1.6 Accessing a Trusted Application

Access to a trusted application is available through:

1.6.1 GroupWise Object API

The GroupWise Object API has been extended to include a new trusted application method named SetTrustedApplicationCredentials.

Once an application supplies the trusted application name and key by calling this method, it can call the MultiLogin method to attach to any user's online mailbox (trusted applications cannot automatically log in to a remote or caching mailbox).

The vUserID and vCommandLine parameters already contain the appropriate commands and do not need to be modified. If a password is provided (either in the vPassword parameter or on the command line), it must be the correct password for that mailbox. If no password is provided, the Object API attempts to log in to the user's mailbox using the trusted application name and key. The GroupWise engine then verifies the trusted application credentials for this machine, including the trusted application name and key. If the credentials are correct, the application may access the user's database as if it were the user.

For example, if a trusted application was named “EncryptMessages” and was given a key of “1234567890,” the application should call the SetTrustedApplicationCredentials method (using C++ syntax) as follows:

  gwApplication->SetTrustedApplicationCredentials("EncryptMessages", "1234567890");

The application should then log in to user JDoe by calling MultiLogin. For example:

  gwApplication->MultiLogin("JDoe", "/ipa-199.99.99.99 /ipp-1677",
         NULL, egwNeverPrompt, NULL, &dispAccount);

If the application name and application key are found in the GroupWise post office database, the trusted application is allowed to connect to user JDoe's mailbox with full access to create messages, read items, etc.

1.6.2 IMAP and the GroupWise POA

The GroupWise IMAP implementation has been extended to include a new trusted application authentication mechanism, XGWTRUSTEDAPP. This mechanism is available if you see the string "AUTH=XGWTRUSTEDAPP" as part of the capability response from the GroupWise server, as follows:

C: A001 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=XGWTRUSTEDAPP
S: A001 OK CAPABILITY completed

When an application becomes a trusted application, the key needs to be provided as part of the challenge/response of the IMAP AUTHENTICATE command. The application issues the AUTHENTICATE command, waits for the continuation request "+", and replies with the XGWTRUSTEDAPP command that includes the application name and key as a concatenated string (Base64 encoded). The two null-terminated strings should be combined (with a null between them) and Base64 encoded.

C: A002 AUTHENTICATE XGWTRUSTEDAPP
S: +
C: XGWTRUSTEDAPP UHJvdG9jb2xfdGVzdAA2QkQwOTRDMTA5RjEwMD
                 AwQjExOThEMDA1NTAwMTYwMDZCRDA5NEMyMDlG
                 MTAwMDBCMTE5OEQwMDU1MDAxNjAw
S: A002 OK XGWTRUSTEDAPP authentication successful
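The capability check and the AUTHENTICATE exchange above, worked through in Python as an added example (this is not code from the GroupWise documentation or from Novell). The XGWTRUSTEDAPP token, the capability string and the Base64 sample are taken from the page; decoding that sample shows the layout the encoder must produce: the application name, a single NUL byte, then the key, with no trailing NUL (the sample decodes to the name "Protocol_test" and the 64-character example key). The scripted server, the function names and the command tags are constructed for this example.

```python
import base64
import hmac
from typing import Callable

# Values that the page's own XGWTRUSTEDAPP sample decodes to. The key is the
# documentation's example value, not a real credential.
SAMPLE_NAME = "Protocol_test"
SAMPLE_KEY = "6BD094C109F10000B1198D00550016006BD094C209F10000B1198D0055001600"
SAMPLE_B64 = (
    "UHJvdG9jb2xfdGVzdAA2QkQwOTRDMTA5RjEwMD"
    "AwQjExOThEMDA1NTAwMTYwMDZCRDA5NEMyMDlG"
    "MTAwMDBCMTE5OEQwMDU1MDAxNjAw"
)


def server_offers_xgwtrustedapp(capability_line: str) -> bool:
    """True when an untagged CAPABILITY response lists AUTH=XGWTRUSTEDAPP."""
    fields = capability_line.strip().split()
    if fields[:2] != ["*", "CAPABILITY"]:
        return False
    return "AUTH=XGWTRUSTEDAPP" in fields[2:]


def encode_trusted_app_credentials(name: str, key: str) -> str:
    """Argument of the XGWTRUSTEDAPP response: name, one NUL, key, Base64 encoded.

    This is the layout the page's sample uses (no trailing NUL)."""
    raw = name.encode("ascii") + b"\x00" + key.encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def decode_trusted_app_credentials(blob: str) -> tuple[str, str]:
    """Inverse of the encoder: Base64-decode and split at the first NUL."""
    raw = base64.b64decode(blob, validate=True)
    name, sep, key = raw.partition(b"\x00")
    if not sep:
        raise ValueError("no NUL separator between application name and key")
    return name.decode("ascii"), key.decode("ascii")


def authenticate_exchange(tag: str, name: str, key: str,
                          server: Callable[[str], str]) -> tuple[list[str], bool]:
    """Run the client side of the exchange against `server` (a callable that
    takes one client line and returns one server line). Returns the lines the
    client sent and whether the server answered '<tag> OK'."""
    sent = [f"{tag} AUTHENTICATE XGWTRUSTEDAPP"]
    reply = server(sent[-1])
    if reply.strip() != "+":
        return sent, False  # no continuation request: the server declined
    sent.append("XGWTRUSTEDAPP " + encode_trusted_app_credentials(name, key))
    reply = server(sent[-1])
    return sent, reply.startswith(f"{tag} OK")


def make_scripted_server(expected_name: str, expected_key: str) -> Callable[[str], str]:
    """Hypothetical scripted server that reproduces the page's exchange.
    It is constructed for this example and is not the GroupWise POA."""
    pending = {"tag": None}

    def server(line: str) -> str:
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[1:] == ["AUTHENTICATE", "XGWTRUSTEDAPP"]:
            pending["tag"] = parts[0]
            return "+"
        if len(parts) == 2 and parts[0] == "XGWTRUSTEDAPP" and pending["tag"]:
            tag, pending["tag"] = pending["tag"], None
            try:
                name, key = decode_trusted_app_credentials(parts[1])
            except ValueError:
                return f"{tag} NO XGWTRUSTEDAPP authentication failed"
            # Constant-time comparison of the shared key.
            if name == expected_name and hmac.compare_digest(key, expected_key):
                return f"{tag} OK XGWTRUSTEDAPP authentication successful"
            return f"{tag} NO XGWTRUSTEDAPP authentication failed"
        return "* BAD unexpected command"

    return server


if __name__ == "__main__":
    assert server_offers_xgwtrustedapp("* CAPABILITY IMAP4rev1 AUTH=XGWTRUSTEDAPP")
    lines, ok = authenticate_exchange(
        "A002", SAMPLE_NAME, SAMPLE_KEY, make_scripted_server(SAMPLE_NAME, SAMPLE_KEY))
    for line in lines:
        print("C:", line)
    print("authenticated:", ok)
```

Two points worth noting. Base64 is an encoding, not encryption: the name and key are recoverable from the response line with decode_trusted_app_credentials, which is why the page's mention of an SSL connection matters for a session that carries this exchange. Also, the response line on the page carries the literal XGWTRUSTEDAPP token in front of the Base64 payload; Python's imaplib.IMAP4.authenticate() Base64-encodes whatever its callback returns, so it would encode that prefix along with the payload, and a client needs to write the response line itself as done here.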

The application is now considered an authenticated trusted application and can log in to any user’s mailbox using the LOGIN command without supplying the user’s password. While in the trusted application state, the LOGOUT token can be used to end perusal of the current user’s mailbox. It can then be followed by another LOGIN without disconnecting and re-authenticating (or re-establishing the SSL connection).