WEB SERVERS
While you can also apply file protection to CGI scripts, file protection does not extend to other files accessed by those scripts. For example, you can apply file protection to a CGI script that restricts access to a group named "Web Admins." However, if the CGI script runs and opens other files, or triggers other scripts to run, the File Protection document cannot control whether "Web Admins" has access to these additional files.
Do not create file protection documents that restrict access to the following directories, which contain default image files and Java applets that are used by the Domino Web server and other applications, such as mail databases:
You can create a File Protection document for a directory or for an individual file. Protection defined for a directory is inherited by all of its subdirectories. You must set up File Protection documents for all directories accessible to Web users. Files and file directories that do not have File Protection documents can be accessed by anyone using a Web browser.
Note You do not need to use a file protection document to protect a database (.NSF) file; instead, you use a database ACL.
Examples of controlling Web browser access to server files Specifying these settings in fields in the File Protection document allows all users in the Web User Group to open files and start programs in the c:\notes\data\domino\html directory.
Access: Web User Group (GET)
Access: - Default - (No Access)
Access: Joe Smith (GET)
You create a file protection document for a specific Web Site. This file protection document only applies to that specific Web Site.
File protection documents provide limited security. Use Domino security features, such as database ACLs, to protect sensitive information.
To create file protection for a Web Site document 1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Open the Web Site document for which you want to create file protection.
3. Click Web Site and choose "Create File Protection."
4. Click Basics and complete these fields:
GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select it and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.
Note If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters.
For example, an LDAP user with the following name format:
cn=Anthony Jones,l=westford,o=airius.com
should be entered into the access list of a File Protection document like this:
cn=Anthony Jones/l=westford/o=airius.com
6. Save the document.
7. Enter this command to refresh the settings: