Control access to the application
Use the application's ACL (file -> application -> access control list) to control which user can do what.
Any user who has not logged in is "Anonymous".
Any user who has logged in, but does not have a special entry (name or group) in the ACL is "-Default-".
To create documents, a user needs at least "author" access with the checkbox "create documents". With this access, the user can create a document, but cannot edit it unless the document contains a field of type "author" with the name of the user in it.
A user with level "editor" can edit every document he can see.
Control who can use a specific XPage
In addition to the application's ACL, every XPage has an ACL of its own. You find it in the XPage properties -> all properties -> data -> acl.
There you can create ACL entries with a name, access level and user type.
User name is:
- Anonymous for not authenticated users
- -Default- for authenticated users without an entry of their own
- A user name
- A group name
- A role
Write a role as [role].
Read more at the XPages Blog
In an XPages application you might want to ensure that only your XPages elements are used to access data.
Here are some tips to disable elements of classic Domino web development.
No Notes form is needed on the web, since the XPages provide the UI.
Enable the "hide design element from: web browsers" property for all forms.
Or, if some forms have to be visible to web browsers, make sure that they display only the information you want them to display. Do not rely on users only working with your XPages, since a simple ?EditDocument command opens the plain form again.
Prevent web user from accessing views directly
Create a $$ViewTemplateDefault form which is blank or just contains a message like "Nothing to see here".
Set form formula in the 0 view
Create a view named "0". Set form formula to a form which is just blank.
Set the "hide design elements from: web browsers" properties on all views not needed in the web.
Block a XPage from users not having a role
X-Page -> All Properties -> rendered
var v:Array = database.queryAccessRoles(session.getEffectiveUserName());
// Render the page only when the current user holds the role; "[MyRole]" is a placeholder for your role name
return v.indexOf("[MyRole]") > -1;
As an alternative you could redirect to another page in the BeforePageRendered event of the XPage using context.redirect() when the user does not have the role. Either way, the XPage and application ACLs remain the actual protection; hiding or redirecting only controls what the user sees.
Check your agents
- Check which agents are available from the web.
- Check which ID your agents run with when they are executed from the web. A standard agent runs with the ID it is signed with. Check the property "run as web user"; this makes the agent run with the rights of the current web user.
Check what your application does on certain URL commands
There are many URL commands in Domino. Check if your application does what it should on these commands:
You can create redirection rules in your Global Web Settings (found under Internet Sites in your Domino Directory) so that these potentially dangerous URLs are redirected to an error page.
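The kind of check the paragraphs above ask for, as an added example that is not part of this page: a Python audit of a Domino HTTP log (constructed common-log-format lines, not real traffic) that reports which classic URL commands were answered with 2xx, per database and user, so you can see what still bypasses the XPages UI before you write redirection rules. The command list is a documented subset, not an exhaustive one.

```python
import re
from collections import Counter

# Classic Domino URL commands (a documented subset, not exhaustive). Domino matches
# them case-insensitively and also accepts the "!" shorthand (?OpenView == !OpenView).
CLASSIC_COMMANDS = (
    "OpenForm", "ReadForm", "EditDocument", "OpenDocument", "CreateDocument",
    "SaveDocument", "DeleteDocument", "OpenView", "ReadViewEntries", "SearchView",
    "OpenAgent", "OpenNavigator", "OpenPage", "OpenAbout", "OpenHelp", "ReadDesign",
)
CMD_RE = re.compile(r"[?!](" + "|".join(CLASSIC_COMMANDS) + r")\b", re.IGNORECASE)

# Common-log-format line: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample of a Domino HTTP log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Mar/2024:10:01:02 +0100] "GET /apps/orders.nsf/order.xsp?documentId=ABC HTTP/1.1" 200 5120
10.0.0.5 - jdoe [12/Mar/2024:10:01:09 +0100] "GET /apps/orders.nsf/0/ABC?EditDocument HTTP/1.1" 200 3210
10.0.0.9 - - [12/Mar/2024:10:02:00 +0100] "GET /apps/orders.nsf/0?OpenView HTTP/1.1" 200 8800
10.0.0.9 - - [12/Mar/2024:10:02:03 +0100] "GET /apps/orders.nsf/AllOrders?ReadViewEntries HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2024:10:02:05 +0100] "GET /apps/orders.nsf/Export!OpenAgent HTTP/1.1" 200 120
"""

def classify_request(path):
    """Return the classic URL command (lower-case) used by a request path, or None
    when the request uses no such command (e.g. it is served by an .xsp page)."""
    m = CMD_RE.search(path)
    return m.group(1).lower() if m else None

def audit_log(lines):
    """Count requests per (database, command, user) that used a classic URL command
    and were answered 2xx. A 302 (redirection rule) or 4xx means the request was
    already blocked, so it is not counted."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        _host, user, path, status = m.groups()
        cmd = classify_request(path)
        if cmd is None or not status.startswith("2"):
            continue
        base = path.split("?", 1)[0].split("!", 1)[0].lower()
        nsf = base[: base.find(".nsf") + 4] if ".nsf" in base else base
        hits[(nsf, cmd, user)] += 1
    return hits
if __name__ == "__main__":
    for (nsf, cmd, user), n in sorted(audit_log(SAMPLE_LOG.splitlines()).items()):
        print(f"{nsf:22} ?{cmd:16} {user:8} {n}")
```

Any database that shows up with ?OpenView, ?EditDocument or !OpenAgent hits is one where the form, view and agent settings above still need attention.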
Here is an example:
The 10 Commandments for public facing web applications
Stephan Wissel posted a good list of security tips for public-facing web applications: 10 Commandments for public facing web applications