CONFIGURING


Protecting files on a server from Web client access

File protection documents control access to non-database files that users can access via Web browsers. Like database file (.NSF) access control lists (ACLs), which specify the names of the users who can access them and the level of access they have, you can enforce file protection for files that browser users can access -- for example, HTML, JPEG, and GIF -- also by specifying the level of access for these types of files and the names of the users who can access them.

About this task

A File Protection document is created in the Domino® Directory during initial server startup. This document provides administrators with Write, Read, and Execute access to the Domino Directory. Other users are assigned No Access. The File Protection document is a security feature that protects the files on a server's hard drive by controlling the Web clients' access to files. You can enforce file system security for files that browser users can access, including levels of access and the names of users who may access the files.

Note: While you can also apply file protection to CGI scripts, file protection does not extend to other files accessed by those scripts. For example, you can apply file protection to a CGI script that restricts access to a group named "Web Admins." However, if the CGI script runs and opens other files, or triggers other scripts to run, the File Protection document cannot control whether "Web Admins" has access to these additional files.

File protection does apply, however, to files that access other files -- for example, HTML files that open image files. If a user has access to the HTML file but does not have access to the JPEG file that the HTML file uses, Domino does not display the JPEG file when the user opens the HTML file.

Do not create file protection documents that restrict access to the following directories, which contain default image files and Java™ applets that are used by the Domino Web server and other applications, such as mail databases:


You can create a File Protection document for a directory or for an individual file. Protection defined for a directory is inherited by all of its subdirectories. You must set up File Protection documents for all directories accessible to Web users. Files and file directories that do not have File Protection documents can be accessed by anyone using a Web browser.

Note: You do not need to use a file protection document to protect a database (.NSF) file; instead, you use a database ACL.

To create file protection for a Web Site document

About this task

You create a file protection document for a specific Web Site. This file protection document applies only to that specific Web Site.

File protection documents provide limited security. Use Domino security features, such as database ACLs, to protect sensitive information.

Procedure

1. From the Domino Administrator, choose Configuration -> Web -> Internet Sites.

2. Open the Web Site document for which you want to create file protection.

3. Click Web Site and choose Create File Protection.

4. Click Basics and complete these fields:


5. Click Administration and complete the Owners and Administrators fields. By default, the administrator name you logged in with is the name that is assigned to both fields.

6. Save the document.

7. Enter this command to refresh the settings:


Example

Specifying these settings in fields in the File Protection document allows all users in the Web User Group to open files and start programs in the c:\notes\data\domino\html directory.

Path: c:\notes\data\domino\html

Access: Web User Group (GET)

Access: - Default - (No Access)

The file "secret.htm" resides in the notes\data\domino\html subdirectory. You can deny access to this file to members of the Web User Group and allow access only to user Joe Smith. To do this, create an additional File Protection document with the following settings:

Path: c:\notes\data\domino\html\secret.html

Access: - Default - (No Access)

Access: Joe Smith (GET)

Related concepts
Controlling Web browser access to files

Related tasks
Creating a Web Site authentication realm document