IBM Please fix Domino authentication

Welcome to keithstric.me. The new home of my blog. Due to my inaction I ended up loosing keithstric.com. I was able to move the past 10 years worth of blog posts here, but I’m still missing the first 4 years of posts. Oh well, guess that’s what happens when you ignore a problem. But let’s get to my rant.

I’m building an application using just Polymer. It’s a RESTful application so all server communication is via AJAX requests. When dealing with AJAX requests it’s fairly easy to catch an error. Error codes are communicated via a request’s “Status Code”. A successful status code is 2xx. While an error status code is 4xx or 5xx. Most modern frameworks and servers return a status code of 401 (Not Authorized) or 403 (forbidden) when authentication is required and the user is not authenticated.

Looking to implement an authentication method into this app I’m building I’ve hit a pet peeve with Domino authentication. If you attempt to access a notes database via the web and you are not authenticated, you receive an HTML form with a status code of 200 (means successful). So, there is no way to check an error status to determine if a user is logged in.

In previous apps I would investigate every response and look for the default authentication path in an attribute of the form tag. How bogus is this, not only is it bogus, but do I really need to investigate every single response from the server to determine if a user is logged in? While this was the norm 10 years ago, now the status should be a 401 (not authorized) when a user isn’t authenticated and authentication is required.

I guess the alternative would be to look for the DomAuthSessId cookie, but again I have to do something on every request. Does IBM hate developers who work with Domino? After going through this and always ending up with a hack for authentication what other  conclusion could I come to?

So, IBM…. Please fix domino authentication to return a 401 or 403 status code when authentication is required.

Share This: