Access Control
The access level of a client program depends on how createSession is called and on the server/client settings. Access control is implemented in either of the following ways:
- User name and Internet password in the Domino Directory. This method can be used for both local and remote calls. For local calls, the machine being accessed must be a Domino server.
- Current Notes ID (the ID specified by the KeyFileName parameter in the notes.ini file). This method can only be used for local calls. The program can be stored on either a Notes client or a Domino server.
Access through the Domino Directory
The code determines whether the server is accessed as an anonymous user or as an existing user in the Domino Directory. In a NotesFactory call, if only the host name is specified, or empty strings are used as the user name and password, the server is accessed as an anonymous user. For example:
Session s = NotesFactory.createSession("myhost.east.acme.com:63148");
Or:
Session s = NotesFactory.createSession("myhost.east.acme.com:63148", "", "");
To access the server as a Domino user, specify the user name and Internet password in parameters 2 and 3 respectively. The user name and password must match a Person document in the Domino Directory. For example:
Session s = NotesFactory.createSession("myhost.east.acme.com:63148", "Jane Smith/East/Acme", "tops3cr3t");
When calling the Domino server locally, the host name should be blank:
Session s = NotesFactory.createSession("", "Jane Smith/East/Acme", "tops3cr3t");
To perform anonymous local calls, all three parameters should be blank:
Session s = NotesFactory.createSession("", "", "");
During local calls, the server does not have to be running. The settings in the Server document determine whether anonymous or name-and-password access is allowed. In the Server document, on the "Ports" - "Internet Ports" - "DIIOP" tab, the relationship between the authentication option and the code is as follows:
- createSession(host, "", ""): "Anonymous" must be set to "Yes" to access the server.
- createSession(host, name, password): "Name & password" must be set to "Yes" to access the server.
For name-and-password authentication, the name must be a user name in a Person document in the Domino Directory, and the password must be the Internet password in that Person document. The administrator can also set the "Enforce server access settings" option to "Yes" to force DIIOP access to follow the "Server Access" settings on the Security tab of the Server document.
The following fields in the Server document can be used to control the security of Internet sessions. Essentially, the access permissions of Internet sessions created by local or remote Java classes are equivalent to those of Web users.
- Access server: users accessing the server, remotely or locally, must be listed in this field.
- Not access server: users listed in this field cannot access the server, whether connecting remotely or locally.
- Create databases or templates: whether back-end methods can be used to create a new database or template.
- Create replica databases: whether back-end methods can be used to create a replica database.
- Create master templates: whether back-end methods can be used to create a master template.
- Run restricted Java methods*: users listed in this field can run restricted Java methods on the Domino server. If the user the program runs as is not listed in this field, these methods, such as accessing the file system of the Domino server, cannot be executed on the Domino server; the program can still execute various methods on the computer where it is located, including accessing the local file system.
- Sign agents to run on behalf of someone else: for agents that run as Web user, the agent runs as the user in the Internet session.
- Sign agents to run on behalf of the invoker of the agent: for agents that run as Web user, the agent runs under the user identity in the Internet session.
- Internet access (Internet authentication): restricts which names can be used as user names to log on.
* For the restrictions on these methods, see "Restricted LotusScript and Java agent operations" in Domino 6 Designer Help.
In the Server document, the fields on the DIIOP tab under "Ports" - "Internet Ports" are described as follows:
- (TCP/IP) Name & password: DIIOP authentication requires a user name and password.
- (TCP/IP) Anonymous: DIIOP authentication does not require a user name and password.
- (SSL) Name & password: DIIOP SSL authentication requires a user name and password.
- (SSL) Anonymous: DIIOP SSL authentication does not require a user name and password.
- Enforce server access settings: whether DIIOP is forced to use the server access settings on the Security tab.
The following notes.ini parameters also affect the security of Internet sessions established by remote or local Java classes:
- NoAmbiguousWebNames=1: if the user name used to log on to DIIOP has multiple matches in the $Users view, the login fails.
- WebNameAuthentic=1: the user name used to log on to DIIOP must be the user's full name.
- NABWebLookupView="XXX": Domino searches for the user name used to log on in the "XXX" view of the Domino Directory.
Note: In the database access control list (ACL), the "Maximum Internet name and password" setting also affects the permissions of Internet sessions. The permissions of a user logged on through DIIOP cannot exceed this setting.
The server refreshes its security cache every 30 minutes. After modifying the security settings, you can use the console command "tell diiop refresh" to force a refresh.
Access through the Notes ID
To access the server using the current Notes ID, do not specify any parameters in the call:
Session s = NotesFactory.createSession();
In this case, if authentication is needed (such as when you open a database), a dialog box is displayed, prompting you to enter the password for the Notes ID. The Notes ID used is the one specified by the KeyFileName variable in the first notes.ini file found in the search path. For example, if notes.ini contains the following parameter, the program uses admin.id to access the server:
KeyFileName=admin.id
You must enter the password for this ID or press "Cancel" to continue the program. You can also specify the second parameter as "(String)null" and supply the password for this Notes ID in the third parameter:
Session s = NotesFactory.createSession((String)null, (String)null, "tops3cr3t");
On the server, access through the above methods is restricted by Readers fields. For full access, use the following method:
Session s = NotesFactory.createSessionWithFullAccess();
Or
Session s = NotesFactory.createSessionWithFullAccess("tops3cr3t");
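Because the argument pattern alone decides whether a session is anonymous, name-and-password, Notes ID or full access, a source review can classify every call mechanically. The following Python scanner is an added example, not code from the original article; the mode names and flag strings are assumptions chosen here, the sample input is constructed, and calls inside Java comments are not filtered out.

```python
import re

CALL = re.compile(r"NotesFactory\s*\.\s*(createSession(?:WithFullAccess)?)\s*\(")
NULL = re.compile(r"^\(\s*String\s*\)\s*null$")
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+')

def split_args(src, i):
    """Split the top-level arguments of a call; src[i] follows its '('."""
    args, cur, depth = [], "", 1
    for tok in TOKEN.findall(src[i:]):
        if tok == "," and depth == 1:           # separator between arguments
            args.append(cur.strip()); cur = ""
            continue
        depth += (tok == "(") - (tok == ")")    # track nested parentheses
        if depth == 0:                          # closing ')' of the call
            break
        cur += tok
    return args + ([cur.strip()] if cur.strip() else [])

def literal(arg):
    """Value of a Java string literal, or None for any other expression."""
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else None

def audit(java_source):
    """Return (line, mode, flags) for each call, using the page's rules."""
    out = []
    for m in CALL.finditer(java_source):
        args, flags = split_args(java_source, m.end()), []
        full = m.group(1).endswith("WithFullAccess")
        if full:
            mode, flags = "notes-id-full-access", ["not restricted by Readers fields"]
        elif not args or (len(args) == 3 and NULL.match(args[1])):
            mode = "notes-id"
        elif len(args) == 1 or (len(args) == 3 and literal(args[1]) == literal(args[2]) == ""):
            mode, flags = "anonymous", ["needs DIIOP Anonymous = Yes"]
        elif len(args) == 3:
            mode, flags = "name-and-password", ["needs DIIOP Name & password = Yes"]
        else:
            mode = "other"                      # call form not covered on this page
        if args and (full or len(args) == 3) and literal(args[-1]):
            flags.append("password hardcoded in source")
        out.append((java_source.count("\n", 0, m.start()) + 1, mode, flags))
    return out

# Constructed sample input: call forms taken from this page.
SAMPLE = ('Session a = NotesFactory.createSession("myhost.east.acme.com:63148");\n'
          'Session b = NotesFactory.createSession((String)null, (String)null, "tops3cr3t");\n')

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A call that passes empty strings for the user name and password is reported as anonymous, which is worth checking wherever those values come from configuration that may be unset.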
Conclusion
Now you know the basic methods for using Java applications to call Domino objects locally and remotely. For more complex access methods, such as SSL encryption, servlets, connection pooling, single sign-on, firewalls, timeout control, resource recovery, and problem diagnosis, see the following article:
http://www-10.lotus.com/ldd/today.nsf/lookup/Java_access_2