Oh security, why do you hate me?

While developing a work-around for the Flex sandbox restrictions that I mentioned yesterday, it seems that anonymous access to our sandpit Domino server has been blocked. It was purposefully more open than the general Dev environment to allow developers to experiment, so it's a little strange to be locking it down.

And of course I spent a decent amount of time trying to work out what was wrong with my app, before I realised that the server config had changed!

The block is an issue for me because I'm trying to programmatically access the server via HTTP, which I'll admit isn't particularly common in our environment. Actually, any internal HTTP access isn't common for Domino, programmatic or user driven.

One school of thought I'm sure is that any apps accessing a Notes server should authenticate, but this overlooks some aspects. Firstly, for some data you simply don't care who can see it. Secondly, it's non-trivial to authenticate with Domino, even assuming a Single Sign On solution has been implemented. Thirdly, some programmatic access does not have an associated 'real' user, so even if SSO is enabled and you've worked out how to authenticate, you don't have any credentials to authenticate with.

And lastly, for some applications, like mine, this doesn't reflect the production environment. If this app ever sees the light of day, it will be hosted on one of our externally facing servers where anonymous access is certainly enabled.

I'm sure there are solutions to these problems, and it's important for them to be worked through. Perhaps I should be developing in the gateway environment where the access setup should somewhat mirror production.

But, in my opinion, I shouldn't have to care about this in a sandpit environment. I want to be free to play around, quickly see what's possible technically, and worry about the important stuff like security if the project ever gets off the ground.

This leaves me with the pleasant job of reworking the design. I was planning on having the SWF and proxy/redirect servlet hosted on Tomcat, and the config doc on Domino. This obviously fails because the proxy servlet has no way of authenticating with Domino. If I moved the SWF to be hosted on Domino it could access the config file OK, however I still wouldn't be able to embed the SWF in a local HTML file.

So to get around that I think I'll create a second Notes doc per graph that contains the HTML, then launch it. I'll still have to re-write the redirect code (to access the Excel2XML servlet).

On the up side, one of our Internet Services guys helped me get my head around the gateway architecture, and pointed me to the Dev and Test versions of the website which should help me get around my proxy authentication issues for the time being.

Let's hope tomorrow is better than today was.
