In the past I've created a number of tools that run on Domino servers, and a few of them are CGI programs. I was reflecting today on whether it is possible for a Domino CGI program to perform HTTP basic authorization. A quick search revealed that Domino has been able to do that for ages, with so-called file protection documents. Nice and easy to set up. Assume I have the following CGI program, hello.c:

#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    char **e;

    /* CGI header: the blank line ends the headers */
    printf("Content-type: text/plain\n\n");

    printf("Hello JP\n");
    /* dump every variable the server placed in our environment */
    for (e = envp; e && *e; e++) {
        printf("%s\n", *e);
    }
    return 0;
}

I compile that into an executable program (on Unix/Linux that would be hello, whereas on Windows it's called hello.exe) and drop it into the Domino server's cgi-bin directory (the default path is domino/cgi-bin in Domino's data directory). I then create said file protection document, which looks like this: [screenshot of the file protection document] When a Web client (a browser or a command-line tool) attempts to access my CGI program, the server requires basic authorization. If the caller supplies correct credentials, my CGI program is executed. The above program outputs its environment, which I've truncated to the bits I want to show you:

Hello JP
NOTES_BUILD_ID=Release 6.5.4|March 27, 2005             
HTTP_AUTHORIZATION=Basic bWVucy5hOm5vb2RsZXM=
REQUEST_METHOD=GET
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=Lotus-Domino
AUTH_TYPE=Basic
REMOTE_USER=CN=Alexandra Mens/O=fupps.com
AUTHENTICATED=YES
GATEWAY_INTERFACE=CGI/1.1
DOCUMENT_ROOT=C:/Lotus/Domino/Data/domino/html/
DOCUMENT_NAME=C:/Lotus/Domino/Data/domino/cgi-bin/hello.exe
DOCUMENT_URI=/cgi-bin/hello.exe
SCRIPT_NAME=/cgi-bin/hello.exe

Two things are interesting:

  • Domino passes the HTTP_AUTHORIZATION header to my CGI program. From that, I can determine the password the user utilized, although that will typically not be required. (Oh, BTW, this is of course Domino's Internet password, not that needed to decrypt the user's ID file.)
  • Domino translates the authorized user into his or her distinguished name, and passes this in the environment as REMOTE_USER. This is very useful, because my program can easily find that DN in the Domino Directory for further processing.

I mentioned above that HTTP_AUTHORIZATION contains the user's credentials. Let me show you: I'll take the base64-encoded value and decode it:

$ echo 'bWVucy5hOm5vb2RsZXM='  | openssl enc -a -d
mens.a:noodles
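The same idea carried into the CGI itself, as an added example that is not part of the original post: this variant of hello.c treats only AUTHENTICATED and REMOTE_USER (set by the server after it checked the credentials) as proof of identity, and pulls just the login name out of the Basic header for logging while scrubbing the password from memory. The base64 decoder, the function names and the case-sensitive "Basic " prefix check are my own assumptions, not Domino API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal base64 decoder: returns bytes written, or -1 on bad input. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        if ((bits += 6) >= 8) {
            if (n >= outlen) return -1;
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}
/* Extract the login name from "Basic <base64 of user:password>". The password is
 * wiped, never returned: Domino verified it already and the CGI must not log it.
 * Returns 0 on success, -1 if the header is absent or malformed. */
int basic_auth_user(const char *hdr, char *user, size_t ulen)
{
    unsigned char buf[256]; char *colon; int n, rc = -1;
    if (!hdr || strncmp(hdr, "Basic ", 6) != 0) return -1;
    n = b64_decode(hdr + 6, buf, sizeof buf - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    colon = strchr((char *)buf, ':');
    if (colon && (size_t)(colon - (char *)buf) < ulen) {
        *colon = '\0';
        strcpy(user, (char *)buf);
        rc = 0;
    }
    memset(buf, 0, sizeof buf);   /* scrub the password from memory */
    return rc;
}
int main(void)
{
    char user[128];
    const char *ok = getenv("AUTHENTICATED"), *dn = getenv("REMOTE_USER");
    printf("Content-type: text/plain\n\n");
    if (!ok || strcmp(ok, "YES") != 0 || !dn) { printf("Not authenticated\n"); return 0; }
    printf("Authenticated DN: %s\n", dn);
    if (basic_auth_user(getenv("HTTP_AUTHORIZATION"), user, sizeof user) == 0)
        printf("Login name from Basic header: %s\n", user);
    return 0;
}
```

Compiled and dropped into cgi-bin like hello.c, it reads the same environment shown above; for the header from that dump it reports the DN and the login name mens.a, never the password.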

Voila. Not magic. :-) Before you rely on Domino's file protection documents for an Internet-facing Domino server, I recommend you thoroughly test your installation. The document Accessing and protecting the file system discusses more of what you should know. I personally would insist on using SSL/TLS and I'd probably place the Domino server behind a reverse proxy.

DomiNotes and Security :: 23 Jan 2009