In the past I’ve created a number of tools that run on Domino servers, and a
few of them are CGI programs. I was wondering today whether it is
possible for a Domino CGI program to perform basic HTTP authorization. A quick
search revealed that Domino has been able to do that for ages, with so-called
file protection documents. Nice and easy to set up. Assume I have the
following CGI program, hello.c:
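#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    char **e;

    /* CGI response header, followed by the blank line that ends the headers */
    printf("Content-type: text/plain\n\n");
    printf("Hello JP\n");

    /* Dump every environment variable the server passed to this program */
    for (e = envp; e && *e; e++) {
        printf("%s\n", *e);
    }
    return 0;
}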
I compile that into an executable program (on Unix/Linux that would be
hello, whereas on Windows it’s called hello.exe) and drop it into the
Domino server’s cgi-bin directory (the default path is domino/cgi-bin in
Domino’s data directory). I then create said file protection document, which
looks like this:

When a Web client (a browser or a
command-line tool) attempts to access my CGI program, the server requires
basic authorization. If the caller supplies correct credentials, my CGI
program is executed. The above program outputs its environment, which I’ve
truncated to include only the bits I’m interested in showing you:
Hello JP
NOTES_BUILD_ID=Release 6.5.4|March 27, 2005
HTTP_AUTHORIZATION=Basic bWVucy5hOm5vb2RsZXM=
REQUEST_METHOD=GET
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=Lotus-Domino
AUTH_TYPE=Basic
REMOTE_USER=CN=Alexandra Mens/O=fupps.com
AUTHENTICATED=YES
GATEWAY_INTERFACE=CGI/1.1
DOCUMENT_ROOT=C:/Lotus/Domino/Data/domino/html/
DOCUMENT_NAME=C:/Lotus/Domino/Data/domino/cgi-bin/hello.exe
DOCUMENT_URI=/cgi-bin/hello.exe
SCRIPT_NAME=/cgi-bin/hello.exe
Two things are interesting:
- Domino passes the HTTP_AUTHORIZATION header to my CGI program. From that, I can determine the password the user utilized, although that will typically not be required. (Oh, BTW, this is of course Domino’s Internet password, not that needed to decrypt the user’s ID file.)
- Domino translates the authorized user into his or her distinguished name, and passes this in the environment as REMOTE_USER. This is very useful, because my program can easily find that DN in the Domino Directory for further processing.
I mentioned above that HTTP_AUTHORIZATION contains the user’s
credentials. Let me show you: I’ll take the base-64-encoded value and decode
that:
$ echo 'bWVucy5hOm5vb2RsZXM=' | openssl enc -a -d
mens.a:noodles
Voila. Not magic. :-)

Before you rely on Domino’s file protection documents for an Internet-facing Domino server, I recommend you thoroughly test your installation. The document Accessing and protecting the file system discusses more of what you should know. I personally would insist on using SSL/TLS and I’d probably place the Domino server behind a reverse proxy.
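An added example, not part of the original post: a variant of hello.c that greets the caller by the CN taken from REMOTE_USER, refuses to answer when REMOTE_USER is absent (for instance because the file protection document is missing), and masks the HTTP_AUTHORIZATION value instead of echoing the credentials. The function names, the 403 response and the buffer sizes are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy one "NAME=value" entry to out, hiding the value of HTTP_AUTHORIZATION.
 * Returns 1 if the entry was redacted, 0 if it was copied unchanged.
 * (Hypothetical helper written for this example.) */
int redact_entry(const char *entry, char *out, size_t outlen)
{
    static const char name[] = "HTTP_AUTHORIZATION=";
    if (strncmp(entry, name, sizeof name - 1) == 0) {
        snprintf(out, outlen, "%s[redacted]", name);
        return 1;
    }
    snprintf(out, outlen, "%s", entry);
    return 0;
}

/* Extract the common name from a DN in the form the post shows,
 * e.g. "CN=Alexandra Mens/O=fupps.com". Returns 0 on success, -1 otherwise.
 * (Hypothetical helper written for this example.) */
int cn_from_dn(const char *dn, char *out, size_t outlen)
{
    size_t len;
    if (dn == NULL || strncmp(dn, "CN=", 3) != 0)
        return -1;
    dn += 3;
    len = strcspn(dn, "/");          /* CN ends at the next DN component */
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, dn, len);
    out[len] = '\0';
    return 0;
}

int main(int argc, char **argv, char **envp)
{
    const char *user = getenv("REMOTE_USER");
    char cn[256], line[1024], **e;

    (void)argc; (void)argv;
    /* Fail closed: no authenticated user means the protection is not in effect. */
    if (user == NULL || cn_from_dn(user, cn, sizeof cn) != 0) {
        printf("Status: 403 Forbidden\nContent-type: text/plain\n\nForbidden\n");
        return 0;
    }
    printf("Content-type: text/plain\n\nHello %s\n", cn);
    for (e = envp; e && *e; e++) {
        redact_entry(*e, line, sizeof line);   /* credentials never reach the output */
        printf("%s\n", line);
    }
    return 0;
}
```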