Lotus Domino Administrator 8.5 Help - Protecting files on a server from Web client access

WEB SERVERS

Protecting files on a server from Web client access
File protection documents control access to non-database files that users can access via Web browsers. Like database file (.NSF) access control lists (ACLs), which specify the names of the users who can access them and the level of access they have, you can enforce file protection for files that browser users can access -- for example, HTML, JPEG, and GIF -- also by specifying the level of access for these types of files and the names of the users who can access them.

While you can also apply file protection to CGI scripts, file protection does not extend to other files accessed by those scripts. For example, you can apply file protection to a CGI script that restricts access to a group named "Web Admins." However, if the CGI script runs and opens other files, or triggers other scripts to run, the File Protection document cannot control whether "Web Admins" has access to these additional files.

Do not create file protection documents that restrict access to the following directories, which contain default image files and Java applets that are used by the IBM® Lotus® Domino® Web server and other applications, such as mail databases:

Domino\data\domino\java, accessed via Web browser using the path
http://<server>/domjava
Domino\data\domino\icons, accessed via Web browser using the path
http://<server>/icons

File protection does apply, however, to files that access other files -- for example, HTML files that open image files. If a user has access to the HTML file but does not have access to the JPEG file that the HTML file uses, IBM® Lotus® Domino® does not display the JPEG file when the user opens the HTML file.

You can create a File Protection document for a directory or for an individual file. Protection defined for a directory is inherited by all of its subdirectories. You must set up File Protection documents for all directories accessible to Web users. Files and file directories that do not have File Protection documents can be accessed by anyone using a Web browser.

Note You do not need to use a file protection document to protect a database (.NSF) file; instead, you use a database ACL.

Examples of controlling Web browser access to server files
Specifying these settings in fields in the File Protection document allows all users in the Web User Group to open files and start programs in the c:\notes\data\domino\html directory.

Path: c:\notes\data\domino\html

Access: Web User Group (GET)

Access: - Default - (No Access)

The file "secret.htm" resides in the notes\data\domino\html subdirectory. You can deny access to this file to members of the Web User Group and allow access only to user Joe Smith. To do this, create an additional File Protection document with the following settings:

Path: c:\notes\data\domino\html\secret.html

Access: - Default - (No Access)

Access: Joe Smith (GET)

File protection for Web Site documents

You create a file protection document for a specific Web Site. This file protection document only applies to that specific Web Site.

File protection documents provide limited security. Use IBM® Lotus® Domino® security features, such as database ACLs, to protect sensitive information.

To create file protection for a Web Site document
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.

2. Open the Web Site document for which you want to create file protection.

3. Click Web Site and choose "Create File Protection."

4. Click Basics and complete these fields:

Field Action

Description (Optional) Enter a name that differentiates this document from others you create.

Directory or file path Specify the directory or file path that you want to which you want to restrict access. It should be either in the fully-qualified path format, which includes the drive letter -- for example, "c:\lotus\domino\data\domino\cgi-bin," or enter the path relative to the server's data directory -- for example,"domino\cgi-bin."

Current Access Control List Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.

Set/Modify Access Control List To add users to the Access Control List, click Set/Modify Access Control List. Select a user name or group from the Domino Directory or type a name in the Name field. Select "Read/Execute access (GET method)," or "Write/Read/Execute access (POST and GET methods," or "No Access." Click Add to add the entry to the Access Control List.
GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select it and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.
Note If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters.
For example, an LDAP user with the following name format:
cn=Anthony Jones,l=westford,o=airius.com
should be entered into the access list of a File Protection document like this:
cn=Anthony Jones/l=westford/o=airius.com

5. Click Administration and complete the Owners and Administrators fields. By default, the administrator name you logged in with is the name that is assigned to both fields.

6. Save the document.

7. Enter this command to refresh the settings:

tell http refresh

Related topics

Controlling Web browser access to files

Creating a Web Site authentication realm document

"Building Web applications in Domino 6: Accessing and protecting the file system" on Lotus Developer Domain

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Description	(Optional) Enter a name that differentiates this document from others you create.
Directory or file path	Specify the directory or file path that you want to which you want to restrict access. It should be either in the fully-qualified path format, which includes the drive letter -- for example, "c:\lotus\domino\data\domino\cgi-bin," or enter the path relative to the server's data directory -- for example,"domino\cgi-bin."
Current Access Control List	Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.
Set/Modify Access Control List	To add users to the Access Control List, click Set/Modify Access Control List. Select a user name or group from the Domino Directory or type a name in the Name field. Select "Read/Execute access (GET method)," or "Write/Read/Execute access (POST and GET methods," or "No Access." Click Add to add the entry to the Access Control List. GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group. To remove an entry from the list, select it and click Clear. If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access. Note If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters. For example, an LDAP user with the following name format: cn=Anthony Jones,l=westford,o=airius.com should be entered into the access list of a File Protection document like this: cn=Anthony Jones/l=westford/o=airius.com