Monday, 22 June 2015

Notes Domino 9.0.1 Fix Pack 4 - XPages DatabaseName URL Parameter


In IBM Notes/Domino 9.0.1 FixPack 4 and in releases containing the fix for SPR#MKEE9TKDEM, you may see an error page with the following error message:

CLFAD0382E: The databaseName URL parameter value is not one of the allowed database names. The parameter is &databaseName=otherserver!!app.nsf. The allowed names are configured in the option xsp.data.domino.param.databaseName.whitelist.

This is a change in the default XPages behavior: the databaseNames an application may be pointed at must now be configured in a whitelist, an option that lists the allowed databaseName values. Where no whitelist has been configured, the error above occurs for every remote application (that is, an application that is not on the current server). There is an option to revert to the previous behavior, but doing so reintroduces the security exposure described next.
The change was made for security reasons. A malicious browser user could craft a URL that points the XPages application at any other application on the network or the internet and has the server read and write that application's data; besides the data exposure, this can be used to slow the server down in a Denial of Service attack. The read succeeds whenever the currently logged-in user has access to the target application, and in particular whenever the target application allows anonymous access.

Only applications that use the databaseName URL parameter are affected by this change, but the parameter is honoured by default unless the data source is explicitly set to ignore it. In XPages, the Domino Document (xp:dominoDocument) and Domino View (xp:dominoView) data sources read certain parameters from the request URL and apply them to the data source. For example, the Domino Document data source reads a URL parameter named "documentId" and uses it as the document to display. Both data sources also read the parameter "databaseName". When it is absent, the document or view entries are read from the current application or from the application configured in the XPage source. When the "databaseName" URL parameter is present, the documents are instead read from the application named in the parameter. A data source can be configured in the XPage source with the property ignoreRequestParams="true", in which case no parameters are read from the URL, but that is not the default.
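As an added example (not code from the original post or from IBM), here is an XPage with the two data sources described above, one left in the default state and one with the target application pinned and the URL parameters switched off. The form name "Contact", the view name "AllContacts" and the variable names are placeholders; "otherserver!!app.nsf" is the value from the error message above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
  <xp:this.data>
    <!-- Default behaviour: ignoreRequestParams is false, so this data source
         honours documentId and databaseName from the request URL. With no
         whitelist entry for "otherserver!!app.nsf", a request carrying
         &databaseName=otherserver!!app.nsf now fails with CLFAD0382E.
         (Form name "Contact" is a placeholder.) -->
    <xp:dominoDocument var="contact" formName="Contact" />

    <!-- Hardened: the target application is fixed in the XPage source and the
         request parameters are ignored, so a browser user can supply neither
         databaseName nor documentId. (View name "AllContacts" is a placeholder.) -->
    <xp:dominoView var="contacts" viewName="AllContacts"
                   databaseName="otherserver!!app.nsf"
                   ignoreRequestParams="true" />
  </xp:this.data>
</xp:view>
```

Two notes on this. With ignoreRequestParams="true" a Domino Document data source no longer picks up documentId from the URL either, so the document to open has to be set on the data source itself (for example through a computed documentId) or the source will always create a new document. And where a remote databaseName genuinely must come from the URL, the value has to be listed in the whitelist option in xsp.properties, e.g. xsp.data.domino.param.databaseName.whitelist=otherserver!!app.nsf (the exact syntax for multiple entries, and for reverting to the old behaviour, is the one given in the technote linked below; the single-entry line here is an assumption).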

For more information see the Technote (troubleshooting): XPages DatabaseName URL Parameter Whitelist

1 comment:

  1. Good to hear that IBM has fixed this ugly problem.