Tips Week 2.5 - Secure RSS Feeds With Domino
My tips have dried up I'm afraid. Instead, today, I've got a lesson I learnt recently, which is worth passing on. It's of use to anybody who might encounter the following in a project - SSL, RSS and session-based authentication.
First a lesson in SSL. When a browser makes an SSL request to a server, the server doesn't know what host name it's looking for. It only knows the IP address the request arrived on. This is because it can't decrypt the request's headers until it has found the right key to use. For Domino this means finding the right Internet Site document, as there's potentially a different key in each one. To do this it has to match the site by IP address. So, if you're using SSL with an Internet Site document you have to store the server's IP address in there, along with the FQDN of the server. Like so:
This is all very well until you start using RSS. RSS and session-based authentication don't mix. Let's say you have an extranet where Anonymous has no access and there's an RSS feed at the address:
https://extranet.company.com/site.nsf/rss.xml
The user will have to login before they see it. No problems there. But, there's a big but. But, what if the user is not a user? What if it's an aggregator? For example, I use FeedDemon (FD) to keep up-to-date with RSS feeds.
If I ask FD to create a new "channel" using the above address it can't. Why? Because it expects XML back from the server. Instead, Domino returns HTML in the form of a login page. FD doesn't know this is a call for authentication, assumes the feed has a problem and leaves it there.
However, FD does support authentication, as do other aggregators. To do so it requires one thing: the server must return HTTP status code 401. At this point of the signup process we see a login box, like this:
Session-based authentication doesn't return a code 401 though. However, normal non-session-based authentication with Domino does. So, we need to turn off session-based auth for the RSS feed. How do we do this while keeping session-based auth for the normal site?
Well, there's only really one way to do it. We need to bind an additional IP address to the server and add an extra entry to the DNS for it, like so:
192.168.0.101 extranet.company.com
192.168.0.102 rss.extranet.company.com
Now we can add an extra Internet Site document where session-based auth is disabled. The document would look something like this:
The address for the feed would then become:
https://rss.extranet.company.com/site.nsf/rss.xml
Does that make sense? I hope so. It just took about an hour to write all that. Hopefully it will be of use to somebody (some of it applies to non-secured RSS feeds where authentication is required). If anybody knows of a better way to do it, please tell.
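A quick way to confirm that the RSS Internet Site is doing what the post describes is to request the feed with no credentials and look at what comes back: a 401 with a WWW-Authenticate header means aggregators can prompt for a login, while a 200 carrying an HTML login form means session-based auth is still in play. This checker is an added example and not part of the original post; the URLs and response bodies in the test are constructed, and the login-form detection assumes Domino's form contains an input of type password.

```python
"""Check how a Domino RSS feed URL answers an unauthenticated request.

Aggregators need an HTTP 401 with a WWW-Authenticate header before they
will prompt for credentials. A session-auth Internet Site answers with an
HTML login form instead, which the aggregator treats as a broken feed.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit


def classify_feed_response(status, headers, body):
    """Return 'basic-auth-challenge', 'feed', 'session-login-page' or 'other'.

    headers may be a plain dict or an http.client.HTTPMessage."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if status == 401 and "www-authenticate" in h:
        return "basic-auth-challenge"        # what FeedDemon and friends want
    if status == 200 and ("xml" in ctype or body.lstrip().startswith("<?xml")):
        return "feed"                        # anonymous access is allowed
    if "html" in ctype and re.search(r'type=["\']?password', body, re.I):
        return "session-login-page"          # session auth still enabled
    return "other"


def url_warnings(url):
    """Flag a feed URL served over plain http or carrying credentials in its query."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("plain http: credentials would cross the wire in clear text")
    if any(k.lower() in ("username", "password") for k in parse_qs(parts.query)):
        warnings.append("credentials in the URL: they land in logs, history and proxies")
    return warnings


def probe(url, timeout=10):
    """Fetch the URL with no credentials and classify the server's answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "feed-check/1.0",
                                               "Accept": "application/rss+xml, application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_feed_response(resp.status, resp.headers,
                                          resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_feed_response(err.code, err.headers,
                                      err.read().decode("utf-8", "replace"))
```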
Further Reading:
You can also do the following:
Point the feed reader at
http(s)://yourwebaddress/names.nsf?login&Username=YOURUSERNAME&Password=YOURPASSWORDHERE&RedirectTo=/subdir/Feeds.nsf/rss.xml?openpage&category=All
Since your credentials are sent clear text anyway ;o)
You could do Jonathan, but that's not really something you can sell to a customer or expect them to ask their users to do is it?
As developers we all know the credentials are sent this way, but there's no need to alarm the user with this fact. Better to let them believe otherwise and remain oblivious.
How would you add the RSS feed icon to the site, with their password (from the NAB) included in it, so that they could right-click-copy the URL to their aggregator?
That might be old hat to the admins that read this, but as someone that will be running into this issue in ... a couple months, I'm impressed!
Thanks Jake!
Great stuff!
I was pulling my hair out a couple of months ago and then gave up trying to do what you just described.
Thanks!
Bill + Jens. Thanks. Glad to know it helped. I now know it wasn't an hour wasted.
Thanks, Jake. I'm not hitting this yet, but I'm pushing a client to adopt more Domino, so having this little tidbit in the back of my mind could prove quite strategic. :-)
Is it just me, or did the font shrink a lot today? It appears to be smaller than in the past. As a fairly recent lasik patient, things like this freak me out and I find that I'm staring at the sign on my wall to make sure I can read it.
Thanks, Jake! I'd planned on tackling this in the near future and once again you came in with some much-needed advice and guidance.
Old hat to the admins that read this? Well, I can't be a very good admin then as I've never come across this.
Interesting post, nice workaround.
Sorry to revive this after so long but I missed it first time round. This looks a fairly painless way to avoid session authentication for a server or domain but if SSL is also used on the host databases does this mean you have to provide a separate SSL server certificate for the rss.extranet.company.com domain?
Yes, Mark, as far as I know you need two SSL certs if you want to have this extra subdomain added. Or can you buy a cert for *.mydomain.com? I can't remember.
Jake
Yes, you can buy a cert for *.mydomain.com.