Q
Problem solve Get help with specific problems with your technologies, process and projects.

Preventing the servlet from accessing another client's data

I have developed a Domino Web application wherein a client can view statements and transactions online. After a client has registered with the site they can log into the application and are taken to a "portal" page from which they can select a link to view either their statement or transactions. Clicking on one of these links calls one of two servlets, which accesses either a summary or transaction Notes database respectively. The servlet extracts the required data from the database and dynamically produces the statement or transaction summary in the browser.

My problem is during testing I discovered if I changed the client code that is a parameter sent to the servlet then the the servlet happily serves up another client's data. How can I prevent the servlet from accessing another client's data once it has been initially called from within the application by a client?

This has been my first foray into Java programming on Domino and I'm not sure how to proceed with this. My thought has been to set a readers field on the respective summary and transaction forms and somehow get the servlet to assume the client identity. Any light you can shed on this problem would be greatly appreciated. Thanks for your time.
Ouch. You have found a problem with servlets. The servlet "is" the server and there is no way of changing this. If you had an agent and had it "Run agent as Web user", you could use Domino reader names and other security mechanisms. But you probably chose servlets to get performance. Here's an idea, but it is not "real" secure. Look at the @password @function. I have posted a tip that describes what you can do using this @function: https://searchdomino.techtarget.com/tip/Creating-good-URL-keys

Basically you could scramble the key ? that is the user name ? using @password. You do this using @password both in the request URL and in the document(s) that you need to retrieve.

The problem is that this is still not secure. Someone could start guessing the scrambled keys. There is no way of figuring out what the scrambled version of a certain name would look like, but if you are determined to retrieve sensitive data you could run through all the possible keys.

Dig Deeper on Domino Resources - Part 5

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchWindowsServer

Search400

  • iSeries tutorials

    Search400.com's tutorials provide in-depth information on the iSeries. Our iSeries tutorials address areas you need to know about...

  • V6R1 upgrade planning checklist

    When upgrading to V6R1, make sure your software will be supported, your programs will function and the correct PTFs have been ...

  • Connecting multiple iSeries systems through DDM

    Working with databases over multiple iSeries systems can be simple when remotely connecting logical partitions with distributed ...

SearchDataCenter

SearchContentManagement

Close