Domino newsletter e-office: single sign on with servlets

single sign on with servlets

Do you want to realise single sign on using servlets? Then you can use the servlet engine of Lotus Domino. In version 5.x of Domino this servlet engine was not very robust, so a different servlet engine, such as Tomcat or WebSphere, was often used instead. In Lotus Domino version 6.x much has improved in this area, and using servlets with this version has proven stable and robust.

With the servlet engine of Lotus Domino you can realise single sign on between a Lotus Domino environment and a WebSphere environment. This method is based on a session cookie that is placed on the user's machine for the duration of the user session. This specific cookie is called an LTPA cookie. When a user authenticates to the Lotus Domino or WebSphere server, he receives an LTPA cookie, and with this cookie he is then automatically authenticated to the affiliated environment as well.

We can also use this mechanism to realise single sign on in a Domino servlet environment.

A step-by-step plan follows below.

1. server settings, the DIIOP task
The DIIOP task must be running on the Domino web server. This task makes it possible to communicate with the Lotus Domino server from a Java environment via a distributed method called CORBA. Through this communication the servlet can request an LTPA cookie from the Domino server.


To set up the Domino ORB
1. Open the Server document you want to edit
2. Choose Ports - Internet Ports - DIIOP and complete these fields:

Field: TCP/IP port number
Enter: The port the Domino IIOP task listens on. Do not change this port unless you have assigned port number 63148 (the default) to another task.
Note: The default on Linux servers is 60148 because of an operating system restriction.

Field: TCP/IP port status
Enter: Choose one:
  • Enabled (default) -- To allow communication over this port.
  • Disabled -- To prevent communication over this port.

3. Choose Internet Protocols - DIIOP and complete this field:

Field: Number of threads
Enter: The number of threads you want to allow the DIIOP server task to process at the same time. The default is 10.

4. Click Security and complete these fields in the Programmability Restrictions section:

Field: Run restricted Java/Javascript/COM
Enter: The name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using a restricted set of Java and JavaScript features. If the applet or application logs on anonymously, enter the word "Anonymous" in this field.

Field: Run unrestricted Java/Javascript/COM
Enter: The name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using all Java and JavaScript features. If the applet or application logs on anonymously, enter the word "Anonymous" in this field.

To work properly with DIIOP, the HTTP task must also be running on the Domino server. The reason is that the server sends a small file containing a hash code to the client. This so-called ORB is transported over HTTP.

server settings, LTPA setup
Next we must prepare the server for the use of LTPA tokens.


LTPA Token
The Web SSO configuration document is a domain-wide configuration document stored in the Domino Directory. This document, which should be replicated to all servers participating in the single sign-on domain, is encrypted for participating servers and administrators, and contains a shared secret key used by servers for authenticating user credentials.

To create a Web SSO configuration document if you are using Internet Sites

You should have already created a Web Site document, and enabled the use of Internet Site documents in the Server document.

Also be sure that your client location document has the home/mail server set to a server in the same domain as the servers participating in SSO. This ensures that all public keys for participating server can be found when the SSO document is encrypted.

1. In the Domino Administrator, click Files, and open the server’s Address Book (NAMES.NSF).
2. Select the Internet Sites view.
3. Click Create Web SSO Configuration.
4. In the document, click Keys.
5. Initialize the Web SSO Configuration with the shared secret key in one of two ways:

  • Choose Domino only (no WebSphere servers participating in single sign-on), and then select "Create Domino SSO Key."
  • Choose Domino and WebSphere (single sign-on with WebSphere), and then do the following:
      • Select "Import WebSphere LTPA Keys."
      • Browse and select the WebSphere LTPA export file. (See WebSphere documentation for details about generating ltpatoken keys.)
      • Enter the password (specified when generating the keys in WebSphere). The document is updated to reflect the information in the export file.
6. Complete the rest of the document as follows:
Field: Configuration Name
Action: Enter the name of the SSO configuration.
Note: If the single sign-on configuration includes both Domino 6 and Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x servers only work with this configuration name.

Field: Organization Name
Action: (Required) Enter the name of the organization. This must match the organization name for the corresponding Web site. The SSO document will then appear in the Internet sites view, along with the Web Sites documents.

Field: DNS Domain
Action: (Required) Enter the DNS domain (for example -- lotus.com) for which the tokens will be generated. The servers enabled for single sign-on must all belong to the same DNS domain.

Field: Domino Server Names
Action: Enter the names of the servers that will be participating in single sign-on (for example -- server1/acme, server2/acme). This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field.
Groups, wildcards, and the names of WebSphere servers are not allowed in this field. Only Domino servers can be listed as participating servers in the Server Names field.
Note: There is a 64K-size limit on this field. An error message appears when the limit is reached, such as when the names of several hundreds of servers are entered. It is recommended that you create more than one Web SSO Document if this limit is reached.

Field: Expiration (minutes)
Action: Specify the time period, in minutes, for which the token will be valid. This time period begins at the time the token is issued. The token is valid for only the number of minutes specified; it does not expire based on inactivity. Default is 30 minutes.

7. Save the Web SSO Configuration document. A message on the status bar indicates the number of servers/people for whom the document was encrypted. The document(s) will appear in the Internet Sites view.

To create a Web SSO configuration document if you are using the Web Server Configurations view

Use this procedure to create a Web SSO configuration document if your server is a Release 5.0x server, or if you are using Domino 6 but you do not use Web Site documents to manage your Web sites.
1. In the Domino Administrator, click Files, and open the server’s Address Book (NAMES.NSF).
2. Select the Servers view.
3. Click Create Web SSO Configuration.
4. In the Web SSO Configuration document, click Keys.
5. Initialize the Web SSO Configuration with the shared secret key in one of two ways:

  • Choose Domino only (no WebSphere servers participating in single sign-on), and then select "Create Domino SSO Key."
  • Choose Domino and WebSphere (single sign-on with WebSphere), and then do the following:
      • Select "Import WebSphere LTPA Keys."
      • Browse and select the WebSphere LTPA export file. (See WebSphere documentation for details about generating ltpatoken keys.)
      • Enter the password (specified when generating the keys in WebSphere). The document is updated to reflect the information in the export file.
6. Complete the rest of the document as follows:
Field: Configuration Name
Action: Enter the name of the SSO configuration.
Note: If the single sign-on configuration includes both Domino 6 and Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x servers only work with this configuration name.

Field: Organization Name
Action: Leave this field blank, and this document will appear in the Web Configurations view.

Field: DNS Domain
Action: (Required) Enter the DNS domain (for example, lotus.com) for which the tokens will be generated. The servers enabled for single sign-on must all belong to the same DNS domain.

Field: Domino Server Names
Action: Enter the names of the servers that will be participating in single sign-on (for example -- server1/acme, server2/acme). This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field.
Note: Groups, wildcards, and the names of WebSphere servers are not allowed in this field. Only Domino Servers can be listed as participating servers in the Server Names field.

Field: Expiration (minutes)
Action: Specify the time period, in minutes, for which the token will be valid. This time period begins at the time the token is issued. The token is valid for only the number of minutes specified; it does not expire based on inactivity. Default is 30 minutes.

7. Save the Web SSO Configuration document. A message on the status bar indicates the number of servers/people for whom the document was encrypted. The document(s) will appear in the Web Server Configurations view.

Note If you receive messages on the client indicating that a particular key was not found for encrypting the document, you may have to change your client's location document to point to a different mail/directory server that will have all the public keys included in server and person documents.


Now that the server is ready for the use of DIIOP and LTPA tokens, you can write the Java code that logs in to the Domino server with the web user's credentials, obtains an LTPA cookie by doing so, and then writes it back to the web user's client.

2. creating a login form
To give the web user the ability to send his credentials (name and password) to the servlet, an HTML form must be created containing the following fields:

  • Name
  • Password
  • RedirectTo (with as its value the URL the user wants to request)

The form tag of the form must contain the following attributes:
  • method with the value post
  • action with the URL of the servlet.

3. obtaining the LTPA cookie and passing it on to the web user's client.
After the servlet has been called from the input form, the servlet can log in to the Domino environment. The example code is shown below.

login code


    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import lotus.domino.NotesError;
    import lotus.domino.NotesException;

    /**
     * LtpaToken cookie stored in the web browser. This may be used to open a DIIOP connection to a Domino server.
     *
     * DominoBridge is the article's own helper class (not shown on this page): it wraps
     * NotesFactory.createSession(dominoServer, username, password), exposes the resulting
     * lotus.domino.Session as dominoSession, and records the error id and text of a failed login.
     */
    public class LtpaToken {

        /**
         * Interface for reading cookie information in the web browser.
         */
        public HttpServletRequest request;

        /**
         * Value of the LtpaToken. This may be used to open a DIIOP connection to the Domino server.
         * For example: NotesFactory.createSession(dominoServer, token)
         */
        private String token;

        /**
         * If an error occurs, the error message text will be stored here.
         */
        public String dominoErrorText;

        /**
         * If an error occurs, the error id will be stored here.
         */
        public int dominoErrorID;

        /**
         * The name of the cookie is always "LtpaToken". LTPA is light-weight third party authentication.
         */
        public static final String cookieNameLtpaToken = "LtpaToken";

        /**
         * Create this object with a valid HttpServletRequest object. You may then reference the "token" property.
         * This is used to get an existing LtpaToken from the user's cookie.
         *
         * @param request HttpServletRequest
         */
        public LtpaToken(HttpServletRequest request) {
            this.request = request;
            this.token = getCookieValue(cookieNameLtpaToken);
        }

        /**
         * Create a new LtpaToken. You may then reference "setCookie" to store a new cookie in user's HttpServletResponse.
         * HttpServletResponse will automatically store a new LtpaToken cookie in the user's web browser.
         *
         * @param dominoServer The host name and port address for connecting to the Domino server with DIIOP.
         *                     Example value: domino.acme.com:63148
         * @param username The user's username.
         * @param password The user's password.
         */
        public LtpaToken(String dominoServer, String username, String password) {

            // Check for a missing or empty username or password (a null value would otherwise throw a NullPointerException).
            if (username == null || username.equals("")) {
                dominoErrorID = NotesError.NOTES_ERR_INVALID_USERNAME;
                dominoErrorText = "Invalid user name/password";
                return;
            }
            if (password == null || password.equals("")) {
                dominoErrorID = NotesError.NOTES_ERR_INVALID_USERNAME_PASSWD;
                dominoErrorText = "Invalid user name/password";
                return;
            }

            // Open a session with the Domino server over DIIOP using the user's own credentials.
            DominoBridge dominoBridge = new DominoBridge();
            dominoBridge.openDominoSession(dominoServer, username, password);

            // If a session was opened with the Domino server, then the LtpaToken can be generated.
            if (dominoBridge.isDominoSessionAvailable()) {
                try {
                    token = dominoBridge.dominoSession.getSessionToken();
                } catch (NotesException e) {
                    // Record why no token could be issued instead of silently leaving token null.
                    dominoErrorID = e.id;
                    dominoErrorText = e.text;
                }

                // Close the session with the Domino server.
                dominoBridge.closeDominoSession();
            } else {
                dominoErrorID = dominoBridge.dominoErrorID;
                dominoErrorText = dominoBridge.dominoErrorText;
            }
        }

        /**
         * Find any cookie value from the browser.
         *
         * @param cookieName Name of the cookie.
         * @return The value of the cookie, or null if the browser did not send it.
         */
        private String getCookieValue(String cookieName) {
            try {
                Cookie[] cookies = request.getCookies();
                if (cookies != null) {
                    for (int i = 0; i < cookies.length; i++) {
                        if (cookies[i].getName().equalsIgnoreCase(cookieName)) {
                            return cookies[i].getValue();
                        }
                    }
                }
                return null;
            } catch (Exception e) {
                return null;
            }
        }

        /**
         * Stores a new LtpaToken in the HttpServletResponse.
         * The token is a bearer credential for every server in the SSO domain, so the cookie
         * domain must be the DNS domain from the Web SSO Configuration document and the
         * servlet should only be served over HTTPS.
         *
         * @param response HttpServletResponse the cookie is added to.
         * @param ltpaTokenCookieDomain DNS domain for which the cookie is set (for example .acme.com).
         * @return true if a cookie was added to the HttpServletResponse, otherwise false.
         */
        public boolean setCookie(HttpServletResponse response, String ltpaTokenCookieDomain) {
            if (token == null) {
                return false;
            }
            Cookie cookie = new Cookie(cookieNameLtpaToken, token);
            cookie.setDomain(ltpaTokenCookieDomain);
            cookie.setPath("/");
            response.addCookie(cookie);
            return true;
        }

        /**
         * @return Text value of the LtpaToken.
         */
        public String getTokenString() {
            return token;
        }

        /**
         * @return true if an LtpaToken is present and not empty, otherwise false.
         */
        public boolean isValid() {
            return token != null && !token.equals("");
        }
    }
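The servlet that ties the login form from step 2 to the LtpaToken class above, as an added example that is not part of the original article. The Domino DIIOP host/port and the cookie domain are assumed placeholder values; the RedirectTo check is an addition so that a posted target cannot send the freshly authenticated user to another site.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original article): the servlet the login form posts to.
public class LtpaLoginServlet extends HttpServlet {

    // Assumed placeholder values: DIIOP host:port of the Domino server (default port 63148)
    // and the DNS domain from the Web SSO Configuration document (cookie domain must match it).
    private static final String DOMINO_SERVER = "domino.example.com:63148";
    private static final String COOKIE_DOMAIN = ".example.com";

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String redirectTo = safeRedirectTarget(request.getParameter("RedirectTo"));

        // If the browser already presents an LtpaToken cookie, skip the login; Domino validates the token itself.
        if (new LtpaToken(request).isValid()) {
            response.sendRedirect(redirectTo);
            return;
        }
        String name = request.getParameter("Name");
        String password = request.getParameter("Password");
        if (name == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Name and Password are required");
            return;
        }
        // Log in over DIIOP with the user's own credentials; Domino issues the session token.
        LtpaToken ltpa = new LtpaToken(DOMINO_SERVER, name, password);
        if (!ltpa.isValid()) {
            // Domino's error detail stays in the server log; the browser sees a generic failure.
            log("LTPA login failed for user " + name + " (Domino error " + ltpa.dominoErrorID + ")");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid user name/password");
            return;
        }
        ltpa.setCookie(response, COOKIE_DOMAIN);
        response.sendRedirect(redirectTo);
    }

    // Follow RedirectTo only when it is a path on this site; absolute URLs and
    // protocol-relative "//host" targets fall back to "/" (open-redirect guard).
    static String safeRedirectTarget(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return "/";
        }
        return target;
    }
}
```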

Using the approach above, single sign on can be realised.