
I have installed "Domino Sample REST Service Feature" from 901v00_11.20141217-1000 version of XPages Extension Library. OpenNtfSample service (com.ibm.domino.services.sample.service.SampleService) works as it should in general and the only problem with it that it completely ignores authentication settings of the server.

I have tried both Basic and Session Authentication as described in Authenticating Domino REST Service Requests, and the result I get is the following: the service always returns data and does not ask for any user name and password.

The server is configured with Session Authentication now, and I get a password prompt when I try to access

{my_server}/api/data

but do not get it when I open

{my_server}/api/sample

After I had added this Web Site Rule

Description: DAS service
Type of rule: Override Session Authentication
Incoming URL pattern: /api/

the server changed the password prompt for

{my_server}/api/data

but

{my_server}/api/sample

remained open.

Has anybody experienced this kind of error? Can anybody help me password protect this sample service so that I could start developing my own one based on this example?

1 Answer


The /api/sample resource is wide open on purpose. That just returns a link to the contacts resource -- /xpagesext.nsf/api/sample/contacts.

If you really want to prevent anonymous access to the /api/sample resource, there are two possible solutions: 1) Disable anonymous access for all HTTP requests, or 2) Make a change to the RootResource class. The first solution is a server config change. I'm sure you can find details about that elsewhere. Since this is StackOverflow, I'll focus on the second solution.

As you have already noticed, we don't allow anonymous access to the /api/data resource. You can mimic that behavior in the /api/sample resource with a simple change to RootResource.getLinks(). Near the top of the method, just add these lines of code:

        // Added near the top of RootResource.getLinks(); mirrors the check that
        // protects /api/data. Session and NotesException are lotus.domino types;
        // ContextInfo and NoAccessSignal are assumed to be imported in RootResource.
        boolean authenticated = false;
        try {
            Session session = ContextInfo.getUserSession();
            if ( session != null ) {
                String userName = session.getEffectiveUserName();
                // An unauthenticated request runs under the "Anonymous" user name
                if ( userName != null && !userName.equals("Anonymous")) {
                    authenticated = true;
                }
            }
        } catch (NotesException e) {
            // Fail closed: if the user context cannot be read, treat the caller as anonymous
        }

        if ( !authenticated ) {
            // Signals the web server to challenge the client for credentials
            throw new NoAccessSignal("Need user context");
        }

By the way, you won't need to make the same change to the contacts resource class (ContactsListResource.java). Because the contacts resource URL includes a database name (xpagesext.nsf), the web server will attempt to open the database before forwarding the request to the REST service. You can prevent anonymous access to the contacts resource by changing the ACL of xpagesext.nsf. Just make sure the default access is "No access".