Signing script libraries

Script libraries are signed with the ID of the current DDE user upon saving the script library design element, or by selecting an entry in the script libraries view and invoking the sign button.

About this task

Signing a script library determines whether it will load at runtime, and thereafter whether it can run with or without restrictions on its methods and operations.
  • Running with restrictions excludes certain features such as file or network I/O. This is the more common approach.
  • Running without restrictions allows all supported features of the XPage implementation languages to be used (see topic "Restricted LotusScript® and Java agent operations" at Domino® Designer Basic User Guide and Reference > Application Design > Adding automation to applications).

The rights to execute restricted/unrestricted methods are assigned to specific signers or groups in the Programmability Restrictions section of the server document Security tab (see topic "Controlling agents and XPages that run on a server" at Domino® Administrator Help > Security > Server access for Notes® users, Internet users, and Domino® servers > Customizing access to a Domino® server).

When an XPage is invoked, Domino® checks the server document security rights of the signer for any script library used during that invocation, and if indicated, downgrades the XPage session to execute only with restrictions. Signatures for DDE users without any server rights to sign XPage server script libraries at all will generate HTTP 403 errors back to the browser.