Reverse Engineering Lotus Notes Security (using the Java API)

I’m implementing a Java program using the Domino Java API to check read access rights on Lotus Notes documents using a root/administrator session (instead of creating a new session for each user, because of performance issues).

Because we weren’t able to find a central function to check the reading rights of a user (identified by the String representation of his account’s id) we see ourselves forced to reverse engineer the entire security architecture.

What form of security gaps will we introduce when identifying users only (!) by the string representation of their user account? Are there really no other means of checking user rights (e.g. in the form of ‘checkUserRight(Document d, String userId)’)…?

Many thanks in advance!

Subject: Reverse Engineering Lotus Notes Security (using the Java API)

There is no easy way.

You will have to

  • build a list of all valid names (different user name formats, group names, and wildcards, and all assigned roles) for the user – and be sure that this list is constructed based on the same Domino Directory info that the server itself would use

  • read each note

  • read all items in the note and see if they are reader or author fields

  • read all entries in all reader/author fields and try to match them against the list of valid names for the user

Not that I’ve ever tried this, but it’s not clear to me that this would be faster than, as you say, creating a new session for each user. The Domino server code that enforces permissions does not have to move all that data across a network connection, and it is going to be far better optimized than anything you’re able to write with the available methods in the Java API.
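As an added illustration (not the poster's code) of the steps listed above, here is a Java sketch against the Domino Java API. It assumes the caller already holds an open administrative `Session`, `Database` and `Document`; group expansion and wildcard entries are deliberately left out, which is exactly why it is weaker than the server's own enforcement.

```java
import lotus.domino.*;
import java.util.*;

// Added example: approximates the manual Readers/Authors check described above.
public class ReaderCheck {

    // Step 1: build the set of name forms the user could appear under in a
    // Readers/Authors field, plus the ACL roles Domino reports for that name.
    // Group names and wildcards (e.g. */IT/Acme) are NOT expanded here; a real
    // implementation must resolve them from the same Domino Directory the server uses.
    static Set<String> validNames(Session session, Database db, String userName)
            throws NotesException {
        Set<String> names = new HashSet<String>();
        Name n = session.createName(userName);
        names.add(n.getCanonical().toLowerCase());   // CN=Tim/OU=IT/O=Acme
        names.add(n.getAbbreviated().toLowerCase()); // Tim/IT/Acme
        names.add(n.getCommon().toLowerCase());      // Tim
        for (Object role : db.queryAccessRoles(userName)) {
            names.add(role.toString().toLowerCase());  // "[RoleName]"
        }
        return names;
    }

    // Steps 2-4: the user needs at least Reader access in the ACL; then, if the
    // document carries any non-empty Readers field, the user (or one of their
    // roles) must be listed in a Readers or Authors field. Documents with no
    // Readers restriction are readable by anyone with database access.
    static boolean canRead(Session session, Database db, Document doc, String userName)
            throws NotesException {
        if (db.queryAccess(userName) < ACL.LEVEL_READER) return false;
        Set<String> userNames = validNames(session, db, userName);
        boolean hasReaders = false;
        for (Object o : doc.getItems()) {
            Item item = (Item) o;
            if (!item.isReaders() && !item.isAuthors()) continue;
            Vector<?> values = item.getValues();
            if (values == null) continue;
            for (Object v : values) {
                String entry = v.toString().trim();
                if (entry.length() == 0) continue;
                if (item.isReaders()) hasReaders = true;
                // Normalise field entries to canonical form; roles stay as "[Role]".
                String key = entry.startsWith("[")
                        ? entry.toLowerCase()
                        : session.createName(entry).getCanonical().toLowerCase();
                if (userNames.contains(key)) return true;
            }
        }
        return !hasReaders;
    }
}
```

Because the name list here is built from the string alone, anyone who can influence that string (or a group it should have been matched against) is effectively choosing which documents are returned; that is the gap the question asks about.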

Subject: Reverse Engineering Lotus Notes Security (using the Java API)

Can you be more specific in what you mean by ‘the String representation of their user id?’ Are you referring to the user name, such as ‘Tim Brewingtion/IT/Acme’ ?

Since you are implying that users may have access to different subsets of documents in the database, do you have some Authors or Readers fields with the user names stored?

If so, why not create a hidden view that sorts by these values? Your Java program can then perform a lookup against this view using the username as the key.