
Authenticating users programmatically

I have a servlet that mimics the Domino login form. Authentication is done against LDAP through Directory Assistance.

The server first checks if the password is expired. If it hasn't expired, it goes on to authenticate the user. The authentication process then starts from the servlet by sending HTML that mimics the default login page for Domino; the code is below. It is not very secure.

Is there a Domino method in Java that I can call to authenticate the user from my servlet?

I was thinking about doing a POST but not sure if that would be as secure.

Any ideas?

    private void logUserIntoNotes(HttpServletResponse response) throws IOException
    {
        String action = "/names.nsf?Login";

        System.out.println("Action=" + action);
        System.out.println("Username=" + username);
        //System.out.println("Password=" + password);
        System.out.println("RedirectTo=" + redirectTo);

        response.setContentType("text/html");

        ServletOutputStream out = response.getOutputStream();
        out.println("<html><head><title>Login Page</title></head><body>");
        out.println("Logging in. Please wait ...");
        out.println("<form method=\"post\" name=\"login\" action=\"" + action + "\">");
        out.println("<input type=\"hidden\" name=\"Username\" value=\"" + username + "\">");
        out.println("<input type=\"hidden\" name=\"Password\" value=\"" + password + "\">");
        out.println("<input type=\"hidden\" name=\"RedirectTo\" value=\"" + redirectTo + "\">");
        out.println("</form>");
        out.println("<SCRIPT LANGUAGE=\"JavaScript\"> document.forms[\"login\"].submit(); </SCRIPT>");
        out.println("</body></html>");
    }

I'll start with the servlet. I think what you're looking for is the createSession method in the servlet. It provides a number of ways to start a user-authenticated session on the server. I use it all the time. There is some more detail about Domino objects in Java that also covers authentication here. Even though it's a few years old, the Java APIs are still relevant.

Quick code snippet that works in my servlets.

    NotesThread.sinitThread();
    try {
        session = NotesFactory.createSession("", sUsr, sPwd);
    } catch (NotesException ne) {
        // invalid username/password or something else horrible happened.
        NotesThread.stermThread();
        if (ne.id != 4486) {
            System.out.println("Notes Error:" + ne.id);
            ne.printStackTrace();
        }
    }

But your problem is that you need to send the credentials securely down the line to the server. You can use SSL, and then add HTTP header fields in the request at the browser (SSL encrypts headers), and pull the values out in the servlet using HttpServletRequest.getHeader. You don't need to copy the default Domino header names if you don't want to, as you have a servlet processing the data. You can do anything you want and do not specifically need to duplicate the default login form in Domino.
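One way to put the answer's two points together, as an added example that is not code from the original post: the servlet accepts credentials only over TLS and checks them server-side with the createSession call from the answer, so the password is never written back into HTML. The class name and the Username/Password POST parameter names are assumptions; it needs Notes.jar and the servlet API on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lotus.domino.NotesException;
import lotus.domino.NotesFactory;
import lotus.domino.NotesThread;
import lotus.domino.Session;

public class DominoLoginServlet extends HttpServlet { // hypothetical class name
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Refuse credentials that did not arrive over TLS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = req.getParameter("Username"); // assumed parameter names
        String pwd = req.getParameter("Password");
        // Reject missing or blank values before they reach createSession.
        if (user == null || pwd == null || user.trim().length() == 0 || pwd.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }
        if (!authenticate(user, pwd)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated");
    }

    // Returns true only if Domino accepts the user name and password.
    static boolean authenticate(String user, String pwd) {
        NotesThread.sinitThread();
        Session session = null;
        try {
            session = NotesFactory.createSession("", user, pwd); // same call as in the answer
            return true;
        } catch (NotesException ne) {
            System.out.println("Notes login failed, error id " + ne.id); // never log the password
            return false;
        } finally {
            if (session != null) {
                try { session.recycle(); } catch (NotesException ignored) { }
            }
            NotesThread.stermThread(); // always pair with sinitThread
        }
    }
}
```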
