wissel.net


Don't try this at home!


Domino has a refined security system, so the java.policy file can be a real PITA. You would therefore be tempted to write a few lines of LotusScript, run them in a scheduled agent, and have that pain go away on the next server restart. Of course you wouldn't write code like the one below, which lacks any error handling. You also would not hide this code from your admin people, who would want an impact study and your firstborn for any change they make. So instead of doing all this, you wait until there is a proper configuration setting for it.
Option Public
Option Declare

Sub Initialize
    Dim s As New NotesSession
    Dim inikey As String
    Dim secFileName As String
    Dim stream As NotesStream
    Dim policy As String

    Dim beginString As String
    Dim endString As String
    Dim permission As String

    Dim beginPos As Integer
    Dim endPos As Integer

    inikey = "NotesProgram"
    beginString = "grant {"
    endString = "}"
    'NotesProgram points at the Domino program directory, the JVM lives below it
    secFileName = s.Getenvironmentstring(iniKey, True)
    secFileName = secFileName + "jvm/lib/security/java.policy"
    permission = "permission java.security.AllPermission;"
    Set stream = s.Createstream()
    Call stream.Open(secFileName)

    'Read the entire file in one go
    policy = stream.Readtext()

    beginPos = InStr(policy, beginString)
    If beginPos < 1 Then
        'We don't have any so we abort
        Exit Sub
    End If

    Dim firstCut As String
    firstCut = Mid$(policy, beginPos)
    endPos = InStr(firstCut, endString)

    If endPos < 1 Then
        'The file is borked
        Exit Sub
    End If

    Dim allGrant As String
    allGrant = Mid$(firstCut, 1, endPos)

    'Now the check
    If InStr(allGrant, permission) < 1 Then
        'We need to update the file: split right after "grant {" and insert the permission line
        Call stream.Truncate()
        Call stream.Writetext(Mid$(policy, 1, beginPos + 7), EOL_NONE)
        Call stream.Writetext(permission, EOL_PLATFORM)
        Call stream.Writetext(Mid$(policy, beginPos + 7), EOL_NONE)
    End If

    Call stream.Close()
End Sub
As usual YMMV
Update: Going after java.pol requires a slightly different approach:
Option Public
Option Declare

Sub Initialize
    Dim s As New NotesSession
    Dim inikey As String
    Dim secFileName As String
    Dim stream As NotesStream
    Dim policy As String

    Dim beginString As String
    Dim endString As String
    Dim permission As String

    Dim beginPos As Integer
    Dim endPos As Integer

    inikey = "NotesProgram"
    beginString = "grant {"
    endString = "}"
    secFileName = s.Getenvironmentstring(iniKey, True)
    secFileName = secFileName + "jvm/lib/security/java.pol"
    permission = "permission java.security.AllPermission;"
    Set stream = s.Createstream()

    'Open or create the file
    Call stream.Open(secFileName)

    'A new file would be IsEOS
    If stream.Iseos Then
        Call stream.Writetext(beginString, EOL_PLATFORM)
        Call stream.Writetext(permission, EOL_PLATFORM)
        Call stream.Writetext(endString, EOL_PLATFORM)
        Call stream.Close()
        Exit Sub
    End If

    'Read the entire file in one go
    policy = stream.Readtext()

    beginPos = InStr(policy, beginString)
    If beginPos < 1 Then
        'We don't have any general grant statement, so we need to add it
        Call stream.Writetext("", EOL_PLATFORM) 'One new line
        Call stream.Writetext(beginString, EOL_PLATFORM)
        Call stream.Writetext(permission, EOL_PLATFORM)
        Call stream.Writetext(endString, EOL_PLATFORM)
        Call stream.Close()
        Exit Sub
    End If

    Dim firstCut As String
    firstCut = Mid$(policy, beginPos)
    endPos = InStr(firstCut, endString)

    If endPos < 1 Then
        'The file is borked, we won't touch it!
        Exit Sub
    End If

    Dim allGrant As String
    allGrant = Mid$(firstCut, 1, endPos)

    'Now the check
    If InStr(allGrant, permission) < 1 Then
        'We need to update the file: split right after "grant {" and insert the permission line
        Call stream.Truncate()
        Call stream.Writetext(Mid$(policy, 1, beginPos + 7), EOL_NONE)
        Call stream.Writetext(permission, EOL_PLATFORM)
        Call stream.Writetext(Mid$(policy, beginPos + 7), EOL_NONE)
    End If

    Call stream.Close()
End Sub
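The admin-side counterpart to both agents above, added here and not part of the original post: a Python audit that parses the grant blocks of a java.policy or java.pol text and flags an unscoped `grant { ... }` block carrying AllPermission, which is exactly the line both agents insert; a file with no closing brace (the "borked" case both agents skip) is reported as malformed rather than guessed at. The policy text is a constructed sample resembling a JVM java.policy, not a real Domino file, and the function names are my own.

```python
import re
def _find_outside_quotes(text, start, ch):
    # First `ch` at or after start that is not inside a "..." string, else -1.
    in_str = False
    for i in range(start, len(text)):
        if text[i] == '"':
            in_str = not in_str
        elif text[i] == ch and not in_str:
            return i
    return -1

def parse_grants(text):
    """Return [(scope, [entries])], scope None for a global grant; None if malformed."""
    # Drop /* */ comments and whole-line // comments (a "http://" codeBase stays intact).
    cleaned = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    cleaned = re.sub(r"^[ \t]*//.*$", "", cleaned, flags=re.MULTILINE)
    grants, pos = [], 0
    for m in re.finditer(r"\bgrant\b", cleaned):
        if m.start() < pos:
            continue  # a "grant" inside a block already consumed
        open_i = _find_outside_quotes(cleaned, m.end(), "{")  # skips ${{...}} in quotes
        close_i = _find_outside_quotes(cleaned, open_i + 1, "}") if open_i >= 0 else -1
        if close_i < 0:
            return None  # no closing brace: the "borked" file the agents refuse to touch
        scope = " ".join(cleaned[m.end():open_i].split()) or None
        grants.append((scope, [" ".join(e.split()) for e in cleaned[open_i + 1:close_i].split(";") if e.strip()]))
        pos = close_i + 1
    return grants

def audit_policy(text):
    """Flag a global AllPermission grant; a malformed file is reported, not guessed at."""
    grants = parse_grants(text)
    if grants is None:
        return {"malformed": True, "global_all_permission": False, "grants": []}
    flagged = any(scope is None and any(e.split()[:2] == ["permission", "java.security.AllPermission"]
                  for e in entries) for scope, entries in grants)
    return {"malformed": False, "global_all_permission": flagged, "grants": grants}

# Constructed sample resembling a JVM java.policy; the scoped codeBase grant is normal.
SAMPLE_POLICY = """\
grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
};
// default permissions granted to all domains
grant {
        permission java.util.PropertyPermission "java.version", "read";
};
"""
# The same text after an agent like the ones above inserted its line into the global block.
TAMPERED_POLICY = SAMPLE_POLICY.replace("grant {", "grant {\n    permission java.security.AllPermission;", 1)
```

Run `audit_policy` over both files from a scheduled integrity check and alert when `global_all_permission` flips to true or `malformed` appears.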

Posted by on 21 May 2013 | Comments (10) | categories: XPages

Comments

  1. posted by Giulio Campobassi on Wednesday 22 May 2013 AD:
    I think this would fall under the category of "trust me, it's hacking for the greater good"
  2. posted by Declan Lynch on Wednesday 22 May 2013 AD:
    And the good admins would have an ECL set on the server which would forbid file system changes.
  3. posted by urs meli on Wednesday 22 May 2013 AD:
    Good admins would do the change to keep their devs happy
  4. posted by Karsten Lehmann on Wednesday 22 May 2013 AD:
    I don't see a reason for this, as long as I can deploy OSGi plugins on the server.
  5. posted by Thomas Hampel on Wednesday 22 May 2013 AD:
    Good admins cooperate with developers by sharing the code above, by maintaining a common documentation, and exploring the platform capabilities together! Admins and developers have a joint mission and therefore must be best friends! Hint: if that's not the case yet, invite him/her for a drink!
  6. posted by Chris Miller on Wednesday 22 May 2013 AD:
    Good admins say we can't read this code and deny it will even work
  7. posted by Simon O'Doherty on Wednesday 22 May 2013 AD:
    A good example of why you never give the developers any ability to run code on production servers.

    Change requests and ECL control under Admin's thumb!
  8. posted by Peter Presnell on Wednesday 22 May 2013 AD:
    For an example coded in LotusScript I am surprised the accompanying text wasn't written in Latin.
  9. posted by John Dalsgaard on Wednesday 22 May 2013 AD:
    Well, you could talk to your admin once (the first time) and then agree upon the need for an adjustment.

    However, instead of changing the java.policy file I suggest you create a file named "java.pol" in the same directory and make your changes there. Changes in this file are not overwritten by updates to Notes/Domino.

    You can see the configuration of the usage of java.pol in the file java.security
  10. posted by Stephan H. Wissel on Wednesday 22 May 2013 AD:
    @Karsten: deploying OSGi plugins requires setting a Notes.ini variable - big battle already, but I agree

    @Chris: they won't see that code, since you wouldn't hide somewhere inside an innocent function (or even in a lss where you didn't provide the source)

    @All: "Good admins" are characters found where you also find tooth fairies and unicorns (except Paul of course)
  11. posted by Karsten Lehmann on Wednesday 22 May 2013 AD:
    @Stephan:
    Right, but that Notes.ini variable only has to be set once. For a customer, we have developed some code (LotusScript BTW) that runs when you open the nsf via url /path/to/db.nsf and that checks if all required plugins are deployed and running on the server.
    If not, we display an info message with a button to copy the missing pieces from the app's design into the update site nsf (and create it if missing).
    Now we check if that Notes.ini variable is set. If not, we display another info message for the admin.
    Finally, we try to call an XPage via xhr. If that fails, we display another button, that everything seems to be installed, but http task needs to be restarted.
    If everything is ok, we redirect to the XPages app.
  12. posted by Nathan T. Freeman on Thursday 23 May 2013 AD:
    @John THANK YOU!!! That's a hot tip!
  13. posted by John Dalsgaard on Thursday 23 May 2013 AD:
    @Nathan - You're welcome
  14. posted by liliakress on Monday 12 August 2013 AD:
    Hello, this is a really fascinating web blog and I have loved reading several of the articles and posts contained upon the site, sustain the great work and hope to read a lot more exciting articles in the time to come. Thank you so much.

  15. posted by Marco Wertel on Wednesday 18 February 2015 AD:
    @Karsten: Can you share some code pieces with us to check if all necessary stuff for the XPages application is available? Highly interested in that. Thank you.
  16. posted by Karsten Lehmann on Monday 23 February 2015 AD:
    @Marco: I can't share the exact code. Maybe I can find the time to blog about the idea and provide a small sample, but I am very busy at the moment.
    The general idea is to set the DB launch options to a page or frameset and do the check in LotusScript, e.g. as WebQueryOpen agent.

    You first check for the OSGI_HTTP_DYNAMIC_BUNDLES Notes.ini variable. If it is missing, you can either tell the user to let the admin add it and restart the server or you can just add the variable to the server's configuration document yourself (your NSF needs to be signed with a server or admin ID to do this).

    Next you read the content of -dominodata-/data/domino/workspace/.config/org.eclipse.update/platform.xml and search for the required Eclipse features.
    If they are missing, you can check if they are already stored in the update site NSF. If not, you can add them in your code (we store the plugin/feature document as design elements in the DB design for this purpose) or let the admin do it. If they are in the update site, the HTTP task has not been restarted since adding them.

    I hope you get the idea. There are a lot of different error states to cover to do this properly.

    We asked IBM twice in the last 3 years to just open a classic form if plugins are missing, similar to the general error pages for classic web development in Domino and add some information to it so that our code can either display a proper error message, but it's not in the product yet. Looks like this feature has no priority.

    Another approach to make plugin deployment easier might be to copy the lookup views of the update site NSF ($Lookup OSGi features / loader / plugins) to your application database and modify their $FormulaClass field so that they display design documents instead of data documents. Next you write some code that imports content of an update site NSF into the database design of your application (e.g. by duplicating a page design element and copying all fields and attachments).

    The result is that your application database contains both the application code and all required plugins. You can then point the OSGI_DYNAMIC_BUNDLES variable to your application NSF. The code that loads the plugins does not care whether the lookup views contain data documents or design documents.