sessionAsSignerWithFullAccess in XPiNC (ND9) - xpages

I needed to build an XPage to get the users' calendar entries, both public and private. I could achieve this enhancement by using sessionAsSignerWithFullAccess in SSJS.
However, my code doesn't work in XPiNC in Notes/Domino 9. It seems that sessionAsSignerWithFullAccess doesn't work as I expected and accesses only public documents.
Is there any way to resolve this issue?
Btw, I've also tried to call the LotusScript agent in beforePageLoad, which runs on behalf of the administrator and the web access user, but no luck. LotusScript also accesses only public documents.
Any suggestions would be very much appreciated!
Thank you in advance.

I believe it's the case that the sessionAsSigner sessions run as the current user when using XPiNC, rather than the signer of the XPage. Inconvenient as this is, it makes sense from a security perspective: while a Domino server has free rein to act as any name it likes, a Notes client acts solely as the active ID. Normal XPiNC setups run everything from the local client, so, from a security perspective, it's the same as accessing non-XPage elements.
You could double-check to see if my thinking is accurate by outputting sessionAsSignerWithFullAccess.getEffectiveUserName(). If I'm right, it will be the currently-running user, not the signer.
One way around it would be setting the XPiNC apps to execute on the server (new in 9, I believe). It has some caveats (https://frostillic.us/f.nsf/posts/how-i-got-xpinc-run-on-server-with-sso-working), but it has a lot of advantages both from a performance and a predictability perspective: since the app is actually running on the server in basically the same way as it would in a web browser, it (likely) also supports sessionAsSigner.

Related

Microfrontend or how to share smart UI components?

I work in a company where we have many different applications. To reduce code repetition and keep the experience for the users the same across applications we created a component library which is used by all applications.
Now we want to allow the users to switch between applications. Something similar to what Google does:
Screenshot of Google Application Drawer
An additional requirement for our "Application Switcher" would be that it "updates" itself. Meaning if we change how this "Application Switcher" looks we don't want all applications which use this Switcher to create a new deployment and be newly deployed.
So currently we use the same header (from our component library) in all our applications. So, my idea was just to simply add a script tag to all the index.html pages of all the applications which should support this "Application Switcher". The Script would parse the DOM, find the header and inject a component for this application switcher. I wanted to host the actual script from a CDN like server and the script tag in the index.html just references this URL. This way we could change this script however we want, and all the applications will always get the latest version.
Now I did a small proof of concept in our environments and solved all the CORS issues but since we were fetching from an authenticated context and the script was also in an authenticated context I always got a 401.
Additionally, we have the requirement, that this "Application Switcher" shows different applications to different users i.e. depending on which apps a user is allowed to access. So, the script itself will also do calls to an "Application Switcher" backend providing it user-specific information.
Now this makes me think that my initial idea of just putting a script tag and fetching from a CDN was too simplistic. Now I'm thinking if it would be better to implement a rest endpoint in all applications to fetch this script. This way I don't have the problems of fetching a resource from an authenticated context from the user's browser and instead can handle all of this in the backend.
So long story short; I feel like a complete noob who just hacks around to get things working (or actually not working) and was wondering if any of the smart internet people out there (who might actually already have experience with this) could give me a hint what would be a clean way to implement this?

Lotus Notes XPage to display within Frameset

[Disclaimer: I am new to Notes, and am picking up a project that was started by someone else, so I'm not sure if this is the best approach, and with that out of the way ....]
We have a Notes 9.0 frameset, which is being driven by a couple of databases. There are 4 parts to the frame set, with the primary one being the selection of a client. This populates the second frame with their information, and the third frame with any related clients - such as business partners, associates, etc. The fourth frame would be any and all correspondence listed with the related clients (either one or many) which has been placed into an XPage. We cannot, though, load the XPage inside the frame, having tried multiple instances of .urlopen(XPage location) and trying to open the notes:// source, http:// source, and setting the target frame in both the inline URL and as a .SetTargetFrame("frame") fashion.
Is it possible to open an XPage from within a Frameset, or is there a better approach to this?
Thanks
Integrating or embedding XPages into a traditional Domino web application is a common approach and straightforward because it's the same protocol with the same authentication. Integrating XPages into a standard Notes Client design element is challenging for a variety of reasons, not just the URL required but also because authentication to the client is via Notes ID stored on the PC, authentication to the XPage is via HTTP protocol.
If you're wishing to display a list of the correspondence in a standard Notes frameset in the Notes Client, the approach I'd take is just to point to a View or embedded view set to a single category based on the client selected. If it's a server within a decent connectivity range, view performance will be better. If it's just a list, the data should be available for a view. If it's to navigate into the documents and you want to open the correspondence in an XPage, that's achievable from a view by setting the property on the Form to open in a specific XPage.
I'm not certain, but it sounds like your choice to use the XPage was because someone had already developed an XPage of that information for web access, possibly for the external clients themselves. While re-using the previous code may seem a good approach, the challenges of integrating one technology into another (as you see) counter the benefits.
This isn't about XPages itself, it's about embedding technologies that are not really designed for that level of integration. Similarly if the correspondence was an Angular front end using REST services to pull the information from Domino, you would have similar issues integrating it into the Notes Client application (authentication, running code on the client to run code on the server to get data for the client to process - when Notes is already designed for good nrpc communication).
There may be benefits in time of migrating all of the frameset to an XPages application or a specific set of use cases that won't require users switching between browser client and Notes Client. But if that's not the approach for now, integrating the XPage into the frameset is likely to be a challenge, not least in terms of look and feel, that may not result in a good user experience.
You can integrate an XPage into a Notes client, but it will require learning about a number of moving parts. Instead of a Frameset you would use a composite application (same idea, more possibilities) and show various composites: Views, Forms, Pages, XPages, Navigators etc.
However you might consider reversing the process. When the XPages application in the browser works well, you could use the XPiNC feature (XPages in Notes Client) to show the same UI in the Notes client (presuming you have a current Notes version).
You will find some articles here: https://www-10.lotus.com/ldd/ddwiki.nsf/xpSearch.xsp?searchValue=%20XPages%20in%20the%20Notes%20client
My thought: what possibly causes you problems opening the XPage in a frameset (either with http:// or notes:// protocols) is an incompatible browser (the one in the client).
You can workaround this problem if you do not need all the bells & whistles of standard XPage - Dojo, events, themes...
So, what about making that XPage as simple as possible: make it stateless, disable Dojo, do not use any events (buttons, actions), in other words just plain HTML/CSS with no JS. That should work inside frameset. All the backend stuff - SSJS, datasources and so on is OK, of course.
Edit: another hint to make it work inside frame/internal browser. Sometimes XPage fails in XPiNC mode because of wrong datasource definition. When viewed from http of Domino server, all local databases are the server ones. But in XPiNC all local databases are treated as local replicas (usually nonexistent) and therefore fail to open. Possible solution:
run XPages from server (https://superuser.com/a/586602/17277)
redefine datasource: include server name in database property (hint: remember server!!database.nsf convention)
That's just a hint, I am not sure it will work for you.

What jar contains com.liferay.portal.security.permission.PermissionCheckerImpl in Liferay 6.1.2?

I am trying to follow http://liferaysatish.blogspot.de/2011/11/permissionchecker.html (which is basically a repost of another blog post).
I need to implement my own PermissionChecker to be able to support an SSO server (check if the user has been authenticated). However, the article mentions com.liferay.portal.security.permission.PermissionCheckerImpl, but there is no such class in whatever jars I was looking for it.
What I am trying to achieve is to tie Liferay's internal security to an external SSO Server (wso2). If there is another way to achieve this, I would love to try it.
I was trying with AdvancedPermissionChecker and SimplePermissionChecker, but I get endless redirects using them.
regards and thanks
Leon
> I need to implement my own PermissionChecker
I don't believe so. At least you can make your life easier if you integrate your SSO just like any of the already integrated 6 (or so) SSO systems, authenticating the current user to Liferay and then leaving the actual permission check to Liferay.
SSO is typically used for making sure the user is who they are, then redirecting to the application they're providing their services to. If you want to maintain permissions externally to Liferay, you're best off to use an LDAP and group your users there. On the Liferay side, map those LDAP users/groups to Liferay-usergroup-memberships. Provide the required permissions/memberships for those usergroups and you're set. Implementing your own permission checking (which will also be used internal to Liferay) is one of the least maintainable ideas that I've ever heard of.
I believe the latest Liferay does not have this file anymore. You should search for it in the 5.0 version. And the JAR itself is in \ROOT\WEB-INF\lib\portal-impl.jar
http://docs.liferay.com/portal/5.0/javadocs/portal-impl/com/liferay/portal/security/permission/PermissionCheckerImpl.java.html

Does someone know of 'iPaper-secure'-like service?

I've been using Scribd secure and their javascript/PHP api for few years. I've made a custom upload page where I upload books and automatically disable printing/downloading/copying, because this is what my client wants. Those books are then embedded into a page on my site.
I was never really satisfied with Scribd API and their 'iPaper secure' because it is not really secure, but I wasn't able to find a better solution for displaying documents to registered members while restricting save/copy/print. And Scribd developer support was very bad. But I lived with that.
Unfortunately, I just noticed that printing is no longer disabled on my 'secured' documents, because Scribd removed this option almost 3 years ago, without my knowledge :)
Please, does anybody know of any way for me to host books 'securely'?
Thanx in advance!
There are several PDF to html converters which would allow you to put the content on your site (with full control) or you could use something like PDF.js to display files.

sessionAsSigner returning "undefined"

I'm having a problem with the sessionAsSigner object: it returns "undefined" if one of the custom controls used on an XPage is signed by another user than the XPage. This is annoying (at the least) if you're working with multiple users on the same application.
Has anyone else experienced this? Or can anyone tell me if this is "by design"?
I have also experienced this.
My guess is that it is 'as designed' as the renderer would have no sure way to know who the signer actually is when presented with two or more signing signatures.
Best practice is to always sign the entire application before testing or pushing to production with a signing ID.
I've seen HTTP 500 errors with two signers. It is one of the reasons in my mind when looking at source control and working on a local server.
Equally I think there are problems with two Java classes that use sessionAsSigner. I've found that when I had that, things were fine for a while, but after about half an hour the server crashed. I couldn't see anything in the NSD logs to certainly point to that, but was able to reproduce it. And when I signed the database, I had no problems.
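The identity check suggested in the first answer (comparing getEffectiveUserName() across sessions) and the "undefined" sessionAsSigner case from this thread can be combined into one diagnostic. This is an added example, not code from any of the posters; the function names, verdict strings and the mock sessions are assumptions, and only getEffectiveUserName() comes from the page.

```javascript
// Added example: report which identity each XPages session actually runs as.
// Written in ES5 syntax so the same functions can be pasted into an SSJS
// script library and called as:
//   diagnoseSessions(session, sessionAsSigner, sessionAsSignerWithFullAccess)

// Effective user name of a session, or null when the session object is
// missing (the "undefined" case reported for designs signed by several IDs).
function effectiveName(s) {
  if (typeof s === "undefined" || s === null) { return null; }
  return String(s.getEffectiveUserName());
}

function diagnoseSessions(userSession, signerSession, fullAccessSession) {
  var report = {
    user: effectiveName(userSession),
    signer: effectiveName(signerSession),
    signerFullAccess: effectiveName(fullAccessSession),
    verdict: ""
  };
  if (report.user === null) {
    report.verdict = "no-user-session";
  } else if (report.signer === null || report.signerFullAccess === null) {
    report.verdict = "signer-session-unavailable";
  } else if (report.signer.toLowerCase() === report.user.toLowerCase() &&
             report.signerFullAccess.toLowerCase() === report.user.toLowerCase()) {
    // No elevation: code relying on signer rights sees only what the
    // current user may read. Also true when the user *is* the signer.
    report.verdict = "runs-as-current-user";
  } else {
    report.verdict = "runs-as-signer";
  }
  return report;
}

// Constructed stand-ins for Domino sessions so the logic can run offline.
function mockSession(name) {
  return { getEffectiveUserName: function () { return name; } };
}

function sampleReports() {
  var user = mockSession("CN=Jane Doe/O=Example");      // constructed name
  var signer = mockSession("CN=App Signer/O=Example");  // constructed name
  return {
    onServer: diagnoseSessions(user, signer, signer),
    localXPiNC: diagnoseSessions(user, user, user),
    mixedSigners: diagnoseSessions(user, undefined, undefined)
  };
}
```

Logging the returned report once from beforePageLoad, in the browser and again in XPiNC, shows whether the signer session is elevated before any access-control decision depends on it.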
