Really basic data question
andy.burnett
02-11-2003, 06:30 AM
Hi,
I am just starting to play with the system. We keep our data in IBM Domino databases. Domino can return XML without any difficulty, so it seems as though Laszlo should be able to handle that easily.
What I am not sure about is how we do the authentication.
The Domino server maintains the address book for authentication. All requests for data must first have passed through a username/password challenge.
For a Laszlo app, would we point the client browser to the Domino server, which then redirects to the Laszlo server? If so, how do we authenticate the data requests from the Laszlo server, i.e. when the server asks for the XML data.
Does the question make any sense?
antun
02-11-2003, 08:03 AM
Hey Andy
This is HTTP authentication, right? i.e. the username and password are sent via the headers.
-Antun
andy.burnett
02-11-2003, 10:01 AM
Correct, just HTTP
pablo
02-11-2003, 10:39 AM
Hi Andy,
HTTP response headers, which include cookies, will be returned to your browser when data requests are made.
In your case, authenticate your application by calling your Domino server with a username and password. Once a session cookie has been set, future data requests to your Domino server will be sent with the set session. However, you must ensure that your Laszlo server and your Domino server are in the same domain.
pablo
andy.burnett
02-11-2003, 11:00 AM
Hmmm, that could be slightly tricky. We want to outsource the Laszlo server (we already do that with our Domino machines). We use Easydns to hold all our DNS entries, so it may be possible. Failing that, is there a way of dealing with the problem when the machines are split across domains?
Also, is it the Laszlo server which requests the XML data and then transmits it to the browser, or does the browser request the data directly from the Domino box - with the client-side Laszlo code handling the parsing?
pablo
02-11-2003, 02:26 PM
All data requests go through the Laszlo server. The server handles the parsing and encoding of the data that is returned to the client. The server also behaves like a proxy in that it forwards request and response headers.
Just to clarify, what does your server architecture look like? Are you planning on having the Laszlo server and Domino servers on different domains?
jtang
02-11-2003, 10:31 PM
Hi Andy,
In Laszlo apps, it is in fact possible to implement HTTP authentication against a server in a different domain from that of LPS. However, it does require a little more work, and there is a limitation in the current product (DR).
Basically, the approach involves manually retrieving the session cookie from the remote server authentication response, and then passing it with every future request to that server. The LZX API gives the developer full access to request and response headers, in which cookie values are included.
After your Laszlo app performs the initial user/password authentication request via an http dataset, it can retrieve and cache the session cookie value returned in your authentication server's response. In future requests to the same server, you just need to insert the saved cookie value in the request header before the request is invoked in order to properly identify the authenticated user. (Let me know if you're at a point where you'd like an explicit code example.)
In a future release of LPS, this behavior will be automatic -- LPS should handle this cookie passing transparently to the developer. (As noted, it already does this transparently for the single domain scenario.)
The limitation I mentioned is that even with this cookie handling, your Laszlo app will not persist the user identification across multiple Laszlo sessions -- i.e., you have to perform the authentication each time a Laszlo app begins. The reason for this is actually due to the security restrictions within your browser. (Basically, a cookie can't be written for a host other than the one from which the current site originates.) This is a problem that is under investigation, and again, we hope to resolve it in a future release.
Hope this helps,
Jerry
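The cookie relay described in the post above, as an added example that is not part of the original thread and is written in Python rather than LZX. It goes slightly beyond the post by replaying the cached cookie only to the host that issued it and by honouring the `Secure` flag; the class name, host names, paths and cookie name and value are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class SessionCookieRelay:
    """Caches session cookies per issuing host and replays them only to that host."""

    def __init__(self):
        self._jar = {}  # host -> {cookie name: (value, secure_only)}

    def store_from_response(self, url, set_cookie_headers):
        """Record cookies from the Set-Cookie headers of a response to `url`."""
        host = urlsplit(url).hostname
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                secure_only = bool(morsel["secure"])
                self._jar.setdefault(host, {})[name] = (morsel.value, secure_only)

    def headers_for(self, url):
        """Return the headers to add to a request for `url` (empty for other hosts)."""
        parts = urlsplit(url)
        cookies = self._jar.get(parts.hostname, {})
        pairs = [
            f"{name}={value}"
            for name, (value, secure_only) in cookies.items()
            # A cookie marked Secure must never travel over plain HTTP.
            if parts.scheme == "https" or not secure_only
        ]
        return {"Cookie": "; ".join(pairs)} if pairs else {}


def demo():
    relay = SessionCookieRelay()
    # Constructed sample: Set-Cookie header from the authentication response.
    relay.store_from_response(
        "https://domino.example.com/login",
        ["SessionID=abc123; Path=/; Secure; HttpOnly"],
    )
    return (
        relay.headers_for("https://domino.example.com/data.xml"),  # same host
        relay.headers_for("http://domino.example.com/data.xml"),   # downgraded scheme
        relay.headers_for("https://other.example.net/feed.xml"),   # different host
    )


if __name__ == "__main__":
    print(demo())
```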
andy.burnett
02-12-2003, 12:53 AM
Thanks guys, that clears it up in my mind.
The server architecture would probably involve servers in different domains. The Domino machines are hosted on big Unix boxes, and the company only hosts Domino. I am looking for someone to host the Laszlo box, so they could be anywhere.
The cookie handling code doesn't sound too bad, at least it would allow us to get round the problem. I don't think the inter-session persistence problem would be an issue. From a security perspective, that is how we would want it to behave.
I need to go and try some basic experiments with the Laszlo system. As soon as I have done those, I will come back to you on the code examples.
Thanks
AB