Security for Image Resources handled differently in XPages - why?

I’m currently rebuilding an old application of ours to use XPages instead of standard Domino web design. Anonymous users are granted DEPOSITOR access so that they can fill out a survey-type form. In the old version of the app the main form shows a company logo that is stored as an image resource in the db itself. If I now duplicate this using XPages, the logo is not shown to any DEPOSITOR access user. Only if I grant Anonymous READER access or higher are the images displayed; in my case I’d need to give them AUTHOR access, which is not an option!

After some testing I found out that I have to enable the “Available to Public Access users” property for each image resource in my db that needs to be shown to my anonymous users.

This was never necessary from at least R4.6 until ND 8.5 using standard forms-based web design.

So I truly wonder whether this extra “security” measure was introduced on purpose, and if so, why it was introduced for XPages only.

Regards,

-Lothar

Subject: This isn’t XPages specific

Hi Lothar,

XPages or not, if the ACL for “Anonymous” is set to “Depositor”, then image resources won’t show up unless they are marked as “Available for public access”.

I bet that if you go back to your old app, you’ll see that those image resources are marked as such.

I just tested this again with a simple (classic) page and image resource with the ACL above.

Thomas - IBM
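
To check a database for the situation discussed above, the agent below lists every image resource and reports which ones lack the public-access flag. It is an added example, not code posted by anyone in this thread. It assumes the design property is stored on the design note as the item `$PublicAccess` with value "1", and that it runs in the database being checked under an ID with Designer access.

```lotusscript
Sub Initialize
	' Added example: audit image resources for the
	' "Available to Public Access users" design property.
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim entry As NotesACLEntry
	Dim nc As NotesNoteCollection
	Dim note As NotesDocument
	Dim noteID As String
	Dim flag As String
	Dim missing As Integer

	Set db = session.CurrentDatabase

	' Report how Anonymous is set up in the ACL (falls back to -Default- if absent).
	Set entry = db.ACL.GetEntry("Anonymous")
	If entry Is Nothing Then
		Print "No Anonymous entry in ACL; -Default- applies to anonymous users"
	Elseif entry.Level < ACLLEVEL_READER Then
		Print "Anonymous is below Reader: only public-access elements are served"
	Else
		Print "Anonymous has Reader or higher: the flag is not needed for images"
	End If

	' Collect only the image resource design notes.
	Set nc = db.CreateNoteCollection(False)
	nc.SelectImageResources = True
	Call nc.BuildCollection

	noteID = nc.GetFirstNoteID
	Do While noteID <> ""
		Set note = db.GetDocumentByID(noteID)
		flag = ""
		' Assumption: the design property is stored as $PublicAccess = "1".
		If note.HasItem("$PublicAccess") Then
			flag = Cstr(note.GetItemValue("$PublicAccess")(0))
		End If
		If flag = "1" Then
			Print "public     : " & note.GetItemValue("$TITLE")(0)
		Else
			Print "NOT public : " & note.GetItemValue("$TITLE")(0)
			missing = missing + 1
		End If
		noteID = nc.GetNextNoteID(noteID)
	Loop

	Print Cstr(missing) & " of " & Cstr(nc.Count) & " image resources lack the flag"
End Sub
```

Flag only the images that anonymous users are meant to see; every element marked this way is readable without authentication.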

Subject: hmm - you’re right (of course)

my images don’t have that setting, and they’re invisible (now). Strange, thought I had seen them yesterday…

Thanks for checking, and all the best

-Lothar

Subject: Security Image Generator for Domino web forms (XPages not required)

Well, if you are looking for a Domino web solution which does not require XPages, then read the tip below…

Security Image Generator for Domino web forms

This article instructs Domino Developers how to add a security image generator to a Domino web form. Domino web applications running on the public internet are susceptible to spam data submission especially if the web form validation relies solely on JavaScript and the web site is not SSL enabled.

http://www.notesmail.com/home.nsf/tip20100506
