A custom servlet must authenticate users that are submitting information. The sample code found in SampleServlet.java illustrates this process. However, the type of authentication performed using the <check-object-password> element does not check eDirectory rights. Changes submitted on the Publisher channel are allowed if the Driver object has rights to perform the changes, regardless of whether the user submitting the changes has rights or not.
If you are using a URL generated by a command handler on the Subscriber channel, you must use the com.novell.nds.dirxml.driver.manualtask.URLData class to validate the URL to ensure that the responder-dn data item has not been tampered with. See the Javadocs for information on accomplishing this.