Skip to main content link. Accesskey S

The useful resource for IBM Lotus Domino XPages development

Submit Search

Available in the Appstore!All the content of xpageswiki.com for iPhone or iPad for offline access.

Home > Getting ready for production > How to secure your application

How to secure your application
ShowTable of Contents

General security

Control access to the application


Use the application's ACL (file -> application -> access control list) to control which user can do what.

Any user who has not logged in is "Anonymous".
Any user who has logged in, but does not have a special entry (name or group) in the ACL is "-Default-".

To create documents, a user needs at least "author" access with the checkbox "create documents". With this access, the user can create a document, but cannot edit it unless the document contains a field of type "author" with the name of the user in it.
A user with level "editor" can edit every document he can see.

Control who can use a specific XPage


As an addition to the application's ACL every XPage has an ACL, too. You find it in the XPage properties -> all properties -> data -> acl.
There you can create ACL entries with a name, access level and user type.

User name is:
  • Anonymous for not authenticated users
  • -Default- for authenticated users whitout a entry of their own
  • A user name
  • A group name
  • A role


Write a role as [role].

Read more at the XPages Blog

Additional measures


In a XPages application you might want to ensure that only your XPages elements are being used to access data.
Here are some tips to disable elements of classic Domino web development.

Hide forms


No Notes form is needed in the web, since the XPages are providing the UI.
Enable the "hide design element from: web browsers" property for all forms.

Or, if you some forms has to be visible to web browsers, make sure that they display only the information you want them to display. Do not rely on that users only work with our XPages, since a simple ?EditDocument command uses the plain form again.

Prevent web user from accessing views directly


Create a $$ViewTemplateDefault form which is blank or just contains a message like "Nothing to see here".

Set form formula in the 0 view


Create a view named "0". Set form formula to a form which is just blank.

Hide views


Set the "hide design elements from: web browsers" properties on all views not needed in the web.

Block a XPage from users not having a role


X-Page -> All Properties -> rendered

var v:Array = database.queryAccessRoles(session.getEffectiveUserName());
@IsMember("[role]", v)


As an alternative you could redirect to another page in BeforePageRendered event of the XPage using context.redirect() when the user does not have the role.

Check your agents
  • Check which agents are available from the web.
  • Check with which ID your agents are running if they are executed from the web. A standard agent runs with the ID with which it is signed. Check for the property "run as web user", this makes the agent run with the rights of the current web user.

Check what your application does on certain URL commands


There are many URL commands in Domino. Check if your application does what it should on these commands:

db.nsf?OpenDatabase
db.nsf/0?ReadViewEntries
db.nsf/0?ReadDesign
db.nsf/0/$first?OpenDocument
db.nsf/otherwebviews?ReadViewEntries
db.nsf/otherwebviews?ReadDesign
db.nsf/otherwebviews/$first?OpenDocument
db.nsf/$defaultNav?OpenNavigator
db.nsf/$defaultform?OpenForm

You can create some redirection rules for your Global Web Settings (found in internet sites in your Domino Directory) so that these potential dangerous URLs are redirected to some error page.
Here is an example:

Add Comment
Name:
Comments:
Use  searchlotus.com  for news in the Web related to Lotus Notes and Domino,
and to search those sites.
Check  youatnotes.com  for great Lotus Notes, Domino and XPages software.
Did this information help you?
Please honor our efforts and flattr this!