In our current project we use a function of the Domino server you may not be familiar with: the AJAX proxy. It has been built into the Domino server since the later versions of 8.5. To set up the proxy you have to take a deep dive into the policy settings, especially the security settings document of, say, a domain-wide policy. In the settings document you can specify the addresses for which Domino will pass all kinds of requests through to another server, even if it does not reside on the same host. This comes in handy if you call RESTful services on a server other than your Domino server and want to keep your browser from blocking those cross-site requests.
After setting up the proxy you are able to call your desired services and URLs without hassle.
In all our cases we produced JSON requests and got JSON responses to handle the data. At one point we ran into a problem: in our application we use a self-defined session handling for the backend database, which is an MS SQL Server. The parameter we sent back and forth is called "AppSessionID", which was a field in our SQL database used to perform checks.
There seems to be a restriction on parameter names and/or JSON fields in requests sent via the Domino proxy. When we read the AppSessionID that had just been posted via a REST call, we noticed that the only parameter that was readable was called "App", plus the other params we sent out to the REST service.
Even worse: the parameter map we tried to handle showed us stuff like "AppParameterID", a wild combination of the AppSessionID name and another parameter called "ParameterID". Our REST service couldn't handle that properly, of course.
Conclusion: the Domino proxy cuts out the keyword "SessionID". And the cause is very clear: this is also the name of a cookie Domino provides to the browser after logging in using session-based authentication. For some reason the proxy filters this pattern out of any request that is sent through it.
Good to know, so we changed our parameter name to "AppSessID", and Domino routes this perfectly to our TomEE server.
We haven't come across other "preserved" keywords or names yet. But if you know of others that are filtered out by the proxy, please let me know!
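
To check for further filtered keywords, you can compare the parameter names the client sent with the names the backend logged. The following JavaScript is an added example, not code from our project: the function names and the "UserName" parameter are assumptions made up for illustration, and the sample lists are constructed from the behaviour described above.

```javascript
// Added example: find the substring an intermediary proxy removed from
// parameter names by comparing what was sent with what the backend received.

// If `short` equals `long` with one contiguous run of characters removed,
// return that run; otherwise return null.
function removedRun(long, short) {
  if (short.length >= long.length) return null;
  let p = 0; // length of the common prefix
  while (p < short.length && long[p] === short[p]) p++;
  let s = 0; // length of the common suffix, not overlapping the prefix
  while (s < short.length - p &&
         long[long.length - 1 - s] === short[short.length - 1 - s]) s++;
  if (p + s !== short.length) return null;
  return long.slice(p, long.length - s);
}

// Report every sent name that did not arrive intact. `stripped` is the
// removed token, or null when no received name explains the change
// (for example when two mangled names were merged into one).
function findStrippedTokens(sent, received) {
  const receivedSet = new Set(received);
  const findings = [];
  for (const name of sent) {
    if (receivedSet.has(name)) continue; // arrived unchanged
    let best = null;
    for (const got of received) {
      const run = removedRun(name, got);
      // Prefer the candidate that lost the fewest characters.
      if (run !== null && (best === null || run.length < best.stripped.length)) {
        best = { sent: name, received: got, stripped: run };
      }
    }
    findings.push(best || { sent: name, received: null, stripped: null });
  }
  return findings;
}

// Constructed sample: names posted by the client vs. names seen by the service.
const sentNames = ["AppSessionID", "ParameterID", "UserName"];
const receivedNames = ["App", "ParameterID", "UserName"];
console.log(findStrippedTokens(sentNames, receivedNames));
```

Run it against an echo endpoint behind the proxy with a list of candidate parameter names; an empty result means every name passed through unchanged.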