CONFIGURING
About this task
A File Protection document is created in the Domino® Directory during initial server startup. This document provides administrators with Write, Read, and Execute access to the Domino Directory. Other users are assigned No Access. The File Protection document is a security feature that protects the files on a server's hard drive by controlling the Web clients' access to files. You can enforce file system security for files that browser users can access, including levels of access and the names of users who may access the files.
Note: While you can also apply file protection to CGI scripts, file protection does not extend to other files accessed by those scripts. For example, you can apply file protection to a CGI script that restricts access to a group named "Web Admins." However, if the CGI script runs and opens other files, or triggers other scripts to run, the File Protection document cannot control whether "Web Admins" has access to these additional files.
File protection does apply, however, to files that access other files -- for example, HTML files that open image files. If a user has access to the HTML file but does not have access to the JPEG file that the HTML file uses, Domino does not display the JPEG file when the user opens the HTML file.
Do not create file protection documents that restrict access to the following directories, which contain default image files and Java™ applets that are used by the Domino Web server and other applications, such as mail databases:
http://server/domjava
http://server/icons
Note: You do not need to use a file protection document to protect a database (.NSF) file; instead, you use a database ACL.
To create file protection for a Web Site document
You create a file protection document for a specific Web Site. This file protection document applies only to that specific Web Site.
File protection documents provide limited security. Use Domino security features, such as database ACLs, to protect sensitive information.
Procedure
1. From the Domino Administrator, choose Configuration -> Web -> Internet Sites.
2. Open the Web Site document for which you want to create file protection.
3. Click Web Site and choose Create File Protection.
4. Click Basics and complete these fields:
GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select it and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.
Note: If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters.
For example, an LDAP user with the following name format:
6. Save the document.
7. Enter this command to refresh the settings:
Specifying these settings in fields in the File Protection document allows all users in the Web User Group to open files and start programs in the c:\notes\data\domino\html directory.
Path: c:\notes\data\domino\html
Access: Web User Group (GET)
Access: - Default - (No Access)
The file "secret.html" resides in the notes\data\domino\html subdirectory. You can deny access to this file to members of the Web User Group and allow access only to user Joe Smith. To do this, create an additional File Protection document with the following settings:
Path: c:\notes\data\domino\html\secret.html
Access: Joe Smith (GET)
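The restrictions described in this topic (the domjava and icons directories, .NSF files, POST access, and LDAP name delimiters) can be checked before entries are typed into a File Protection document. The following Python lint is an added example, not Domino code; the entry layout, the function names `lint_entry` and `ldap_to_domino_name`, and the directory names in the sample data are assumptions made for illustration.

```python
# Added example: lint planned File Protection entries against the rules in this topic.
# The entry layout (path plus name/access pairs) is hypothetical, not a Domino export format.
from pathlib import PureWindowsPath  # Windows paths compare case-insensitively


def ldap_to_domino_name(name):
    """Replace the comma delimiters of an LDAP name with slashes."""
    return "/".join(part.strip() for part in name.split(","))


def _inside(path, dirs):
    """True if path is one of dirs or lies below one of them."""
    return any(path == d or d in path.parents for d in map(PureWindowsPath, dirs))


def lint_entry(entry, reserved_dirs=(), cgi_dirs=()):
    """Return a list of findings for one planned File Protection entry."""
    findings = []
    path = PureWindowsPath(entry["path"])
    if _inside(path, reserved_dirs):
        findings.append("covers a directory that serves /domjava or /icons")
    if path.suffix.lower() == ".nsf":
        findings.append("database file: protect it with the database ACL instead")
    for name, level in entry["access"]:
        if "," in name:
            fixed = ldap_to_domino_name(name)
            findings.append(f"LDAP name uses commas; enter {fixed!r}")
        if level == "POST" and not _inside(path, cgi_dirs):
            findings.append(f"POST granted to {name!r} outside a CGI directory")
    return findings


# Constructed sample data; every directory and user name below is an assumption.
RESERVED = [r"c:\notes\data\domino\icons"]   # assumed to serve http://server/icons
CGI = [r"c:\notes\data\domino\cgi-bin"]      # assumed CGI program directory
ENTRIES = [
    {"path": r"c:\notes\data\domino\html",
     "access": [("Web User Group", "GET"), ("- Default -", "No Access")]},
    {"path": r"c:\notes\data\domino\html\upload",
     "access": [("cn=Jane Doe,ou=Sales,o=Example", "POST")]},
    {"path": r"C:\Notes\Data\Domino\Icons", "access": [("- Default -", "No Access")]},
    {"path": r"c:\notes\data\sales.nsf", "access": [("Anonymous", "No Access")]},
]

if __name__ == "__main__":
    for e in ENTRIES:
        for finding in lint_entry(e, RESERVED, CGI):
            print(f"{e['path']}: {finding}")
```

Pass the directories that actually back /domjava, /icons, and your CGI programs on the server being reviewed; the lint only compares paths and does not read the Domino Directory.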