Using SSO with Domino Java Classes
As discussed in Chapter 9, "Accessing J2EE Elements from Domino," it's often useful to invoke Domino functions from J2EE using Domino Java classes, from servlets or JSPs. Here we discuss some points about using SSO in this context. Let's consider a servlet that needs to present data from a Domino database, and we want the access to the database to be made under the same authenticated for the servlet.
The Domino Java classes require a user and credentials to be passed to the createSession method in order to establish the session under that user. Most commonly, the user name and its Internet password are passed as text strings to createSession. If basic authentication is being used to authenticate the servlet, we could extract the user name and password from the HTTP header. But if SSO is configured, there is an easier way. Fortunately, the createSession method also accepts an LTPA token in place of the user name and credential data. We can simply find the LTPAToken cookie in the HTTP header and pass its value, the LTPA token itself, to createSession. Using the LTPA token for the Domino session also allows the servlet to use either basic, form-based, or client certificate authentication interchangeably.
Unfortunately, things are not quite so simple. If the servlet request itself triggers the authentication, the LTPA cookie is not passed to this initial servlet request and thus is not available to be passed to createSession. There are a couple of ways to work around this problem. One way is to detect the missing LTPA cookie and force the client to
the servlet request, this time with the LTPA cookie as part of the request, via the
method. Another way is to extract the user name and password from the authentication header and use these to establish the Domino session instead. (But this second technique works only if basic authentication is used.) The following listing shows the code required to both obtain the LTPA cookie and extract the user name and password from an authentication header if necessary:
    import java.io.IOException;
    import java.util.Base64;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import lotus.domino.NotesFactory;
    import lotus.domino.Session;

    // Method of the servlet class. aHost is not defined in this listing; it is
    // assumed to be a field of the class that names the Domino server.
    public void doGet( HttpServletRequest theReq, HttpServletResponse theResp )
        throws ServletException, IOException {
        // See if LTPA token exists, if so we'll use it to identify/authenticate
        // the user to Domino.
        String aLTPAToken = null; String aUser = null; String aPass = null;
        Cookie[] aReqCookies = theReq.getCookies();
        if ( aReqCookies != null ) {
            for ( int i = 0; i < aReqCookies.length; i++ ) {
                Cookie aCookie = aReqCookies[i];
                if ( aCookie.getName().equalsIgnoreCase( "LTPAToken" ) )
                    aLTPAToken = aCookie.getValue();
            }
        }
        // If the LTPA token is not found, try to get the userid/password.
        if ( aLTPAToken == null ) {
            // Get the Authentication header if it exists, then the userid/pw.
            // getAuthType() returns null when the request was not authenticated,
            // so the constant goes on the left of the comparison.
            if ( "Basic".equalsIgnoreCase( theReq.getAuthType() ) ) {
                String aAuthStr = theReq.getHeader( "Authorization" );
                // Auth header is "Basic <base-64 encoded 'userid:pw'>"
                if ( aAuthStr != null ) {
                    // java.util.Base64 is used in place of sun.misc.BASE64Decoder,
                    // an internal class that current JDKs no longer provide.
                    String aUserPw = new String(
                        Base64.getDecoder().decode( aAuthStr.substring(6).trim() ) );
                    int aSep = aUserPw.indexOf( ':' );
                    if ( aSep > 0 ) {
                        aUser = aUserPw.substring( 0, aSep );
                        aPass = aUserPw.substring( aSep+1 );
                    }
                }
            }
        }
        // Set up Domino session based on the LTPA or user/pw info above.
        Session aSession = null;
        try {
            if ( aLTPAToken == null )
                aSession = NotesFactory.createSession( aHost, aUser, aPass );
            else
                aSession = NotesFactory.createSession( aHost, aLTPAToken );
        }
        catch ( Exception e ) {
            System.out.println( "Create session error: " + e );
        }
    }
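The credential-selection step of the listing, pulled out as an added example (not the book's code) so its edge cases can be exercised without a servlet container: a malformed Authorization header, a password that contains a colon, and the case where neither an LTPA cookie nor Basic credentials are present, which the caller should handle by re-requesting or rejecting rather than passing null values to createSession. The class, record and method names are hypothetical, decoding the credentials as UTF-8 is an assumption, and records require Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class DominoCredentialResolver {
    // Exactly one of token or user/pass is set; all null means nothing usable was found.
    record Creds(String token, String user, String pass) {
        String kind() { return token != null ? "ltpa" : user != null ? "basic" : "none"; }
    }

    // cookies: name -> value as received; authHeader: raw Authorization header, or null.
    static Creds resolve(Map<String, String> cookies, String authHeader) {
        // Prefer the LTPA token; an empty cookie value does not count as a token.
        for (Map.Entry<String, String> c : cookies.entrySet()) {
            if (c.getKey().equalsIgnoreCase("LTPAToken") && !c.getValue().isEmpty()) {
                return new Creds(c.getValue(), null, null);
            }
        }
        // Fall back to Basic credentials; the scheme name is matched case-insensitively.
        if (authHeader != null && authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
                String userPw = new String(raw, StandardCharsets.UTF_8); // assumed charset
                int sep = userPw.indexOf(':'); // split on the first colon only
                if (sep > 0) {
                    return new Creds(null, userPw.substring(0, sep), userPw.substring(sep + 1));
                }
            } catch (IllegalArgumentException malformedBase64) {
                // Not valid base64: treat the header as carrying no credentials.
            }
        }
        return new Creds(null, null, null);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("jdoe:pa:ss".getBytes(StandardCharsets.UTF_8));
        Creds fromHeader = resolve(Map.of(), basic);
        System.out.println(resolve(Map.of("LtpaToken", "AAECAw=="), basic).kind());
        System.out.println(fromHeader.kind() + " user=" + fromHeader.user()
                + " colonKept=" + fromHeader.pass().contains(":"));
        System.out.println(resolve(Map.of(), "Basic !!!not-base64").kind());
        System.out.println(resolve(Map.of("JSESSIONID", "x"), null).kind());
    }
}
```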