At 6:54 AM -0700 6/10/02, Bill Moseley wrote:
>I'd expect that you would want to make all the files readable to the web
>server (which shouldn't have any special power) and the use SSL and some
>type of authentication to provide access to the files.
The problem with that is knowing the existence of files makes the
system insecure. Think about words like "severance", "merger",
"liability". It would be so easy to figure out what else is in those
documents, sort of reverse-engineering, by doing searches on those
words with other pertinent topics.
The high-end commercial search engines are starting to tie directly
into the ACLs and permissions for corporate security and
authorization. They are even checking the status at retrieval time
so as to avoid showing anything that the searcher is not allowed to
see. This is expensive and slow.
Another solution would be to index the public stuff in one index file
and the private stuff in another, don't give anyone access to the
private search without authorization.
Complete Guide to Search Engines for Web Sites and Intranets
Received on Mon Jun 10 17:02:05 2002