In the 3 servlets there is code to reject the Anonymous user. This works fine for development and internal build servers. But we might consider installing nsfodp on some of our clients' production servers and using nsfodp deployment from our CLI. One security issue that pops up is that any user with credentials in Domino could potentially use these endpoints and do stuff we don't want if he constructs the correct requests.
One option could be to add a username to some config file on the server (notes.ini?). This username should then be the only user able to access these servlets. If no username is defined, the servlet just rejects the Anonymous user as it's done now.
Could this be a feature to implement?
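
The access rule proposed above, sketched as an added example (not code from nsfodp or from the issue author): a configured username becomes the only accepted caller, and with nothing configured the servlet keeps today's Anonymous-only rejection. The class name, the `NSFODP_AllowedUser` key and the sample names are assumptions; the comparison treats canonical (`CN=.../O=...`) and abbreviated Domino names as equal.

```java
import java.util.Locale;

/** Added sketch of the proposed check; hypothetical class, not part of nsfodp. */
public final class DeployUserGate {
    // Hypothetical notes.ini key; the issue does not name one.
    public static final String INI_KEY = "NSFODP_AllowedUser";

    /** Reduces "CN=Build Bot/OU=CI/O=Acme" and "Build Bot/CI/Acme" to one comparable form. */
    static String normalize(String name) {
        if (name == null) return "";
        StringBuilder out = new StringBuilder();
        for (String part : name.trim().split("/")) {
            String p = part.trim();
            int eq = p.indexOf('=');
            if (eq >= 0) p = p.substring(eq + 1).trim(); // drop CN=, OU=, O=, C= labels
            if (out.length() > 0) out.append('/');
            out.append(p.toLowerCase(Locale.ROOT));
        }
        return out.toString();
    }

    /**
     * @param effectiveUser  name the servlet sees for the authenticated request
     * @param configuredUser value read from INI_KEY, or null/blank when unset
     */
    public static boolean isAllowed(String effectiveUser, String configuredUser) {
        String user = normalize(effectiveUser);
        // Baseline kept from the current behaviour: Anonymous is always rejected.
        if (user.isEmpty() || user.equals("anonymous")) return false;
        String allowed = normalize(configuredUser);
        // No username configured: any authenticated user passes, as today.
        if (allowed.isEmpty()) return true;
        // Username configured: only a match on the whole hierarchical name passes.
        return user.equals(allowed);
    }

    public static void main(String[] args) {
        String cfg = "CN=Build Bot/OU=CI/O=Acme"; // constructed sample value
        System.out.println(isAllowed("Anonymous", null));
        System.out.println(isAllowed("CN=Jane Doe/O=Acme", null));
        System.out.println(isAllowed("CN=Jane Doe/O=Acme", cfg));
        System.out.println(isAllowed("Build Bot/CI/Acme", cfg));
        System.out.println(isAllowed("CN=Build Bot/O=Acme", cfg));
    }
}
```

Matching the full hierarchical name rather than only the common name keeps a same-named user in another organizational unit from passing the check.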