***********************************************************
How to prevent use of the $DefaultNav command in R5.x
From "Building Secure Domino Web Applications," by Carl
Kriger, Lotus Development product manager for Mobile Notes
& Wireless, which originally appeared in the July/August
2000 edition of The View, http://www.eview.com.
The $DefaultNav command has been around essentially since
the beginning of the Domino server. Most developers are
painfully aware that it exists and that it effectively
allows unfriendly users to bypass their control of the
launch options. So, as a common practice, developers hide
views just to prevent them from being listed when the
$DefaultNav command is used. But is it possible to prevent
$DefaultNav from presenting the list of non-hidden views at
all?
Prior to R5.x, the answer to this question was (and still
is) "No." There's nothing a developer can do to prevent
users from reconstructing the URL, appending /$DefaultNav,
and presenting themselves with a list of the views that are
not hidden in the application. The reason is that Domino
does not use the $$NavigatorTemplateDefault form to display
results for $DefaultNav; therefore, you cannot use this
form to capture the $DefaultNav command and control what is
displayed. However, developers working in pre-R5.x Domino
environments can hide all views by surrounding the view
name with parentheses, effectively disabling the
$DefaultNav command.
In R5.x, however, the answer to the question is "Yes." It
is possible to prevent the $DefaultNav command from
presenting the list of non-hidden views ... but in a way
that may not be so obvious. To prevent the use of the
$DefaultNav command, R5.x developers can create a URL
redirect that captures the incoming request and directs the
user to a different URL -- perhaps one that opens a page
with the text, "Access Denied," for example. This technique
is now possible because in R5.x wildcards can be used in
URL redirects -- opening the door for developers to regain
control of their launch options by preventing the use of
the $DefaultNav?OpenNavigator URL command (or any other
Domino URL command for that matter) in a URL that a browser
user might reconstruct.
Here are the steps to create a URL redirection document in
the Domino Directory for R5.x Domino servers only:
1. Open the Domino Directory on the R5.x server.
2. Create a URL Mapping/Redirection document using the
Web... action (located in the Servers view of the Domino
Directory).
3. A URL Mapping/Redirection document has four tabs:
Basics, Site Information, Mapping, and Administration. In
the Basics tab, set the "What do you want to set up?" field
to "URL --> Redirection URL."
4. Leave the Site Information tab blank, unless you're
dealing with a specific virtual server.
5. Set the fields in the Mapping tab to be similar to:
Incoming URL path: */*.nsf/$DefaultNav
Redirection URL string: http://www.lotus.com
This redirection document sends the browser user to the
Lotus site.
6. Save the document.
7. View the document in the Web Configurations view of the
Directory.
8. Restart the Domino server for the changes to take
effect.
This URL Redirection document will work on all Domino
server platforms with the exception of Sun Solaris, a
platform on which URL redirections are case sensitive. If
Domino is running on Sun Solaris, you must create a URL
Redirection document for each case variation of the URL
path.
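Once the redirection document is in place, an administrator will want to confirm it actually fires, including for the case variants that matter on Solaris. The following Python check is an added example, not code from the article; the server URL, database path and redirect target are assumed values that the administrator supplies for their own server.

```python
"""Check that a Domino $DefaultNav URL redirection is in effect.

Added example; assumes the administrator's own server URL, database
path and redirect target (the values below are placeholders)."""
import urllib.error
import urllib.request

COMMAND = "$DefaultNav"


def probe_paths(db_path):
    """URL paths the redirection rule should catch. Several case
    variants are included because redirections are case sensitive
    on Solaris; the ?OpenNavigator form is probed as well."""
    variants = [COMMAND, COMMAND.lower(), COMMAND.upper(), "$defaultNav"]
    paths = []
    for v in variants:
        paths.append(f"{db_path}/{v}")
        paths.append(f"{db_path}/{v}?OpenNavigator")
    return paths


def classify(status, location, redirect_target):
    """Decide from status code and Location header whether the
    redirection document fired for this request."""
    if 300 <= status < 400 and location and location.startswith(redirect_target):
        return "redirected"
    if status == 200:
        return "not redirected"  # the server answered the request itself
    return f"other ({status})"


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_server(base_url, db_path, redirect_target):
    """Request every probe path (redirects disabled) and classify each."""
    opener = urllib.request.build_opener(_NoFollow)
    results = {}
    for path in probe_paths(db_path):
        try:
            with opener.open(base_url.rstrip("/") + path, timeout=10) as resp:
                status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx land here
            status, location = err.code, err.headers.get("Location")
        results[path] = classify(status, location, redirect_target)
    return results


if __name__ == "__main__":  # placeholder host, database and target
    for p, v in check_server("http://domino.example", "/names.nsf", "http://www.lotus.com").items():
        print(f"{v:20} {p}")
```

Any path reported as "not redirected" means a case variant (or the query-string form) is slipping past the mapping document and needs its own entry.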