Notes/Domino XPages Development Forum - SessionCloner.getSessionCloner().getSession() notesagent You are not authorized to perform that operation

This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal

~Evelyn Brealitakoi

Nov 20, 2013, 12:38 AM

13 Posts

SessionCloner.getSessionCloner().getSession() notesagent You are not authorized to perform that operation

Category: Managed Beans in NSF
Platform: Windows
Release: 8.5.3
Role:
Tags:
Replies: 0

Summary:

Domino server 8.5.3 Windows server 2008 FP2.
When calling

    NotesAgent.runOnServer(noteid)

from a web browser in a Thread where agent is set to "run as web user", I am getting error "HTTP JVM: You are not authorized to perform that operation".

Detail:

All web requests come through 2 channels into our application, via a notes agent or via an xpage (that acts like an XAgent). We have a back end process that can take up to 20 seconds to complete, it is a call to a remote web service and we have no control over it. Due to requirements we can not queue these documents for a scheduled agent, they need to go immediately...or as immediately as the service will allow! The 2 main problems are: 1..the user has to wait up to 20 seconds, 2..the http thread is not freed up. During a busy time, we have seen the http thread pool saturate. What I have done in my test environment is send the request into the XAgent, this calls our backing bean which starts a separate thread, returns message to user. It's working great, http thread frees up immediately and a timely response for user and submission to web service proceeds "asynchronously".

The logic calling the web service is in LotusScript, converting to java would be a massive job as there are an enormous amount of interconnected processes in LotusScript. In the java thread the username is the server name, effectiveUserName is the authenticated http user, the thread calls a

    NotesAgent.runOnServer(noteid)

, which works, except the agent runs with credentials of the user that signed the agent. If we set the agent to "Run as web user", I get the error above.   As a test, I moved the code that triggers the NotesAgent.run() into the main "calling" function, which gets it's session via:

    JSFUtil.getVariableValue("session")

and this works as expected (user=server, http user=effective user). The thread session is got like this:

    this.module = NotesContext.getCurrent().getModule();
    this.sessionCloner = SessionCloner.getSessionCloner();
    NotesContext context = new NotesContext( this.module );
    NotesContext.initThread( context );
    session = this.sessionCloner.getSession();

...and as above, the effective User Name is the authenticated http user, the user name is the server name.

If I browse directly to the agent, e.g. .../myapp.nsf/myagent?openagent, the agent will run as the effective http user. I then put my test http user into the highest security group I have on my test server, same error. I then logged in as a server admin user (that has security settings for everything) and got same error.

On my test serrver I have: Domino\jvm\lib\security\java.policy when running the Job from the NSF:

grant {
   permission java.security.AllPermission;
};

Since I can trigger the agent via JSFUtil.getVariableValue("session") is there some security difference when getting a session via SessionCloner.getSessionCloner().getSession() ?

Thanks in advance.