How to prevent use of the $DefaultNav command in R5.x
 
 From "Building Secure Domino Web Applications," by Carl
 Kriger, Lotus Development product manager for Mobile Notes
 & Wireless, which originally appeared in the July/August
 2000 edition of The View, http://www.eview.com.
 
 The $DefaultNav command has been around essentially since
 the beginning of the Domino server. Most developers are
 painfully aware that it exists and that it effectively
 allows unfriendly users to bypass their control of the
 launch options. So, as a common practice, developers hide
 views just to prevent them from being listed when the
 $DefaultNav command is used. But, is it possible to prevent
 the $DefaultNav from presenting the list of non-hidden
 views at all?
 
 Prior to R5.x, the answer to this question was (and still
 is) "No." There's nothing a developer can do to prevent
 users from reconstructing the URL, appending /$DefaultNav,
 and presenting themselves with a list of the views that are
 not hidden in the application. The reason is that Domino
 does not use the $$NavigatorTemplateDefault form to display
 results for $DefaultNav; therefore, you cannot use this
 form to capture the $DefaultNav command and control what is
 displayed. However, developers working in pre-R5.x Domino
 environments can hide all views by surrounding the view
 name with parentheses, effectively disabling the
 $DefaultNav command.
 
 In R5.x, however, the answer to the question is "Yes." It
 is possible to prevent the $DefaultNav command from
 presenting the list of non-hidden views ... but in a way
 that may not be so obvious. To prevent the use of the
 $DefaultNav command, R5.x developers can create a URL
 redirect that captures the incoming request and directs the
 user to a different URL -- perhaps one that opens a page
 with the text, "Access Denied," for example. This technique
 is now possible because in R5.x wildcards can be used in
 URL redirects -- opening the door for developers to regain
 control of their launch options by preventing the use of
 the $DefaultNav?OpenNavigator URL command (or any other
 Domino URL command for that matter) in a URL that a browser
 user might reconstruct.
 
 Here are the steps to create a URL redirection document in
 the Domino Directory for R5.x Domino servers only:
 
 1. Open the Domino Directory on the R5.x server.
 
 2. Create a URL Mapping/Redirection document using the
 Web... action (located in the Servers view of the Domino
 Directory).
 
 3. A URL Mapping/Redirection document has four tabs:
 Basics, Site Information, Mapping, and Administration. In
 the Basics tab, set the "What do you want to set up?" field
 to "URL --> Redirection URL."
 
 4. Leave the Site Information tab blank, unless you're
 dealing with a specific virtual server.
 
 5. Set the fields in the Mapping tab to be similar to:
 
 Incoming URL path: */*.nsf/$DefaultNav
 Redirection URL string: http://www.lotus.com
 
 This redirection document sends the browser user to the
 Lotus site.
 
 6. Save the document.
 
 7. View the document in the Web Configurations view of the
 Directory.
 
 8. Restart the Domino server for the changes to take
 effect.
 
 This URL Redirection document will work on all Domino
 server platforms with the exception of Sun Solaris, a
 platform on which URL redirections are case sensitive. If
 Domino is running on Sun Solaris, you must create a URL
 Redirection document for each case variation of the URL
 path.
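
 The sketch below is an added example, not part of the original article or of Domino. It models the redirect's wildcard with Python's shell-style fnmatch as a stand-in for the server's matcher (an assumption) and checks which spellings of the command a rule set leaves uncaught. The database path is constructed, and only the command name is varied, not the rest of the path.

```python
import fnmatch
from itertools import product

def case_variants(token):
    """Every upper/lower-case spelling of token; non-letters stay fixed."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in token]
    return ["".join(p) for p in product(*choices)]

def matches(rule, path, case_sensitive):
    """Shell-style wildcard match, standing in for the server's matcher."""
    if not case_sensitive:
        rule, path = rule.lower(), path.lower()
    return fnmatch.fnmatchcase(path, rule)

def uncovered(rules, paths, case_sensitive):
    """Request paths that no redirect rule catches."""
    return [p for p in paths
            if not any(matches(r, p, case_sensitive) for r in rules)]

def rules_for_case_sensitive_platform(command="$DefaultNav"):
    """One Incoming URL path per case spelling of the command."""
    return ["*/*.nsf/" + v for v in case_variants(command)]

# The single rule from step 5, and a constructed database path requested
# with every case spelling of the command.
RULE = "*/*.nsf/$DefaultNav"
PATHS = ["/apps/orders.nsf/" + v for v in case_variants("$DefaultNav")]

if __name__ == "__main__":
    print("spellings of the command:", len(PATHS))
    print("missed, case-insensitive matching:",
          len(uncovered([RULE], PATHS, case_sensitive=False)))
    print("missed, case-sensitive matching:",
          len(uncovered([RULE], PATHS, case_sensitive=True)))
    print("documents needed when case sensitive:",
          len(rules_for_case_sensitive_platform()))
```

 Run against your own list of database paths to see how many URL Redirection documents a case-sensitive platform requires before relying on the redirect.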
 