There are times when you want to secure an application using the ACL, but Anonymous still needs some access to hit a home page. In those scenarios, a common approach is to enable the Read and/or Write Public Accss Documents privilege on the ACL for Anonymous. The relevant XPage needs enabling for public access as well (on the properties, before opening the XPage), as do any resources it uses – including the favicon, if you’ve added one to the application.
But there’s also one other XPage that needs enabling for public access: your custom error page. (All my applications have a custom error page, because without that there is no XPage to call in the event of an error occurring, and hence Render Response phase cannot be processed, so the error cannot be logged to e.g. Open Log.) if you fail to do this, a NoAccessSignal will get thrown with the stack trace pointing to the last unauthenticated page. This makes it difficult to track down the page that needs fixing and may in some scenarios cause a periodic crash of the server.
This situation of mixed public / private XPages will usually happen when you want anonymous users to access some introductory pages for your application, but restrict access to the rest of the application. The natural inclination is to put everything in the same NSF. But on reflection, if I have that requirement in the future, a better approach may be to have one NSF for anonymous interaction with reader access and keep the main NSF completely private.
