the same inputs and doing the same activities helps. These two tests can then be compared to find the dynamic data that needs to be handled.
In a comment the questioner added "I noticed these parameters, n1-43 are different but I have no idea what they represent. How do I handle them?". I can have no idea what they represent as I do not know the website you are testing. You could ask the website developers. Or, better, treat them as dynamic data. Find where the values come from, save them into context variables and use them as needed. This is basic web test development. Here and here are two good articles on what to do.
The message about JavaScript not being supported can be ignored. Visual Studio web tests do not support JavaScript or any other "active" parts of a web page, they only support the html part. Your job as a tester is to simulate what the JavaScript does for the specific user journeys you are testing. That simulation is generally just filling in the correct values (via context parameters) in the recorded requests.
Unexpected response urls can be due to earlier failures, such as teh login not working. I suggest not worrying about them until all of the other test problems are solved. Then, if you need help ask another new question.

Access a local IBM Notes application with default system browser

I am developping web applications using the Xpages framework from the IBM Lotus Notes technology.
My users don't use the embedded Notes Client browser, but use a regular modern browser (Firefox, Chrome) to browse Notes applications.
Everything is ok when the user has an internet connexion, he can access the application on the online server through his favorite browser.
However some of my applications need to be used Offline, in local. When a user works in local, he opens the IBM Notes Client, go to his workspace and click to open an application locally. Then, the Notes Client runs a http server on a random port and open the application with the embedded Notes Client browser.
What I want to achieve is to be able to open the application on a regular browser (Firefox, Chrome), by just using the default system browser and not the embedded Notes Client browser.
Here is what I tried without success :
With window.location.href I get the port where the local http server runs and the path to the page that is opened in the embedded Notes Client browser. I get this kind of result :
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp?OpenXPage&&xspRunningContext=Notes
So I just keep the interesting part :
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp
Now I need to pass the session id has a parameter of this http request so the browser will have the right to access the application. I get the session ID with the following :
facesContext.getExternalContext().getRequest().getSession().getId()
From this I get an ID and I build my complete http request :
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp?SessionID=ID-fae7aca8f062023972fe35e5909b0106f44ba2ae
But when I try this into a regular browser, instead of getting the page I get an error 500. If I look at the log of the server, I see the following error message :
Exception Thrown
javax.servlet.ServletException: The request is not coming from a trusted Rich Client part
But I am sure my ID is correct. I tried to investigate this on the internet but no success for now, I would be happy if someone has an idea about what do I miss? Or maybe another way to open a local application in the default system browser?
Thank you!
In short, you can't. This is disabled by security restrictions.
But maybe you should think again about a XPiNC application: With 9.0.1, the underlying XULRunner component was upgraded and supports now HTML5 and a lot of the "newer" features.
It matches Firefox 10.0.6, here are the HTML5 test results:
https://html5test.com/s/555ae51ca555ac7b.html
The only reasonable action you have at you disposal is to install Domino designer on the clients. Then you get the nhttp task that serves to a standard browser (you might get away analysing what nhttp needs and only install that part).
The caveat there: the local nhttp does not support authentication. So you need to hack around it (e.g. copy data back and forth between the local NSF and the properly secured one).
Alternative you could try the approach I took with vert.x (should work with any Java container, but then you won't have any XPages, just raw Domino data.
Danielle pushed that forward with the Crossworlds Project - which might be what you need.
Stephan says it as it is: the way you are considering is just going to cause you huge headaches.
If offline capacity is a must, have you thought about creating a pure Notes-Client application? That would certainly be far easier.

XPages error when running in web browser and saving new document

So I've finally move my application from development(inaccessible through internet) server to production(accessible through internet) server and I got the following runtime error whenever I'm trying to save a document:
Error while executing JavaScript action expression
Script interpreter error, line=23, col=10: [TypeError] Exception occurred calling method NotesXspDocument.save() not allowed to access or modify file: C:\WINDOWS\TEMP\notesC053A6\xsppers\22\DHRRDLYBXJ
not allowed to access or modify file: C:\WINDOWS\TEMP\notesC053A6\xsppers\22\DHRRDLYBXJ
I've done some testing to see where this would occur and found that it only happen when running the application in a web browser (including the Notes 9 web browser) and creating a new document and saving it.
If I run the application via XPiNC, create a new document and save, I'm able to save the document. And this document can later be edited and saved whether in XPiNC or web browser.
I'm not aware of this problem because during development I usually only test in notes client. When it come to web browser, I'll just create a local copy to test because the development server does not allow access through web browser.
Is there any server setting that I should change? I'm not admin but I could inform my boss to change. Thanks.
EDIT
After further testing, I found that uploading a file could be causing the problem. My XPage has fileUpload control for user to upload attachment with the document. But since it worked on XPiNC I need to know why it doesn't work in web browser and the solution to this.
Check to see if the user running the service of the domino server has full access rights to the c:\windows\temp folder
If your server is running Windows 2008 and no specific user is added to run the service.
Make sure that both system and Services has full access to that folder.

Resources