App security and identity

Secure your Domino app with access control and permissions.

Access controls and permissions

Manage access with the Permission tab:

  • Anyone, including anonymous users - In this mode, anyone with the URL can access your app, even if they don’t have a Domino account.

  • Anyone with an account - Anyone logged in to Domino with an account can access the app.

  • Invited users only - Only users you explicitly invite can access the app.

  • Invited users (others can request access) - Only users you explicitly invite can access the app, but other users can request access, which you can then approve.

Access the identities of app users

You might want to create apps that need to know who uses them. For example, this is useful if you want to load specific default values or preferences, or if you want to access different data based on who views your app.

To enable this, Domino passes the username of a user who accesses your Domino app in an HTTP header named domino-username.

If your app framework gives you access to the HTTP headers of the active request, retrieve the domino-username for use by your app code. If you allow users who are not logged in to Domino to view your apps, the value of the domino-username header is Anonymous.

Note
This identity header is only available when you use app frameworks that support proxied HTTP headers. This header is supported by Flask and Dash by default, but Shiny requires that you use Server Pro.

Access username example

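Create the following files in your project for this Flask example, which gets the Domino username of an app viewer. The first is the shell script that starts Flask:

#!/usr/bin/env bash
export LC_ALL=C.UTF-8
export LANG=C.UTF-8
export FLASK_APP=app.py
# FLASK_DEBUG=1 turns on the Werkzeug interactive debugger and auto-reloader.
# Set it to 0 for any app that other users can reach.
export FLASK_DEBUG=1
# Listen on all interfaces so the proxy in front of the app can reach it on port 8888.
python -m flask run --host=0.0.0.0 --port=8888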

Here is a simple app.py file that renders a template named index.html. This app imports request from flask, which gives you access to the headers of the active HTTP request.

import flask
from flask import request, redirect, url_for


class ReverseProxied(object):
    """WSGI middleware that lets the app run under a path prefix set by a reverse proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # The proxy sends the path prefix in the X-Script-Name request header.
        script_name = environ.get('HTTP_X_SCRIPT_NAME', '')
        if script_name:
            environ['SCRIPT_NAME'] = script_name
            path_info = environ['PATH_INFO']
            # Strip the prefix so Flask routes match the app-relative path.
            if path_info.startswith(script_name):
                environ['PATH_INFO'] = path_info[len(script_name):]
        return self.app(environ, start_response)


app = flask.Flask(__name__)
app.wsgi_app = ReverseProxied(app.wsgi_app)


# Homepage which uses a template file
@app.route('/')
def index_page():
    return flask.render_template("index.html")

There is a template file at templates/index.html that fetches the domino-username header from the request object and renders it.

<!DOCTYPE html>
<html>
  <body>
    <h1>Your username is {{ request.headers.get("domino-username") }}</h1>
  </body>
</html>

If you host this app in Domino and open it, you’ll see something like this where the username shown matches the username of the app user.

The username matches the app user
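
The following added example (not part of the original Domino documentation) goes one step past displaying the header: it uses domino-username to decide which data a viewer gets, and fails closed when the header is missing or is Anonymous. It is a WSGI middleware in the same style as ReverseProxied; the class name, the environ key, the usernames, and the report data are all constructed for illustration, and it assumes requests reach the app only through Domino's proxy, since the app has no other way to verify the header.

```python
from wsgiref.util import setup_testing_defaults

ANONYMOUS = "Anonymous"  # header value for viewers who are not logged in to Domino

# Constructed sample data: which report each (made-up) user may see.
REPORTS = {"alice": "Q3 revenue", "bob": "Q3 headcount"}


class DominoIdentity:
    """WSGI middleware: resolve the caller from domino-username, fail closed."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes the domino-username request header under this key.
        user = environ.get("HTTP_DOMINO_USERNAME", "").strip()
        if not user or user == ANONYMOUS:
            # A missing header is treated like an anonymous viewer, never as trusted.
            return deny(start_response, "401 Unauthorized", "Log in to Domino first.")
        environ["app.domino_user"] = user  # hypothetical key read by the app below
        return self.app(environ, start_response)


def deny(start_response, status, message):
    body = message.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]


def report_app(environ, start_response):
    """Return only the report that belongs to the identified user."""
    report = REPORTS.get(environ["app.domino_user"])
    if report is None:
        return deny(start_response, "403 Forbidden", "No report for this user.")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [report.encode("utf-8")]


def call(app, username=None):
    """Send one constructed GET / request; return (status, body)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    if username is not None:
        environ["HTTP_DOMINO_USERNAME"] = username
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body.decode("utf-8")


guarded = DominoIdentity(report_app)
```

In the Flask app above, the same middleware would be stacked with `app.wsgi_app = DominoIdentity(app.wsgi_app)`, which is useful when the app permission is set to allow anonymous users but some views must not be.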

iFrame security

If your Domino deployment exercises iFrame security or requires a content security policy for web apps and your app behaves in unexpected ways, see Whitelist resources.