GENERAL DESCRIPTION |
1. Logins are only to be performed by the CISS framework code. This
IA and supporting IAs are granted to CISS only, not to the application
portlets/plug-ins running in CISS.
2. To run user checks and establish user identity for a specific M/VistA
system, CISS should do the following:
a. Instantiate a KaajeeVistaLinkConnectionSpec instance, using the
user-entered access/verify codes and division, together with the
end-user's IP address, obtained via, e.g., request.getRemoteAddr().
b. Obtain a VistALink connection to the desired M/VistA system from the
appropriate VistaLink connection factory object, using the
KaajeeVistaLinkConnectionSpec instance.
c. Using the connection, run the RPC "XUS KAAJEE GET USER INFO" in the
RPC context "XUS SIGNON"; if successful, this returns a DUZ.
This also creates the sign-on log entry on the M/VistA system; the DA
of that entry is also returned. If an exception is thrown, the user
is not authorized to run RPCs on the target VistA system. The exception
will contain the reason for denial.
d. If the end-user is authorized to run RPCs by the preceding step,
use the same connection and immediately run the RPC "XUS KAAJEE LOGOUT"
under the RPC context "XUS SIGNON", passing the DA of the sign-on log
entry created. Running the RPC marks the sign-on log entry as closed.
e. Close the connection.
f. To run application RPCs for the end user, obtain a new connection
from the same VistALink connection factory, but using
VistaLinkDuzConnectionSpec (or, when supported,
VistaLinkVpidConnectionSpec).
3. For the duration of the user session, the DUZ may be used with
DuzConnectionSpec to run RPCs.
4. Whether or not CISS caches a user's DUZ, for any new CISS user
sessions requiring access to a VistA system, all steps 2a-2f should be
performed again, as the user's authorization to log onto the VistA system
may have been revoked or otherwise may have changed since the previous
session.
|
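The sequence in steps 2a-2f, sketched as an added Java example (not CISS, KAAJEE or VistALink code). The Conn and Factory interfaces, the "KAAJEE"/"DUZ" spec labels, the {DUZ, DA} result layout and all sample values are assumptions standing in for the real connection spec and connection classes.

```java
import java.util.Arrays;

public class CissSignOnCheck {
    // Hypothetical stand-ins for a VistALink connection and its factory/spec; not the real API.
    interface Conn extends AutoCloseable {
        String[] rpc(String context, String name, String... args) throws Exception;
        @Override void close();
    }
    interface Factory { Conn connect(String specKind, String... specArgs) throws Exception; }

    static final class Denied extends Exception {
        Denied(String reason, Throwable cause) { super(reason, cause); }
    }

    // Steps 2a-2e: returns the DUZ, or throws Denied with the reason for denial.
    static String establishIdentity(Factory f, String division, String accessCode,
                                    String verifyCode, String clientIp) throws Exception {
        // 2a/2b: login-only connection built from the user-entered values.
        try (Conn c = f.connect("KAAJEE", division, accessCode, verifyCode, clientIp)) {
            String[] info;
            try {
                // 2c: assumed result layout {DUZ, DA of the sign-on log entry}.
                info = c.rpc("XUS SIGNON", "XUS KAAJEE GET USER INFO");
            } catch (Exception e) {
                throw new Denied(e.getMessage(), e); // not authorized: no DUZ, no logout
            }
            // 2d: mark the sign-on log entry closed, on the same connection.
            c.rpc("XUS SIGNON", "XUS KAAJEE LOGOUT", info[1]);
            return info[0];
        } // 2e: try-with-resources closes the connection on every path.
    }

    // Step 2f: application RPCs use a new connection keyed by DUZ, not credentials.
    static Conn applicationConnection(Factory f, String division, String duz) throws Exception {
        return f.connect("DUZ", division, duz);
    }

    public static void main(String[] args) throws Exception {
        // Constructed fake endpoint: DUZ 1234 and sign-on log DA 77 are sample values.
        Factory fake = (kind, specArgs) -> new Conn() {
            public String[] rpc(String ctx, String name, String... a) {
                System.out.println(kind + ": " + ctx + " / " + name + " " + Arrays.toString(a));
                return new String[] {"1234", "77"};
            }
            public void close() { System.out.println(kind + ": connection closed"); }
        };
        String duz = establishIdentity(fake, "500", "access", "verify", "10.0.0.5");
        try (Conn app = applicationConnection(fake, "500", duz)) { /* application RPCs */ }
    }
}
```

Per step 4, establishIdentity is called again at the start of every new CISS user session, even when a DUZ from an earlier session is cached.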
COMPONENT/ENTRY POINT |
COMPONENT DESCRIPTION |
VARIABLES |
gov.va.med.authentication.kernel.KaajeeVistaLinkConnectionSpec |
The no-argument constructor should not be used. Use only the
constructor that takes the following four arguments:
String division, String accessCode, String verifyCode, String clientIp
|
VARIABLES |
TYPE |
VARIABLES DESCRIPTION |
division |
Input |
This is the first parameter for this constructor.
Pass in the station # (external format) of the division
to log the user in against.
|
accessCode |
Input |
This is the second parameter for this constructor.
Pass in the user access code.
|
verifyCode |
Input |
This is the third parameter for this constructor.
Pass in the user verify code.
|
clientIp |
Input |
This is the fourth parameter for this constructor.
Pass in the client IP address.
To obtain the client IP address, 'request.getRemoteAddr()' may be used.
|
|
|