At 6:54 AM -0700 6/10/02, Bill Moseley wrote:
>I'd expect that you would want to make all the files readable to the web
>server (which shouldn't have any special power) and then use SSL and some
>type of authentication to provide access to the files.

The problem with that is knowing the existence of files makes the
system insecure. Think about words like "severance", "merger",
"liability". It would be so easy to figure out what else is in those
documents, sort of reverse-engineering, by doing searches on those
words with other pertinent topics.

The high-end commercial search engines are starting to tie directly
into the ACLs and permissions for corporate security and
authorization. They are even checking the status at retrieval time
so as to avoid showing anything that the searcher is not allowed to
see. This is expensive and slow.

Another solution would be to index the public stuff in one index file
and the private stuff in another, and don't give anyone access to the
private search without authorization.

Avi
--
Complete Guide to Search Engines for Web Sites and Intranets
<http://www.searchtools.com>
Received on Mon Jun 10 17:02:05 2002
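
The two approaches described in the reply above (checking permissions at retrieval time, and keeping public and private material in separate indexes), as an added example that is not part of the original message. The corpus, group names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample corpus: (doc id, groups allowed to read it, text).
DOCS = [
    ("news.html", {"public"}, "company picnic and quarterly newsletter"),
    ("hr/plan.doc", {"hr"}, "severance terms for the merger with acme"),
    ("legal/memo.doc", {"legal"}, "liability review of the acme merger"),
]
ACL = {doc_id: groups for doc_id, groups, _text in DOCS}

def build_index(docs):
    """Inverted index: word -> set of doc ids containing it."""
    index = defaultdict(set)
    for doc_id, _groups, text in docs:
        for word in text.lower().split():
            index[word].add(doc_id)
    return index

def search(index, query):
    """AND query with no permission check: every doc containing all words."""
    words = query.lower().split()
    if not words:
        return set()
    hits = set(index.get(words[0], ()))
    for word in words[1:]:
        hits &= index.get(word, set())
    return hits

def search_trimmed(index, query, user_groups):
    """Retrieval-time check: drop hits the searcher may not read
    before anything (titles, counts, excerpts) is shown."""
    return {d for d in search(index, query) if ACL[d] & user_groups}

def search_split(public_index, private_index, query, authorized):
    """Two-index approach: the private index is consulted only for
    searchers who have already been authorized."""
    hits = search(public_index, query)
    if authorized:
        hits |= search(private_index, query)
    return hits

FULL = build_index(DOCS)
PUBLIC = build_index([d for d in DOCS if "public" in d[1]])
PRIVATE = build_index([d for d in DOCS if "public" not in d[1]])

if __name__ == "__main__":
    # One shared index: the hit itself reveals the document exists.
    print("unchecked:", search(FULL, "severance acme"))
    print("trimmed:  ", search_trimmed(FULL, "severance acme", {"public"}))
    print("split:    ", search_split(PUBLIC, PRIVATE, "severance acme", False))
```

The per-hit ACL lookup in `search_trimmed` is the retrieval-time cost the reply calls expensive; `search_split` avoids it but grants the private index all-or-nothing.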