Q

Using DSAPI for authentication

R5. The scenario follows:

A custom DSAPI filter has been written to authenticate users by encrypting a querystring or cookie value. As long as session authentication is turned off on the server, everything works fine. As soon as session authentication is turned on, the user is prompted to login with username and password. Is there a way to make session authentication "accept" a user that has been authenticated by a DSAPI filter?


Here is an answer to your question, courtesy of Daniel Nashed (http://www.nashcom.de)...

I have a coded test DSAPI filter here to simulate different kinds of events and looked into some details. Some stuff was interesting to see because I never looked into this aspect before. DSAPI is a very strange beast and people have to be very careful when using this for authentication. I hope the following answer gives the guy asking a basic idea of the solution.

Normally, authenticating a user and having a session are two different things. When the user is not yet authenticated, the DSAPI event to authenticate the user is called. If the user is already authenticated via DSAPI or via normal password, in the authentication event the "found in cache" property normally returns true and you can leave the event. But this has nothing to do with session based or basic authentication. Even for session based authentication it can happen that found in cache is not true -- even if you have a session cookie! That's interesting and I did not check this before.

For basic authentication you get the user/password unencrypted (only BASE64 coded) for each request. For session based authentication the user/password comes from the cookie. In both cases they can be used to re-authenticate the user via the filter in the authentication event if needed. So there is not much difference between basic authentication and session based authentication. It depends on the coding in the authentication event.

When you authenticate the user by reading a customized cookie or URL string, Domino will still use the session cookie later on. If you don't use session based authentication, you have to make sure that you have that cookie or URL string present for each request. For the customized cookie this is easy, but for the URL you have to rewrite them for each request.

This stuff is quite complex and a more detailed answer would need a very detailed question. I hope this gives a basic idea of what to check.


This was last published in January 2002
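
The decision flow described in the answer, as an added example that is not code from the original answer or from the DSAPI toolkit: on a "found in cache" hit the filter leaves the event, and on a cache miss (which can happen even with a session cookie present) it re-authenticates from the custom cookie or falls back to Domino's normal login. The types, the `CustomAuth` cookie name and the `verify` hook are assumptions standing in for the `dsapi.h` definitions and for whatever decryption the real filter uses.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in types for this example only; they are NOT the dsapi.h definitions. */
enum outcome { LEAVE_TO_DOMINO, ACCEPT_USER };
struct auth_event {
    int found_in_cache;        /* user already authenticated and cached */
    const char *cookie_header; /* raw Cookie header, may be NULL */
    char auth_name[64];        /* set only when the filter accepts */
};
/* Hypothetical hook: decrypts/validates the token and writes the user name. */
typedef int (*verify_fn)(const char *token, char *user, size_t n);

/* Copy the value of cookie `name` into out; return 1 if found and it fits. */
static int get_cookie(const char *hdr, const char *name, char *out, size_t n)
{
    size_t len = strlen(name);
    while (hdr && *hdr) {
        while (*hdr == ' ' || *hdr == ';') hdr++;
        const char *end = strchr(hdr, ';');
        size_t seg = end ? (size_t)(end - hdr) : strlen(hdr);
        if (seg > len && strncmp(hdr, name, len) == 0 && hdr[len] == '=') {
            size_t vlen = seg - len - 1;
            if (vlen >= n) return 0;          /* oversized value: reject */
            memcpy(out, hdr + len + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        hdr += seg;
    }
    return 0;
}

/* Decision made in the authentication event. */
enum outcome on_authenticate(struct auth_event *ev, verify_fn verify)
{
    char token[128];
    if (ev->found_in_cache)
        return LEAVE_TO_DOMINO;   /* already authenticated: leave the event */
    if (!get_cookie(ev->cookie_header, "CustomAuth", token, sizeof token))
        return LEAVE_TO_DOMINO;   /* no custom cookie: normal login applies */
    if (!verify(token, ev->auth_name, sizeof ev->auth_name))
        return LEAVE_TO_DOMINO;   /* an invalid token is never accepted */
    return ACCEPT_USER;           /* cache miss, custom cookie re-authenticates */
}

/* Constructed demo verifier: accepts one fixed sample token. */
static int demo_verify(const char *token, char *user, size_t n)
{
    if (strcmp(token, "SAMPLETOKEN") != 0) return 0;
    snprintf(user, n, "%s", "CN=Test User/O=Example");
    return 1;
}
```

In a real filter the two outcomes map onto the return codes and authentication structure defined in `dsapi.h`, and `demo_verify` is replaced by the filter's own token check.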
