API
@-Formulas
JavaScript
LotusScript
Reg Exp
Web Design
Notes Client
XPages
 
Agents: Run As Web User vs. Signer
We were working on a web application recently. The application was to be used on the client's server and had only one "foreground" agent (accessed through the ?OpenAgent URL). Since we wouldn't have access to run agents on their server, the agent was set up to run as the current web user. The agent, when this setting is enabled, runs under the authority of the currently logged-on web user (or under "Anonymous" if the user hasn't authenticated). Or so we thought...

As it turns out, the documentation is only partially right. What actually happens is that the signer's authority is checked first, and then the authenticated web user. So our agent didn't run on the customer's server until it was signed with someone's ID who had the authority to run restricted LotusScript agents on their server. (See the "Security" section of the server document to find out who has the authority to run restricted LotusScript agents on that server).

After the agent was signed, everything worked fine. Note that we did not try this with unrestricted agents (those that can access the file system and perform other secured tasks). But we assume the same process would hold - the signer's access would be checked first, and then the authenticated web user's access would be checked second.