3
votes

I'm currently implementing the OpenNTF Multiple File Uploader by Mark Leusink.

This very nice custom control uses an xAgent to embed the selected file attachment into the target Notes document. Everything was working fine until I added Authors and Readers fields to the Notes documents. Now I'm getting a security error (402) when uploading the file.

My thought is the Upload xAgent can't edit the target document to attach the file. If I remove the security fields, everything works again.

My question is, do xAgents run with the same security as the current user? If not, can I set a "run as" user for the xAgent like I can for a Lotus Script agent?

3
Yes, all XPages run under the current user's permissions. Declan's suggestion allows you to mix and match: operations performed against objects obtained via sessionAsSigner use the signer's permissions; operations performed against all other objects use the current user's.

Tim Tripcony

3 Answers

5
votes

I'd suggest that you look at the xAgent's code and rewrite it to use sessionAsSigner to access the database/document to upload the file. This will cause it to run as the signer of the application and bypass the security issues that you're running into.

2
votes

Both Tom's and Declan's answers are correct, but this doesn't count for the file uploader.

It uses a Flash component to do the actual uploading (called SWFUpload). Since browser cookies aren't shared with Flash, it can't send along the user's session cookie with the file, and therefore to the Domino server the user performing the upload is not logged in (aka Anonymous). That's why the uploader requires anonymous users to be allowed to read/write public documents in the ACL, and the XPage/XAgent handling the uploaded files (aUpload.xsp) is set to allow "public access users". It uses the sessionAsSigner object to access the database's content.

Normally, the above settings would allow everyone to anonymously upload files. That's why I implemented a custom authentication solution based on an idea by Mark Barton: before every file is uploaded, a request is made to an XPage to retrieve a unique key. That XPage (aGetAuth.xsp) does run under the user's credentials and stores the key in a document in the database. This key is sent along with the uploaded file and compared with the stored key. The upload is only allowed if the keys match.

First thing I'd check in your case is whether the code in the aUpload.xsp XAgent can read and write the target document using the sessionAsSigner call.

0
votes

Mark, Declan, and Tim, thanks for jumping in.

I modified the xAgent **aGetAuth.xsp** to use sessionAsSigner to get the current database. At first I got the error "sessionAsSigner not found".

Google showed a quick answer was to re-sign the template before testing. After re-signing the template, twice, and performing a "clean", everything works brilliantly.