I'm not sure of the detail, but there is going to be a difference in testing
the user rights against the ACL, and assigning the servlet the permissions of
the user according to the ACL. Whilst the servlet is running with server
rights, there is the possibility of circumventing any security tests that you
code. I think we could assume that whatever Domino does internally to verify
user permissions would be more robust than what you could code, and hey, why
re-invent the wheel.
Although you've chosen to implement this as a servlet, you could also implement
it as an agent, for which you could set the "Run agent as web user" property,
and Domino will take care of the authentication for you. Given that your
example was for file downloads, an agent should cope with the traffic, unless
your talking huge numbers of concurrent users.
I'm not sure of the detail, but there is going to be a difference in testing the user rights against the ACL, and assigning the servlet the permissions of the user according to the ACL. Whilst the servlet is running with server rights, there is the possibility of circumventing any security tests that you code. I think we could assume that whatever Domino does internally to verify user permissions would be more robust than what you could code, and hey, why re-invent the wheel.
Although you've chosen to implement this as a servlet, you could also implement it as an agent, for which you could set the "Run agent as web user" property, and Domino will take care of the authentication for you. Given that your example was for file downloads, an agent should cope with the traffic, unless your talking huge numbers of concurrent users.