Protecting files on a server from Web client access

File protection documents control access to non-database files that users can access via Web browsers. Like database file (.NSF) access control lists (ACLs), which specify the names of the users who can access them and the level of access they have, you can enforce file protection for files that browser users can access -- for example, HTML, JPEG, and GIF -- also by specifying the level of access for these types of files and the names of the users who can access them.

About this task

A File Protection document is created in the Domino® Directory during initial server startup. This document provides administrators with Write, Read, and Execute access to the Domino Directory. Other users are assigned No Access. The File Protection document is a security feature that protects the files on a server's hard drive by controlling the Web clients' access to files. You can enforce file system security for files that browser users can access, including levels of access and the names of users who may access the files.

Note: While you can also apply file protection to CGI scripts, file protection does not extend to other files accessed by those scripts. For example, you can apply file protection to a CGI script that restricts access to a group named "Web Admins." However, if the CGI script runs and opens other files, or triggers other scripts to run, the File Protection document cannot control whether "Web Admins" has access to these additional files.

File protection does apply, however, to files that access other files -- for example, HTML files that open image files. If a user has access to the HTML file but does not have access to the JPEG file that the HTML file uses, Domino does not display the JPEG file when the user opens the HTML file.

Do not create file protection documents that restrict access to the following directories, which contain default image files and Java™ applets that are used by the Domino Web server and other applications, such as mail databases:

  • Domino\data\domino\java, accessed via Web browser using the path

    http://server/domjava

  • Domino\data\domino\icons, accessed via Web browser using the path

    http://server/icons

You can create a File Protection document for a directory or for an individual file. Protection defined for a directory is inherited by all of its subdirectories. You must set up File Protection documents for all directories accessible to Web users. Files and file directories that do not have File Protection documents can be accessed by anyone using a Web browser.

Note: You do not need to use a file protection document to protect a database (.NSF) file; instead, you use a database ACL.

To create file protection for a Web Site document

About this task

You create a file protection document for a specific Web Site. This file protection document applies only to that specific Web Site.

File protection documents provide limited security. Use Domino security features, such as database ACLs, to protect sensitive information.

Procedure

  1. From the Domino Administrator, choose Configuration > Web > Internet Sites.
  2. Open the Web Site document for which you want to create file protection.
  3. Click Web Site and choose Create File Protection.
  4. Click Basics and complete these fields:
    Table 1. Basics tab fields

    Field

    Action

    Description

    Enter a name that differentiates this document from others you create.

    Directory or file path

    Specify the directory or file path that you want to which you want to restrict access. It should be either in the fully-qualified path format, which includes the drive letter -- for example, c:\domino\data\domino\cgi-bin, or enter the path relative to the server's data directory -- for example, domino\cgi-bin.

    Current® Access Control List

    Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.

    Set/Modify Access Control List
    To add users to the Access Control List, click Set/Modify Access Control List. Select a user name or group from the Domino Directory or type a name in the Name field. Select one of the following:
    • Read/Execute access (GET method)
    • Write/Read/Execute access (POST and GET methods
    • No Access
    Click Add to add the entry to the Access Control List.

    GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.

    To remove an entry from the list, select it and click Clear.

    If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.

    Note: If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters.

    For example, an LDAP user with the following name format: 

    cn=Anthony Jones,l=westford,o=renovations.com

    should be entered into the access list of a File Protection document like this:

    cn=Anthony Jones/l=westford/o=renovations.com
  5. Click Administration and complete the Owners and Administrators fields. By default, the administrator name you logged in with is the name that is assigned to both fields.
  6. Save the document.
  7. Enter this command to refresh the settings:

    tell http refresh

Example

Specifying these settings in fields in the File Protection document allows all users in the Web User Group to open files and start programs in the c:\notes\data\domino\html directory.

Path: c:\notes\data\domino\html

Access: Web User Group (GET)

Access: - Default - (No Access)

The file "secret.htm" resides in the notes\data\domino\html subdirectory. You can deny access to this file to members of the Web User Group and allow access only to user Joe Smith. To do this, create an additional File Protection document with the following settings:

Path: c:\notes\data\domino\html\secret.html

Access: - Default - (No Access)

Access: Joe Smith (GET)