XPages security

Security is provided for XPages applications.

An XPages application running in the HCL Notes® client can include a number of design elements that contain code (usually referred to as active content) that can be executed on the user's workstation, for example, accessing a database or JavaScript with embedded Java code. To prevent active content from executing protected operations, such as reading from and writing to workstation files, reading and writing system properties, and network operations, XPages uses the Execution Control List (ECL) to manage the access and abilities the user has granted the signer of the code that is trying to perform the protected operation.

The ECL determines whether the signer of the code is allowed to run code on a given workstation and defines the access that code has to various workstation functions, such as access to the current database or other databases. Examples of active content within an XPages application include Java code embedded in JavaScript (server-side), server-side script libraries, and Java classes and JARs imported into the database.

All the design elements in an XPages application have the signature of their creator. Note that if there is more than one signer of an XPages application, all signers must be trusted by the user before the protected operation will execute.

ECL security access options for XPages applications are set in the Using Workstation tab under What Others Do of the User Security dialog (File > Security > User Security).

Security with active content filtering

The Active Content Filtering (ACF) security feature also guards against malicious code being entered into an XPage input control during execution.

Active content filtering is used to remove possibly malicious active content (scripts, tags) from an input/output text control. An ACF engine acts as a library that performs the filtering at run time. If you put focus on certain XPage controls (edit box, multiline edit box, rich text, hidden input), you see two properties, htmlFilter and htmlFilterIn, on the All Properties tab under basics.

The htmlFilter property defines the ACF engine to use when the control sends data to the client, and the htmlFilterIn property defines the engine to use when the control receives text from the client. You can change these two properties to enable or disable ACF for a text field.

There are four ACF engines available for XPages:
  • acf
  • striptags
  • identity
  • empty

The acf engine parses the HTML text and filters out the unsafe constructs, based on a configuration file (acf-config.xml). The striptags engine removes all the tags using a regular expression 'replaceAll("\\<.*?>","")'. The identity filter returns the original string. The empty engine removes everything and returns an empty string.

The acf engine can be configured via a configuration file. For the client side, this file is typically located in the ...\Notes\Data\properties folder. An example, acf-config.xml.sample, is located in this folder.

To configure ACF, you must first find the xsp.properties file in the same folder and add the following line: xsp.htmlfilter.acf.config=acf-config.xml. This indicates that acf-config.xml will be used to configure the acf engine (otherwise, default rules are used). The following is an example of the acf-config.xml file contents:
<?xml version="1.0"?>
<config>
    <filter-chain>
        <filter name='base' class='com.ibm.trl.acf.impl.html.basefilter.BaseFilter'
                verbose-output='false' use-annotation='false' />
    </filter-chain>

    <filter-rule id='base'>
        <target scope=''>
            <!-- C14N rules -->
            <rule c14n='true' all='true' />

            <!-- Base rules -->
            <rule attribute='on' attribute-criterion='starts-with'
                  action='remove-attribute-value' />
            <rule attribute='${' attribute-criterion='starts-with'
                  action='remove-attribute-value' />
            <rule attribute='href' value='javascript:' value-criterion='contains'
                  action='remove-attribute-value' />
            <rule attribute='style' action='remove-attribute-value' />

            <rule tag='script' action='remove-tag' />
            <rule tag='style' action='remove-tag' />
            <rule tag='link' attribute='rel' value='stylesheet'
                  value-criterion='contains' action='remove-tag' />
        </target>
    </filter-rule>
</config>
In the previous example:
  • <rule attribute='on' attribute-criterion='starts-with' action='remove-attribute-value' /> removes attributes whose name starts with on.
  • <rule attribute='href' value='javascript:' value-criterion='contains' action='remove-attribute-value' /> removes all the 'href' attributes whose value contains the 'javascript:' keyword.
  • <rule tag='script' action='remove-tag' /> removes all the script tags, and <rule tag='style' action='remove-tag' /> removes all the style tags.
  • <rule tag='link' attribute='rel' value='stylesheet' value-criterion='contains' action='remove-tag' /> removes link tags whose rel attribute value contains stylesheet.
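To make the rule semantics concrete, the following Python script is an added example (not code from XPages or its ACF library) that applies the base rules from the acf-config.xml above to a piece of HTML and re-emits only what survives them. It assumes that action='remove-attribute-value' drops the whole attribute, as the bullet list describes, and it does not model the C14N rule; call acf(text) on any HTML string to see the result.

```python
import html
from html.parser import HTMLParser

# Rules transcribed from the page's acf-config.xml; assumption: remove-attribute-value drops the attribute.
ATTR_RULES = [
    {"attribute": "on", "attribute-criterion": "starts-with"},
    {"attribute": "${", "attribute-criterion": "starts-with"},
    {"attribute": "href", "value": "javascript:", "value-criterion": "contains"},
    {"attribute": "style"},
]
REMOVE_TAGS = {"script", "style"}  # <rule tag='...' action='remove-tag' />
VOID_TAGS = {"link", "br", "img", "input", "hr", "meta"}  # have no end tag

def attribute_blocked(name, value):
    """True when a base rule matches the attribute (value-criterion='contains')."""
    for rule in ATTR_RULES:
        starts = rule.get("attribute-criterion") == "starts-with"
        name_ok = name.startswith(rule["attribute"]) if starts else name == rule["attribute"]
        if name_ok and rule.get("value", "") in (value or "").lower():
            return True
    return False

class AcfFilter(HTMLParser):
    """Re-emits the input HTML minus the constructs the rules reject (C14N not modelled)."""
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0  # skip > 0 while inside a removed tag
    def handle_starttag(self, tag, attrs):
        stylesheet = tag == "link" and any(
            n == "rel" and "stylesheet" in (v or "").lower() for n, v in attrs)
        if tag in REMOVE_TAGS:
            self.skip += 1  # drop the tag and everything up to its end tag
        elif not self.skip and not stylesheet:  # link/rel=stylesheet remove-tag rule
            kept = [(n, html.escape(v or "")) for n, v in attrs if not attribute_blocked(n, v)]
            self.out.append(f"<{tag}" + "".join(f' {n}="{v}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag in REMOVE_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded entities

def acf(text):
    parser = AcfFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```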

For more information about the Execution Control List, see the Domino® Administrator help.