Poking Around With JavaSapi

May 19, 2022, 4:49 PM

Tags: dsapi java
  1. Poking Around With JavaSapi
  2. Per-NSF-Scoped JWT Authorization With JavaSapi
  3. WebAuthn/Passkey Login With JavaSapi

Earlier this morning, Serdar Basegmez and Karsten Lehmann had a chat on Twitter regarding the desire for OAuth on Domino and their recollections of a not-quite-shipped technology from a decade ago going by the name "JSAPI".

Seeing this chat go by reminded me of some stuff I saw when I was researching the Domino HTTP Java entrypoint last year. Specifically, these guys, which have been sitting there since at least 9.0.1:

JavaSapi class files in com.ibm.domino.xsp.bridge.http

I'd made note of them at the time, since there's a lot of tantalizing stuff in there, but had put them back on the shelf when I found that they seemed to be essentially inert at runtime. For all of IBM's engineering virtues (and there are many), they were never very good at cleaning up their half-implemented experiments when it came time to ship, and I figured this was more of the same.

What This Is

Well, first and foremost, it is essentially a non-published experiment: I see no reference to these classes or how to enable them anywhere, and so everything within these packages should be considered essentially radioactive. While they're proving to be quite functional in practice, it's entirely possible - even likely - that the bridge to this side of thing is full of memory leaks and potential severe bugs. Journey at your own risk and absolutely don't put this in production. I mean that even more in this case than my usual wink-and-nod "not for production" coyness.

Anyway, this is the stuff Serdar and Karsten were talking about, named "JavaSapi" in practice. It's a Java equivalent to DSAPI, the API you can hook into with native libraries to perform low-level alterations to requests. DSAPI is neat, but it's onerous to use: you have to compile down to a native library, target each architecture you plan to run on, deploy that to each server, and enable it in the web site config. There's a reason not a lot of people use it.

Our new friend JavaSapi here provides the same sorts of capabilities (rewriting URLs, intercepting requests, allowing for arbitrary user authentication (more on this later), and so forth) but in a friendlier environment. It's not just that it's Java, either: JavaSapi runs in the full OSGi environment provided by HTTP, which means it swims in the same pool as XPages and all of your custom libraries. That has implications.

How To Use It

By default, it's just a bunch of classes sitting there, but the hook down to the core level (in libhttpstack.so) remains, and it can be enabled like so:

set config HTTP_ENABLE_JAVASAPI=1

(strings is a useful tool)

Once that's enabled, you should start seeing a line like this on HTTP start:

[01C0:0002-1ADC] 05/19/2022 03:37:17 PM  HTTP Server: JavaSapi Initialized

Now, there's a notable limitation here: the JavaSapi environment isn't intended to be arbitrarily extensible, and it's hard-coded to only know about one service by default. That service is interesting - it's an OAuth 2 provider of undetermined capability - but it's not the subject of this post. The good news is that Java is quite malleable, so it's not too difficult to shim in your own handlers by writing to the services instance variable of the shared JavaSapiEnvironment instance (which you might have to construct if it's not present).

Once you have that hook, it's just a matter of writing a JavaSapiService instance. This abstract class provides fairly-pleasant hooks for the triggers that DSAPI has, and nicely wraps requests and responses in Servlet-alike objects.

Unlike Servlet objects, though, you can set a bunch of stuff on these objects, subject to the same timing and pre-filtering rules you'd have in DSAPI. For example, in the #rawRequest method, you can add or overwrite headers from the incoming request before they get to any other code:

1
2
3
4
5
public int rawRequest(IJavaSapiHttpContextAdapter context) {
    context.getRequest().setRequestHeader("Host", "foo-bar.galaxia");
        
    return HTEXTENSION_EVENT_HANDLED;
}

If you want to, you can also handle the entire request outright:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
public int rawRequest(IJavaSapiHttpContextAdapter context) {
    if(context.getRequest().getRequestURI().contains("foobar")) {
        context.getResponse().setStatus(299);
        context.getResponse().setHeader("Content-Type", "text/foobar");
        try {
            context.getResponse().getOutputStream().print("hi.");
        } catch (IOException e) {
            e.printStackTrace();
        }
        return HTEXTENSION_REQUEST_PROCESSED;
    }
    
    return HTEXTENSION_EVENT_HANDLED;
}

You probably won't want to, since we're not lacking for options when it comes to responding to web requests in Java, but it's nice to know you can.

You can even respond to tell http foo commands:

1
2
3
4
5
6
7
8
9
public int processConsoleCommand(String[] argv, int argc) {
    if(argc > 0) {
        if("foo".equals(argv[0])) { //$NON-NLS-1$
            System.out.println(getClass().getSimpleName() + " was told " + Arrays.toString(argv));
            return HTEXTENSION_SUCCESS;
        }
    }
    return HTEXTENSION_EVENT_DECLINED;
}

So that's neat.

The fun one, as it usually is, is the #authenticate method. One of the main reasons one might use DSAPI in the first place is to provide your own authentication mechanism. I did it years and years ago, Oracle did it for their middleware, and HCL themselves did it recently for the AppDev Pack's OAuth implementation.

So you can do the same here, like this super-secure implementation:

1
2
3
4
public int authenticate(IJavaSapiHttpContextAdapter context) {
    context.getRequest().setAuthenticatedUserName("CN=Hello From " + getClass().getName(), getClass().getSimpleName());
    return HTEXTENSION_REQUEST_AUTHENTICATED;
}

The cool thing is that this has the same characteristics as DSAPI: if you declare the request authenticated here, it will be fully trusted by the rest of HTTP. That means not just Java - all the classic stuff will trust it too:

Screenshot showing JavaSapi authentication in action

Conclusion

Again: this stuff is even further from supported than the usual components I muck around in, and you shouldn't trust any of it to work more than you can actively observe. The point here isn't that you should actually use this, but more that it's interesting what things you can find floating around the Domino stack.

Were this to be supported, though, it'd be phenomenally useful. One of Domino's stickiest limitations as an app server is the difficulty of extending its authentication schemes. It's always been possible to do so, but DSAPI is usually prohibitively difficult unless you either have a bunch of time on your hands or a strong financial incentive to use it. With something like this, you could toss Apache Shiro in there as a canonical source of user authentication, or maybe add in Soteria - the Jakarta Security implementation - to get per-app authentication.

There's also that OAuth 2 thing floating around in there, which does have a usable extension point, but I think it's fair to assume that it's unfinished.

This is all fun to tinker with, though, and sometimes that's good enough.

Commenter Photo

debbiekr4 - Jul 29, 2022, 9:34 PM

Hot teen pics http://schwenksville.danexxx.com/?zoe tight teen pussy porn videos free porn granny pictures full lenght vintage porn movies chinese soft porn pics jenna porn channel

Commenter Photo

Steveereby - Jul 31, 2022, 7:06 AM

Szia, meg akartam tudni az arat.

Commenter Photo

ArthurGag - Aug 1, 2022, 12:15 PM

Hi, amicable to meet you! Subcontract out me advance myselft 47 yr old Composer Cruz from Vanier, really loves making, and flower arranging. Constantly loves visiting spots like Hoi An Ancient Town https://ilovebuhurt.com/forums/users/handyman-cubandry5/

Commenter Photo

claudettesx60 - Aug 4, 2022, 7:43 AM

Scandal porn galleries, daily updated lists http://cuckold.porn.friendsville.hoterika.com/?taya king of wheelchair porn aym reid porn vidoe teentitan porn free vids toon porn bro and sis hardcore porn

Commenter Photo

stellagx1 - Aug 5, 2022, 10:09 AM

New super hot photo galleries, daily updated collections http://porn.athletes.instakink.com/?kelly

voyeur upskirt porn little gal porn viewable cell porn celebrity porn hilton sites porn sites

Commenter Photo

jeanettege18 - Aug 5, 2022, 6:00 PM

Free Porn Pictures and Best HD Sex Photos http://bdsmsm.xblognetwork.com/?delaney

list american black male porn stars hardcore porn big boobs exteme porn thumbs nastiest little porn free 1080 porn videos categories

Commenter Photo

latishakq4 - Aug 8, 2022, 12:29 PM

Scandal porn galleries, daily updated lists http://freegermanporncactus.hoterika.com/?marina big porn cum shots bettrina decapri free porn movies teen dose her first porn interveiw dilio porn brunswick georgia porn

Commenter Photo

reginaldqq69 - Aug 11, 2022, 2:32 AM

Daily updated super sexy photo galleries http://bootspornfree.retardedpornxxx.instakink.com/?melissa

teen titans totally spies cartoon porn male live porn big black butt anal porn porn fanny xxxx censorred horse porn

Commenter Photo

alfredobu1 - Aug 11, 2022, 8:02 AM

New hot project galleries, daily updates http://shemle.tssexvideos.allproblog.com/?amaya

free swinger porn tube layla rivera porn hermaphroditen porn naruto porn comices very crazy porn

Commenter Photo

bigpicVieme - Aug 16, 2022, 9:24 AM

Портал «Бигпикча» пользуется огромной популярностью у посетителей за счет того, что на нем находится только полезная, качественная и отборная информация в картинках. Мимо такого контента невозможно пройти, ведь его интригующие заголовки и удивительные картинки так и притягивают внимание своей недосказанностью. На сайте https://bigpicture.ru/ (агента оранж ) только полезные материалы, которые помогают разобраться в различных вопросах и получить массу ценной информации, о которой раньше вы и не догадывались. Этот портал создан для того, чтобы у вас всегда было отличное настроение, получили заряд положительных эмоций от просмотра новостей на самые злободневные темы. Рассматриваются самые разные аспекты жизни: шоу-бизнес, искусство, загадки и тайны прошлых лет, новости из мира фотографии и живописи. Так, спустя много лет, раскрываются самые удивительные тайны, о которых раньше даже боялись заговорить. Теперь все это доступно и вам – нужно лишь зайти на портал, который всегда рад посетителям. Подборка материалов вызовет огромный восторг у самых любопытных пользователей. Для лучшего усвоения они сопровождаются цветной, интересной картинкой. Вся информация подается в простой, лаконичной форме, чтобы она была понятна простому обывателю. Контент составленный высококлассными авторами, понравится всем, кто любит познавать и черпать информацию из достоверных источников. К важным преимуществам портала относят:

  • только интересная, честная, правдивая информация, которая понравится каждому;
  • регулярно добавляется новый контент;
  • новости на самые разные темы;
  • записи сопровождаются картинкой.

Вся информация нацелена на то, чтобы поднять уровень интеллекта, развить чувство прекрасного и помочь вам интересно и с пользой провести время. На сайте точно понравится как представителю рабочих профессий, так и учителям, бизнесменам, студентам, которые жадно впитывают всю информацию. Материал можно назвать эксклюзивным, ведь он присутствует только на этом портале. Для того чтобы не упустить интересные моменты, обязательно добавляйте портал в закладки. Специалисты сайта предпринимают все возможное, чтобы вы оставались с ними, а потому имеется материал «топ», а также лонгриды, истории, новости из сферы культуры и другое. Заходите на сайт почаще, чтобы получить больше удовольствия от просмотра и прокачать свои знания.

New Comment