Using the Domino AJAX Proxy

Thursday, July 24, 2014 10:03 PM UTC

In our current project we utilize a function of the Domino server you may not be familiar with - the AJAX proxy. It has been a built-in feature of the Domino server since the later versions of 8.5. To set up the proxy you just have to take a deep dive into the policy settings, especially the security settings documents of a - just say - domain-wide policy. In the settings document you can specify the addresses for which Domino will pass all kinds of requests through to another server, even if it does not reside on the same host. This comes in handy if you call RESTful services on a server other than your Domino server and want to keep your browser from blocking them as cross-site requests (the same-origin policy).

After setting up the proxy you are able to call your desired services and URLs without a hassle.

In our case we use the proxy to call RESTful services from an Apache TomEE server, get responses and work with them in our Notes environment again. We used the responses both in client-side JavaScript with Dojo XHR and in the backend with an Apache HTTP client in pure Java. Both are working great.

In all our cases we produced JSON requests and got JSON responses to handle the data. Once we ran into a problem: in our application we use a self-defined session handling for the backend database, which is an MS SQL Server. The parameter we sent back and forth is called "AppSessionID", which was a field in our SQL database used to perform checks.

There seems to be a restriction on parameter names and/or JSON field names in requests sent via the Domino proxy. When we read the AppSessionID that had just been posted via a REST call, we noticed that the only readable parameter was called "App", plus the other parameters we sent to the REST service.

Even worse: the parameter map we tried to handle showed us stuff like "AppParameterID" - a wild combination of the AppSessionID name and another parameter called "ParameterID". Our REST service couldn't handle that properly of course.

Conclusion: the Domino proxy cuts out the keyword "SessionID". And the cause is very clear: this is also the name of a cookie Domino provides to the browser after logging in using session-based authentication. For some reason the proxy filters this pattern out of any request that is sent through it.

Good to know, so we renamed our parameter to "AppSessID" - and Domino routes this perfectly to our TomEE server.

We haven't come across other "reserved" keywords or names yet. But if you know of others that the proxy filters out, please let me know!
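One way to catch this kind of mangling in a test before it reaches production, as an added example that is not code from the original project: it flags parameter names containing the stripped keyword and compares the names a client sent with the names the backend reported receiving, covering both symptoms described above. The function names, status labels and the `UserName` parameter are assumptions made for illustration.

```javascript
// Added example: detect parameter names mangled on the way through a proxy.
// Only "SessionID" is reported as stripped in the post; extend if you find more.
const STRIPPED_KEYWORDS = ["SessionID"];

// Lint: names that contain a stripped keyword. Matching case-insensitively is
// an assumption (the post does not say), chosen to err on the safe side.
function findRiskyNames(names, keywords = STRIPPED_KEYWORDS) {
  return names.filter((n) =>
    keywords.some((k) => n.toLowerCase().includes(k.toLowerCase())));
}

// Compare the names the client sent with the names the backend echoed back.
function diffParams(sentNames, receivedNames) {
  const received = new Set(receivedNames);
  const report = {};
  for (const name of sentNames) {
    if (received.has(name)) { report[name] = { status: "intact" }; continue; }
    // merged: start of this name glued onto another sent name ("App"+"ParameterID")
    const merged = receivedNames.find((r) => sentNames.some((other) =>
      other !== name && r.endsWith(other) && r.length > other.length &&
      name.startsWith(r.slice(0, r.length - other.length))));
    // truncated: only a leading part of the name arrived ("App")
    const prefix = receivedNames.find((r) =>
      r.length > 0 && r.length < name.length && name.startsWith(r));
    // absorbed: this name survives only as the tail of a longer received name
    const host = receivedNames.find((r) =>
      r.length > name.length && r.endsWith(name));
    if (merged) report[name] = { status: "merged", seenAs: merged };
    else if (prefix) report[name] = { status: "truncated", seenAs: prefix };
    else if (host) report[name] = { status: "absorbed", seenAs: host };
    else report[name] = { status: "missing" };
  }
  return report;
}

// Constructed sample data modelled on the two symptoms described in the post.
const sent = ["AppSessionID", "ParameterID", "UserName"];
console.log(findRiskyNames(sent));
console.log(diffParams(sent, ["App", "ParameterID", "UserName"]));
console.log(diffParams(sent, ["AppParameterID", "UserName"]));
```

Feed `diffParams` the parameter names your backend logged for a test request sent through the proxy; anything not reported as `intact` points to a name worth renaming.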

Latest comments to this post

ideosyncratic wrote on 27.07.2016, 15:03



I am trying to set up a proxy configuration on a dev 853 Domino server, so I can connect to a dev Connections server from an XPage (using Java).

It's an SSO environment, and both the Domino server and Connections server are protected by WebSEAL. I want to make server-side calls in Java (using the Apache HTTP Client), so my XPages application can make a call across to the Connections server.

I followed some information I found in Niklas Heidloff's Social Enabler documentation:

