Domino/Notes Version: Rel 12.0.2
Add-on Product (if appropriate, e.g. Verse / Traveler / Nomad / Domino REST API):
Its Version:
Operating System: Windows 10
Client (Notes, Nomad Web, Nomad Mobile, Android/iOS, browser version): Firefox browser
Problem/Query:
I have a primary database designed with XPages that runs in a browser. I also have a calendar database that is displayed in an iFrame in the primary database. This all works and the username displayed in the iFrame from the calendar db is the username I used to sign into the primary database.
I copied the calendar database to another customer installation, but in this case, the username in the iFrame is Anonymous, not the username I used to sign into the primary database.
What did I miss? I don’t recall making any security setting changes with the first example and the setup looks the same as this new setup. I don’t understand why the calendar db recognizes my username for the first example, but not this new one.
Both of these installations are running on my own development server, so the customer server setups do not apply.
Please set me straight.
Have a look at the X-Frame-Options security header for the calendar database. This might offer a clue. Delete the X-Frame-Options security header from the calendar db to start with.
Also have a look at the access control for calendar db.
What is access control setting for Anonymous?
Look at the code that populates the username in the iframe containing the calendar interface.
What is the authentication system in place for your xpages server?
Is calendar db a standalone custom application or is it the calendar from user’s mail file? Are both these dbs hosted on same server?
“I copied the calendar database to another customer installation”
What is the implication of this statement?
Thank you for your prompt reply.
I don’t know what the “x frame options” are or where they would be.
The calendar db has default and anonymous set to Editor. Note that the calendar displays fine in the iFrame, but does not include any data because Anonymous does not have access to the primary db.
My iFrame url does not include a username, it just points to the db with a couple parameters.
The authentication for my local development server is simply by my Notes ID/pw.
I design and develop custom web based xpages applications. The calendar database is one I found online that will display data from a primary database using a calendar layout in an iFrame.
Yes, all my applications are running on my local Domino server.
By “copied to another application”, I mean that a few years ago, I used the calendar db for a customer and was able to set it up and it works fine. The username in the Calendar iFrame is my username. Just this week, I copied the calendar db to another customer file folder to use it for their application. I thought I had set it up the same, but for some reason, the calendar database does not have access to my primary db because the username in the calendar db is Anonymous, not my user id that I used to log into the primary db.
I hope this makes sense.
Both primary databases have Page Persistence set to “Keep pages in memory”, if that means anything.
X-Frame-Options would be found in the Internet Site document and could be set to deny, same origin or allow from uri.
I guess that your calendar xpage is displaying correctly minus the data. That means you haven't made any X-Frame-Options setting since the calendar control is displaying. The data is not accessible.
You may like to have a look at the console log to see if there is an access error when you open this page.
Please check how you are passing the username and database name to the control in the iframe. Evidently, it will be username and db variables passed as sessionScope variables from the main XPages application. These sessionScope variables from your main application may not be accessible to your calendar control in this context as it is a different application (xpage).
If you could send me some details of the calendar xpage, it would help.
Better still, why don't you just copy the calendar xpage into your main application and modify it and thereby get the iframe out of the equation.
Regards…
I too develop XPages applications and have developed a custom calendar xpage control to display calendar entries from a database in monthly, daily and weekly formats incl a list view.
I embed the control natively into the xpage and hence an iframe is not required. I usually use an iframe only to display pdf and image files inline in an xpage.
I don’t see any x-frame options in my Internet Site document.
I’m not passing my username in the iframe url, just some basic parameters. I’m not passing or expecting sessionscope vars in the calendar db, so this isn’t an issue. Yes, there is an error on the console when I attempt to display the path of my primary database from the calendar db. The calendar database cannot access the primary database because the calendar database is running under Anonymous and not my user id - which is the reason for my post.
As I mentioned, I have this setup working for another customer and I set this one up the same (or so I thought) but I’m missing something because for my first customer, the calendar db recognizes my user id, but in this new setup, it doesn’t.
The calendar db contains a lot of code to run the calendar page, so it’s advantageous to keep it in its own database. I would have to copy forms, views, shared columns, script libraries, agents… it’s better to just keep all that in its own database.
The Calendar db I have came from OpenNTF about 15 years ago. Would you be willing to share your calendar xpage? Perhaps it’s a better solution than the one I’m using.
The X-Frame-Options and other security headers like content security policies will need to be added as rules in the Internet Site document. Since in your setup you do not see them, it means you do not have any setting that restricts the iframes. So all is ok.
Ok, I will share the calendar xpage by EOD today. I will send you a working sample tailored to your need. I will need the basic context of the calendar entries. Where are they coming from?
Is it the user's mail file? Or some other view displaying the calendar entries? Are entries common to all users or are they specific to users?
What are the columns in the view which has the calendar entries? This one is important.
Regards
The calendar entries are documents created within the primary database and displayed in specific views designed for the calendar. My applications use custom created calendar entry documents, they have nothing to do with user mail files.
The columns in the calendar views include basic information, such as
date/time start
date/time end
subject
tooltip text
Ok, will send you the xpage / control for this scenario today after modifying the code.
Regards
Hi Robert
Could you please go to the event calendar tab of the following url
Ogsoftwares.in/collabro.nsf
Username : bpozsgai
Pw: abcd1234
Have a look at the event calendar interface and see if this is what you want?
If yes then I will make the effort of separating out the relevant xpage minus the redundant global scripts, themes and stylesheets and send the code to you just for the portion you need. This will minimize your effort to reuse the xpage and embedded controls.
I have created the relevant db for you. The size is large. Could you share your email so that I can send it? You will find mine in my profile.
Please see your mail. I have sent the db to you. You will need to do some effort on that to make it usable in your application.
Hope it helps.
Regards
Hi Robert
I simulated with other databases in an iframe in XPages. It works seamlessly.
In case the url for the iframe points to a resource you do not have access to, it should offer you a login screen inside the iframe as per your server settings and domcfg config.
You may try setting Anonymous to No Access in your calendar database.
Also add a few print statements inside your calendar control for debugging purposes. The issue seems to be there.
Hi Robert
I simulated your scenario on some other database.
Case 1: webcalender.nsf has access control:
Default: Editor
Anonymous: anything you wish
The iframe works correctly.
Case 2:
Default: No Access
Your logged in user id: not covered individually or as group
Anonymous: Editor
System fails.
This is because even if you are logged in as a valid user and have an auth session with domino server, inside the iframe you are anonymous and the session map of webcalender.nsf treats you as anonymous. Hence the access issue as shown in your slide.
Make sure the logged in user has explicit access to webcalendar db or a group access or default is set to editor. Anonymous can be no access.
Basically, if your effective access to webcalendar db is as Anonymous, you will be treated as anonymous within the iframe.
Specifically, check the access level of your testing userid in your webcalender db.
Hope this helps.
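
The ACL cases in the post above, as an added example that is not part of the original thread and is not Domino API code: a small JavaScript model of how a Domino database ACL resolves the effective access of a web request. The function name, the ACL object layout, the group name and the user name are constructed for illustration.

```javascript
// Illustrative model of Domino ACL resolution for a web request (not Domino API code).
// Access levels in ascending order.
const LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"];

// acl: { default, anonymous?, users: {name: level}, groups: {group: level} }
// session.user === null means the request carried no authenticated session.
function effectiveAccess(acl, session) {
  if (session.user === null) {
    // Unauthenticated: the Anonymous entry applies, or -Default- if there is none.
    const level = acl.anonymous !== undefined ? acl.anonymous : acl.default;
    return { name: "Anonymous", level };
  }
  // An explicit entry for the user name takes precedence over group entries.
  if (acl.users[session.user] !== undefined) {
    return { name: session.user, level: acl.users[session.user] };
  }
  // Otherwise the highest level among the user's groups applies.
  const fromGroups = session.groups
    .map((g) => acl.groups[g])
    .filter((level) => level !== undefined)
    .sort((a, b) => LEVELS.indexOf(b) - LEVELS.indexOf(a));
  if (fromGroups.length > 0) {
    return { name: session.user, level: fromGroups[0] };
  }
  // Authenticated but unlisted: -Default- applies, never the Anonymous entry.
  return { name: session.user, level: acl.default };
}

// Constructed ACLs for the two cases above, plus the suggested correction.
const case1 = { default: "Editor", anonymous: "Editor", users: {}, groups: {} };
const case2 = { default: "No Access", anonymous: "Editor", users: {}, groups: {} };
const corrected = {
  default: "No Access", anonymous: "No Access",
  users: {}, groups: { CalendarUsers: "Editor" },
};

// Constructed sessions: a signed-in user and a request with no session.
const signedIn = { user: "CN=Dev User/O=Example", groups: ["CalendarUsers"] };
const noSession = { user: null, groups: [] };

for (const [label, acl] of [["case 1", case1], ["case 2", case2], ["corrected", corrected]]) {
  const a = effectiveAccess(acl, signedIn);
  const b = effectiveAccess(acl, noSession);
  console.log(`${label}: ${a.name} -> ${a.level}; ${b.name} -> ${b.level}`);
}
```

In case 2 a request that reaches the calendar database without a session is served as Anonymous with Editor access, while the signed-in but unlisted user falls to No Access. With Anonymous set to No Access and the user covered by a group, the same request gets no access as Anonymous and the signed-in user gets Editor.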