Ask the Expert

How to permit Web app users with external certificates to submit if no anonymous access is permitted

In a Domino-based Web application, where users are authenticated to the system via an external certificate, how do we permit these users to perform submissions from the Web if anonymous access to the database is set to No Access? Authentication to the URL is secured by WebSEAL. In this case, is it safe to grant anonymous users Editor access in the database ACL?

Let me make sure I understand the setup here… Authentication to the Domino server is not handled by Domino itself. You are using the Tivoli Access Manager WebSEAL product to provide two-factor authentication for connection requests. So, by the time a user connects to Domino, they have already been authenticated to your overall network. Assuming this is correct, here is my take on it:

I guess you could set Anonymous=Editor. This would give anyone connecting to Domino Editor access, since he/she has already been authenticated by WebSEAL. The problem with this is that Domino never knows the identity of any user. So you cannot distinguish someone who should be Author from someone who should be Editor or Reader, etc. Also, Domino won't know the name of any user. (Your code could ask their names, but they could lie, since you are not authenticating their names.)

So, I guess your scheme is "secure" in the sense that only valid users can connect to the Domino server, and you want any such user to be Editor (or maybe Author). But you will have to think carefully about what you want the Domino application to do. Will it really work right if every user is Anonymous and cannot reliably be distinguished from every other user?

(If any other reader has experience with this setup, I would love to hear about it.)

This was first published in April 2004
