Lotus Domino and Apache Tomcat - Single Sign On (SSO)
Last updated on 2005-10-06
   
Version 2.4.8, Oct 06 2005
Introduction
This article introduces a Single Sign On (SSO) technique between Lotus Domino 6.5.3 and Apache Tomcat 5. These web servers do not share SSO in the traditional sense. In fact, we can‘t really call it SSO. It‘s more of an "integration" technique for these two technologies, and it works very well.
Lotus Domino uses cookie-based authentication. When you authenticate with a Domino web server, an Ltpa Token is stored in your web browser as a cookie. Apache Tomcat uses its own form of authentication and can not reuse the Domino Ltpa Token for authentication. (LTPA is light-weight third party authentication)
-- Brian Green
Our Goal
It‘s possible to "integrate" the two web servers. The user will authenticate only once, and may then access the Domino and Apache Tomcat web servers.
Example Scenario
Suppose you have two web servers. One server runs Lotus Domino 6.5.3, and the other runs Apache Tomcat 5. Their host names are domino., and tomcat.. These are both stand-alone servers. They could be running on the same hardware, or on separate hardware. They are independent web servers with unique host names.
When a user opens a web page on domino., or on tomcat., the user is forced to authenticate. The user enters their Domino password once, and may then view web pages on both domino. and tomcat.. When the user has a valid LtpaToken, they may navigate between the participating Domino or Tomcat servers. This is also true with WebSphere servers that have SSO configured to work with Domino. It should also be compatible with Tivoli Access Manager.
Of course, Tomcat could use Domino‘s LDAP directory for authentication. However, this would not give you an LtpaToken.
| Host name |
Authenticate using |
Web server technology |
| domino. |
domino. |
 Lotus Domino 6.5.3, or later versions |
| tomcat. |
domino. |
 Apache Tomcat 5.0.28,  Java 1.4.2_08
-or-
Apache Tomcat 5.5.9, Java 1.5.0_03
-or-
later versions |
NOTE - This technique does NOT use the "Domino Tomcat Redirector"
You may be familiar with the Domino Tomcat Redirector. It allows you to replace Domino‘s Java Servlet Engine with Apache Tomcat. When Domino receives a JSP/Servlet request, it will pass the request to the "third party servlet engine". This allows you to have a single host name for both Domino and Apache Tomcat. (The disadvantage is that a Tomcat-crash can also crash the Domino server, and there is additional complexity for your Domino administrators to understand and maintain.) For more information, see Apache‘s Domino HowTo.
The article below refers to a standard install of Domino, and a standard install of Apache Tomcat. There‘s nothing special about their installations, and therefore, there is much less complexity.
Domino Developers
Java technology will give your Domino skills a big boost. I recommend reading the book Head First Servlets & JSP as an introduction to the Java/J2EE universe. It will help you understand how J2EE applications are constructed. Here‘s a review by Thomas Duff.
NOTE: Your Domino server must be 6.5.3 or later. Lotus corrected two Java methods: Session.getUserNameList() and Session.getUserGroupNameList() . These methods are "bugged" in previous versions of Domino.
Web Developers
In short, you‘re just adding a Filter to your application‘s web.xml file. Add a couple JAR files, edit your web.xml, and you‘re done! Wrap it all up as a .WAR file if you wish, and then deploy your application.
When the user has a valid LtpaToken, you can extend your web application with Domino‘s JSP Tag Library. Read on...
We (Automated Logic Corporation) use this on 3 production Tomcat servers, and hope you will also find it useful!
Overview of Domino and Tomcat SSO "integration"
Please refer to diagram below. When a web page is requested, Tomcat checks the user‘s session for a DominoUserProfile object. This tells Tomcat about the user. If the user has a DominoUserProfile and an LtpaToken, they are considered to be authenticated and may view the web page. If not, the user is redirected to a Login Form where the user enters their Domino Internet username and password. These credentials are submitted to a Login Servlet on the Tomcat server. If the login was successful, then the Servlet will give the user a new LtpaToken, and redirect the user to the requested web page. Otherwise, the user is redirected to the Login Form where they can read additional help.
If the user has already authenticated with a Domino web server, the user will already have an LtpaToken, and will not be prompted to login to Tomcat.
DOMINO SERVER SETTINGS
You may need to edit the web configuration of your Domino server. It must have "session authentication" set to use "multiple servers (SSO)".
In short, this allows the LtpaToken cookie set by the host domino. to be read by other hosts in the same domain -- like tomcat..
The "diiop" task must be running on the Domino server. You should read the Domino Administrator Help for complete information. Here are some examples from the Domino Directory.
Domino Server Settings - The Domino "Server" document, located in names.nsf
If you are running Domino and Apache Tomcat on the same hardware, you must "bind" Domino to the host name(s).
Domino Server Settings - Web SSO Configuration
Domino Server Settings - Web Site - basics tab
Domino Server Settings - Web Site - domino web engine tab
Domino Server Settings - IIOP - basics tab
Domino Server Settings - IIOP - security tab
Domino Server Settings - HTTP Server: Error loading Web SSO configuration
Restart your Domino server. Do you see an error message like the following?
"HTTP Server: Error loading Web SSO configuration ‘LtpaToken‘ (Single Sign-On configuration is invalid)."
"HTTP Server: Error loading Web SSO Configuration ‘LtpaToken‘ for Web Site ‘XYZ‘ (Single Sign-On configuration is invalid)"
If you see an error message on your Domino server console, please search for Technote 1106654 at this address:
http://www-950.ibm.com/search/SupportSearchWeb/SupportSearch?pageCode=SBS&brand=lotus
ABOUT APACHE TOMCAT
You should already have some knowledge of Apache Tomcat. Visit the Apache web site for additional information.
NOTE - The HTTP and DIIOP ports must be open between Apache Tomcat and Lotus Domino. By default these are ports 80 and 63148.
If you‘re running Domino on Linux, your DIIOP port may be 60148. If you‘d like to use the traditional port number on Linux, you must tell the Domino server to "ignore port limits on Linux". See DIIOPIgnorePortLimits.
STEP #1 - APACHE TOMCAT CONFIGURATION
Optional. If you are running Domino and Apache Tomcat on the same hardware, you should "bind" Tomcat to a specific IP address. You can do this by adding an "address property" to the "connector" tag.
Edit the server.xml file on your Tomcat server. For example, D:\Tomcat5\conf\server.xml
If you need an XML editor, try Notepad++.
Here is an example of a "connector" tag. Notice the "address" property.
<Connector port="80" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
debug="0" connectionTimeout="20000" disableUploadTimeout="true"
address="172.16.90.4" />
STEP #2 - APACHE TOMCAT CONFIGURATION
Download the files located at the top of this article: dominoapp.zip, login.zip
Extract each ZIP file to Tomcat‘s "webapps" folder. For example, D:\Tomcat5\webapps
You should have two new folders: dominoapp, and login.
"dominoapp" is a sample application. You‘ll need it to follow the examples in this article.
"login" contains the login form. When you create your own applications, they will need this login application, or one that you create.
STEP #3 - APACHE TOMCAT CONFIGURATION
Find web.xml in the dominoapp application. For example, D:\Tomcat5\webapps\dominoapp\WEB-INF\web.xml
Locate the "filter" information. Replace "domino." with your Domino server‘s host name.
<filter>
<filter-name>DominoLoginFilter</filter-name>
<filter-class>com.automatedlogic.domino.sso.DominoLoginFilter</filter-class>
<init-param>
<param-name>DominoDIIOPConnection</param-name>
<param-value>domino.:63148</param-value>
</init-param>
<init-param>
<param-name>DominoTomcatLoginContext</param-name>
<param-value>/login</param-value>
</init-param>
<init-param>
<param-name>DominoSecurityGroupName</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>DominoPersonDetail</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<param-name>DominoTomcatLoginDebug</param-name>
<param-value>1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>DominoLoginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
When a user requests any page matching the url-pattern, Tomcat will run the filter-class. It‘s the filter-class that will decide if the user may continue, or if Tomcat should direct the user to a login page.
The filter requires two parameters. The first, DominoDIIOPConnection, is the host and port address of the Domino server. The Domino server must be running the DIIOP task. The second parameter, DominoTomcatLoginContext, is the "context path" to your "login" application. That‘s where the user will be redirected if they are not logged in.
The third parameter, DominoSecurityGroupName, is optional. Use it to restrict access to members of a Domino Directory group. When you specify a group name, the user must be a member of that group. Leave the parameter blank to grant access to all authenticated users.
Here are some examples when using DominoSecurityGroupName.
<!-- Restrict access to members of the "Marketing" group found in the Domino Directory. -->
<init-param>
<param-name>DominoSecurityGroupName</param-name>
<param-value>Marketing</param-value>
</init-param>
<!-- Restrict access based on the user‘s hierarchal name. For example, Jane Smith/Corporate/ACME would have access. -->
<init-param>
<param-name>DominoSecurityGroupName</param-name>
<param-value>*/OU=Corporate/O=ACME</param-value>
</init-param>
<!-- Restrict access to members of the "Marketing" or "Sales" groups. Separate each group name with a semi-colon. -->
<!-- When you specify more than one group, the user must be a member of at least one group. -->
<init-param>
<param-name>DominoSecurityGroupName</param-name>
<param-value>Marketing; Sales</param-value>
</init-param>
The fourth parameter, DominoPersonDetail, is optional. It determines how much detail will be stored in the DominoUserProfile.
1 = All. Store the user‘s name, groups, and other information from the Domino Directory. For example, phone numbers, mailing address, etc., from the user‘s Person document. (This is the default.)
0 = Subset. Store only the user‘s name and groups.
The last parameter, DominoTomcatLoginDebug, is optional and will add login information to your Tomcat log.
Here‘s a picture from my desktop. I‘m using IntelliJ IDEA for Java development.
STEP #4 - APACHE TOMCAT CONFIGURATION - OPTIONAL
This step is optional. It is needed to follow the examples later in this article.
You‘ll see another DominoDIIOPConnection setting in web.xml. Replace "domino." with your Domino server‘s host name.
Later in this article you‘ll see an example JSP where this setting is needed. The example page is named domino.jsp.
<!--
A context-param defines a shared String constant. The example page domino.jsp must know how
to connect to the Domino server.
The param-name shown below, DominoDIIOPConnection, is used on domino.jsp to open a
DIIOP connection to the Domino server. This is the host name and port for Domino authentication.
For example, domino.:63148
When you have many web pages like domino.jsp, it‘s easier to define the Domino server information in one place.
You can then reference the same information on many web pages.
-->
<context-param>
<param-name>DominoDIIOPConnection</param-name>
<param-value>domino.:63148</param-value>
</context-param>
STEP #5 - APACHE TOMCAT CONFIGURATION - OPTIONAL
This step is optional. It is needed to follow the examples later in this article.
You may wish to include a logout button on your web pages. In web.xml, edit the settings for the Servlet named "DominoLogoutServlet".
Edit the param-value for "LtpaTokenCookieDomain". Replace "" with your root host name.
Later in this article you‘ll see an example JSP where this setting is needed. The example page is named userinfo.jsp, and includes a logout button.
<servlet>
<servlet-name>DominoLogoutServlet</servlet-name>
<servlet-class>com.automatedlogic.domino.sso.logout.DominoLogoutServlet</servlet-class>
<init-param>
<param-name>RedirectTo</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>LtpaTokenCookieDomain</param-name>
<param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>DominoLogoutServlet</servlet-name>
<url-pattern>/logout</url-pattern>
</servlet-mapping>
Additional information about the DominoLogoutServlet
The servlet will delete the user‘s LtpaToken cookie, remove objects from the user‘s session, and finally redirect the user to a web page.
Two parameters are required. The first, RedirectTo, is a URL where the user will be redirected after the Logout. This can be a relative URL, or a complete URL. For example, "/thankyou.html". If this param-name is blank or missing, the user will be redirected to "/".
The second parameter, LtpaTokenCookieDomain, is the domain name of the LtpaToken cookie. For example, "".
If this param-name is blank, missing, or inaccurate, then the LtpaToken cookie will not be deleted, and the user will remain authenticated.
Check your Domino server for the proper setting. See Domino Directory > Configuration > Web > Internet Sites. Look at the "Web SSO Configuration" document. Look at the value for "DNS Domain". If the value for "DNS Domain" is ".", then your setting for LtpaTokenCookieDomain must be "". Notice there is not a "." preceding "".
Your "logout" button should link to the address: /<context-path>/logout
For example, /dominoapp/logout
STEP #6 - APACHE TOMCAT CONFIGURATION
Find web.xml in the login application. For example, D:\Tomcat5\webapps\login\WEB-INF\web.xml
Edit the param-value for "DominoDIIOPConnection". Replace "domino." with your Domino server‘s host name.
Edit the param-value for "LtpaTokenCookieDomain". Replace "" with your root host name.
<servlet>
<servlet-name>DominoLoginServlet</servlet-name>
<servlet-class>com.automatedlogic.domino.sso.login.DominoLoginServlet</servlet-class>
<init-param>
<param-name>DominoDIIOPConnection</param-name>
<param-value>domino.:63148</param-value>
</init-param>
<init-param>
<param-name>LtpaTokenCookieDomain</param-name>
<param-value>
</init-param>
<init-param>
<param-name>DominoTomcatLoginDebug</param-name>
<param-value>1</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>DominoLoginServlet</servlet-name>
<url-pattern>/DominoLoginServlet</url-pattern>
</servlet-mapping>
The user will enter their username and password in a login form. The form is sent to the Servlet named "DominoLoginServlet", where the user information is verified, and an LtpaToken is saved to their web browser. The user is then redirected to the web page they requested.
STEP #7 - APACHE TOMCAT CONFIGURATION
Find a copy of NCSO.jar. You can find it on your Domino Server (6.5.3 or later). It‘s very important that your version of NCSO.jar matches your Domino server. When the Domino server is upgraded, you should get a new copy of NCSO.jar for your Tomcat applications. Don‘t use an older version. (If you have a Domino Designer client, and it‘s the same version as your Domino server, you can get a copy of NCSO.jar from that client.)
Copy NCSO.jar to the "dominoapp" location for .jar files. For example, D:\Tomcat5\webapps\dominoapp\WEB-INF\lib
Copy NCSO.jar to the "login" location for .jar files. For example, D:\Tomcat5\webapps\login\WEB-INF\lib
STEP #8 - APACHE TOMCAT CONFIGURATION
Restart your Apache Tomcat server. Open a web browser, and the "dominoapp" application. For example, tomcat./dominoapp
If the user is requesting a web page that matches the filter (see step #3), Tomcat will load the filter-class com.automatedlogic.domino.sso.DominoLoginFilter. If the user has not been authenticated, they will be directed to the /login application. This is where login.jsp will be opened. The user is prompted for their username and password. They will then be redirected to the web page they were attempting to open.
Features of the Login form:
- If the user‘s web browser has Cookies disabled, a message will appear on their login form. Cookies are required for the LtpaToken.
- When the user enters an incorrect login, the login page will display additional help. The Tomcat session will contain an object named DominoLoginFailure. This will give you the exact Lotus Domino error code and error message.
- You can customize the login form by editing web.xml. You can change the "welcome message", and show a graphic.
Next you‘ll see some example JSP pages.
JSP Example #1 - Using the DominoUserProfile object
When the user is authenticated, a special object is stored in the user‘s Tomcat session. The object is named DominoUserProfile. It contains information about the user. You may reference this object in your Tomcat applications.
Open the page "userinfo.jsp" in your "dominoapp" application. For example, tomcat./dominoapp/userinfo.jsp
It‘s an example JSP showing some properties and methods of the DominoUserProfile object. For example, all the groups in the Domino Directory where the user is a member. You could, for example, use the Group information to conditionally show/hide information in your JSP pages.
JSP Example #2 - Using the Domino JSP Tag Library
Please read the Domino Designer Help for more information on the JSP tag library.
This is a very short introduction to the tag library. You‘ll see how a JSP can display Domino data. First you must find a copy of these files: domtags.jar, domtags.tld, and domutil.tld. You can find them on a computer with the Domino Designer client.
Add the file dominotags.jar to the "lib" folder. For example, D:\Tomcat5\webapps\dominoapp\WEB-INF\lib
Add the files domtags.tld and domutil.tld to the "tlds" folder. For example, D:\Tomcat5\webapps\dominoapp\WEB-INF\tlds
Restart your Apache Tomcat server.
Next, add this database to your Domino server.
Now you‘re ready to follow the example. Open the database in a Lotus Notes client, and open the "tomcat" view. Notice that it‘s a categorized view. You‘ll see how a JSP page can display documents from the "Cartoon" category.
Open domino.jsp. Read the code comments.
<%@ page import="com.automatedlogic.domino.sso.DominoUserProfile"%>
<%@ taglib uri="domtags.tld" prefix="domino" %>
<%@ taglib uri="domutil.tld" prefix="domutil" %>
<%
ServletContext context = this.getServletConfig().getServletContext();
DominoUserProfile dominoUserProfile = (DominoUserProfile) session.getAttribute("DominoUserProfile");
String dominoView;
dominoView = "tomcat";
String dominoViewCategory;
dominoViewCategory = "Cartoon";
String thisDocumentTitle;
%>
<html>
<body>
<!-- Use the dominoUserProfile if you need information about the user.-->
Hello, <%= dominoUserProfile.getCommonName() %>.
<br/><br/>
<!-- Open the Table tag -->
<table border="1">
<!-- The current web user has an LtpaToken. Open a session to the Domino server, and use "*webuser" to specify the current user. -->
<!-- The value for "host" is defined in web.xml. For example, domino.:63148
When you have many web pages like domino.jsp, it‘s easier to define the Domino server information in one place.
You can then reference the same information on many web pages. -->
<domino:session
id="mySession"
user="*webuser"
host="<%= context.getInitParameter("DominoDIIOPConnection") %>"
debug="false"
onfailure="inline"
time="true">
<!-- Open a categorized View in the Domino database. Find all documents in a specific category (key). -->
<domino:view
id="myView"
dbname="jspdemo.nsf"
viewname="<%= dominoView %>"
key="<%= dominoViewCategory %>"
keytype="string"
keyexact="true"
debug="false"
onfailure="inline"
time="true">
<domino:viewloop id="myViewLoop" start="1" count="99">
<!--
Example #1 - Get Domino data and place it in a new table row.
The following two lines get the value in the second column,
and store the value in "thisDocumentTitle".
A new row is added to the table with the value.
-->
<domino:viewitem id="CaseCategoryDesc" col="2" format="RAW"/>
<% thisDocumentTitle = CaseCategoryDesc.toString(); %>
<tr><td colspan="2" align="center"><b> <%= thisDocumentTitle %> </b></td></tr>
<!--
Example #2 - In the Domino view, the 3rd column uses this formula:
"<tr><td>" + Title + "</td><td>" + Description + "</td></tr>"
Return the raw text from the Domino view‘s 3rd column.
In this example, all of the HTML is calculated from the Domino view.
-->
<domino:viewitem col="3" format="RAW" />
</domino:viewloop>
<domino:novalues>No Documents Found.</domino:novalues>
</domino:view>
</domino:session>
</table>
</body>
</html>
Open domino.jsp in your web browser. For example, tomcat./dominoapp/domino.jsp
You should see the following web page.
Edit some of the documents with your Lotus Notes client, and then refresh your web browser. Kewl, huh?
JSP events:
- Open a DIIOP connection to the Domino server, as the current web user.
- Look in the View "tomcat".
- Return all documents in the category "Cartoon".
- Add information from each document to the JSP page.
Domino‘s JSP Tag Library allows you to display Domino data inside the web page. Information is created dynamically based on the web user‘s Domino security access. This is a very powerful feature in your Tomcat applications. In the previous example, the JSP returned 4 documents from the "Cartoon" category. The user has reader access to all 4 documents. To hide documents from some users, you could edit the design of the Domino database and add "Reader" security to documents. The Tomcat user must have Reader access to a document, or it will not appear on their web page. This is true even if the Document is in the "cartoon" category. Domino security inside a JSP!
REVIEW - How would you add Domino SSO integration to another Tomcat application, like the dominoapp example?
Let‘s review. You added two new applications to your Tomcat server. They are /login and /dominoapp.
The /login application can be used for many Tomcat applications. The user will only need to authenticate once, and may then access each application.
The /dominoapp application showed you some example JSPs. In one example, userinfo.jsp, you saw an example for using the DominoUserProfile object. In the other example, domino.jsp, you used Domino‘s JSP tag library to display real-time Domino information inside the JSP.
How would you add Domino SSO integration to another Tomcat application, like the dominoapp example? It‘s very easy:
STEP #1 of 2
Add NCSO.jar and dominosso.jar to your application‘s WEB-INF\lib folder. For example, myapp\WEB-INF\lib
As an alternative, you could place these shared .jar files in Tomcat‘s shared library. For example, D:\Tomcat5\shared\lib
STEP #2 of 2
Edit web.xml in your new application. For example, myapp\WEB-INF\web.xml
Add a new "filter", and "filtermapping". Replace the text "domino." with your Domino server‘s host name.
<filter>
<filter-name>DominoLoginFilter</filter-name>
<filter-class>com.automatedlogic.domino.sso.DominoLoginFilter</filter-class>
<init-param>
<param-name>DominoDIIOPConnection</param-name>
<param-value>domino.:63148</param-value>
</init-param>
<init-param>
<param-name>DominoTomcatLoginContext</param-name>
<param-value>/login</param-value>
</init-param>
<init-param>
<param-name>DominoSecurityGroupName</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>DominoPersonDetail</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<param-name>DominoTomcatLoginDebug</param-name>
<param-value>0</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>DominoLoginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
ADVANCED - MULTIPLE FILTERS
Let‘s say your application is named "myapp". D:\Tomcat5\webapps\myapp
In web.xml for "myapp", you add a single Filter. It allows any Domino-authenticated user to view the application.
| filter-name |
url-pattern |
DominoSecurityGroupName |
Example URL |
| DominoLoginFilter |
/* |
(blank) |
tomcat./myapp/index.html |
Your application also contains a folder named "admin". D:\Tomcat5\webapps\myapp\admin
You‘d like to restrict access to the folder. Only users listed in the Domino Directory‘s "Administrators" group should have access to this "admin" folder. You add a second filter to web.xml.
| filter-name |
url-pattern |
DominoSecurityGroupName |
Example URL |
| DominoLoginFilterAdmin |
/admin/* |
Administrators |
tomcat./myapp/admin/index.html |
Each Filter defines a different url-pattern for your application, and could also define a different Domino Directory group (or groups) for security.
For example, any authenticated user can open the application root "/", but only users in the Domino Directory "Administrators" group can access the "/admin" area.
ADVANCED - Additional options for login redirection
The example "login" application prompts the user for their Domino username and password. They receive a new LtpaToken and are redirected back to the web page they requested. This "login" application runs directly on your Tomcat server. The web user does not communicate directly with a (public facing) Domino web server.
Some companies prefer that users authenticate with a central "login server", where they receive an LtpaToken, and are redirected back to the web page they requested. You can determine how the Tomcat server redirects users for authentication by editing the web.xml settings.
Look at the DominoTomcatLoginContext parameter.
If you define a relative URL, like "/login", the user will be redirected to that application on the current Tomcat server.
However, you can also define a complete URL, like
https://login./. This would redirect the user to another web server for authentication.
In both cases, the URL will contain a parameter named "page". The parameter contains the URL that the user is attempting to open. When login is complete, the user can be redirected back to this page.
You can change the parameter‘s name to something different. For example, you may wish to change it to "RedirectTo". This is determined by the DominoTomcatLoginContextParam value in web.xml.
For Domino users, you may wish to redirect the user to a regular Domino server‘s login page. For example, your setting for DominoTomcatLoginContext would be
https://domino./names.nsf?login, and your setting for DominoTomcatLoginContextParam would be "RedirectTo". The Domino server‘s regular login page will look for this RedirectTo parameter, and redirect the user after login is complete.
Here‘s another JSP example. It uses a product called Swiff Chart Generator to dynamically create Charts as Flash objects. (Kidos to Mike Golding for introducing me to Swiff Chart.)
About Swiff Chart
Dynamically serve eye-catching animated charts from ASP, PHP, JSP and ColdFusion. Query data from a database, apply your own style template created with Swiff Chart and instantly generate high-impact charts in Macromedia Flash format, PNG/JPG format and SVG/PDF format.
Click Here to see the animated chart. You must have the Flash plug-in installed.
In this example JSP, you connect to a Domino database, collect some data for the chart, then build a Chart object. It‘s really very simple... and because the user is already authenticated with the Domino-Tomcat SSO utility, you can create some interesting applications!
<%@ page import="com.globfx.swiffchart.SwiffChart" %>
<%@ taglib uri="domtags.tld" prefix="domino" %>
<%@ taglib uri="domutil.tld" prefix="domutil" %>
<%
ServletContext context = this.getServletConfig().getServletContext();
String dominoView;
dominoView = "swiftchart";
String dominoViewCategory;
dominoViewCategory = "Cartoon";
String chartCategories = "";
String chartData = "";
%>
<html>
<body>
<!-- Collect information from the Domino database. This data will be added to our Chart. -->
<domino:session
id="mySession"
user="*webuser"
host="<%= context.getInitParameter("DominoDIIOPConnection") %>"
debug="false"
onfailure="inline"
time="true">
<!-- Open a categorized View in the Domino database. Find all documents in a specific category (key). -->
<domino:view
id="myView"
dbname="jspdemo.nsf"
viewname="<%= dominoView %>"
key="<%= dominoViewCategory %>"
keytype="string"
keyexact="true"
debug="false"
onfailure="inline"
time="true">
<domino:viewloop id="myViewLoop" start="1" count="99">
<!--
Collect information from this document. Get the Category and Quantity.
-->
<domino:viewitem id="noteCategory" col="3" format="RAW"/>
<domino:viewitem id="noteQuantity" col="4" format="RAW"/>
<%
//Category
if( chartCategories.equals("") ) {
chartCategories = noteCategory.toString();
} else {
chartCategories += ";" + noteCategory.toString();
}
//Quantity
if( chartData.equals("") ) {
chartData = noteQuantity.toString();
} else {
chartData += ";" + noteQuantity.toString();
}
%>
</domino:viewloop>
<domino:novalues>No Documents Found.</domino:novalues>
</domino:view>
</domino:session>
<%
//Swiff Chart Generator, see http://www./
// Test init
String installation_dir= "C:\\Program Files\\GlobFX\\Swiff Chart Generator 3";
String web_root= "D:\\Tomcat5\\webapps\\ROOT";
// Create a new Swiff Chart object
SwiffChart chart= new SwiffChart(installation_dir);
// JSP Init
chart.SetServletInfo(request,response);
chart.SetDocumentRoot(web_root);
String sep= ";";
boolean ignoremultseparators= true;
chart.SetSeparators(sep, ignoremultseparators);
// Fill the series and categories
chart.SetCategoriesFromString(chartCategories);
chart.SetSeriesValuesFromString(0, chartData);
// Set the chart title
chart.SetTitle("Domino-Tomcat JSP Example");
// Apply a Pie style
// The chart type is stored in the style file (*.scs)
// Here the selected style is the predefined column style "Honolulu"
String style = "pie/Honolulu";
chart.LoadStyle( style );
chart.SetLooping( false );
String chart_res= chart.GetHTMLTag();
%>
<H1>Pie Chart</H1>
<br><% out.println( chart_res ); %>
</body>
</html>
Web Service Example
This example web service allows you to decode a user‘s LtpaToken cookie. It will return an XML representation of their DominoUserProfile object. This contains the user‘s name, access control groups, or any other information from their Person document in the Domino Directory.
1) Install Apache Axis.
2) Add these JAR files to WEB-INF\lib
dominosso.jar
NCSO.jar
3) Add the following JWS file.
4) Edit LtpaTokenService.jws. Change the value for "domino.:63148" to your Domino server‘s host name.
5) Write your own Web Service to communicate with LtpaTokenService. Use the service method named "decode". Provide the web user‘s LtpaToken cookie value as the parameter. This will return XML, or null if the LtpaToken cookie is invalid.
Example scenario:
A web user has already authenticated with your Domino or Tomcat web servers. They have a valid LtpaToken cookie for *..
You have another web server running, let‘s say, Microsoft IIS. It does not have native support for LtpaToken. The ISS web server can read the LtpaToken cookie value, but doesn‘t understand it. Is the token valid? Who is the user? What are their access control groups?
The ISS Web server could get the web user‘s LtpaToken cookie, and use the Web Service to decode it... the rest is up to you.
|
