File System
The security.fileSystem node sets where applications can open and save files. It is built on a trust level that defines the overall posture, refined by allow/block path lists and by virtual shares surfaced in the file-transfer panel.
security.fileSystemTrust levels
The trustLevel enum uses camelCase values in the JSON. It is the one required property of this node.
| Value | File-system posture |
|---|---|
disposable | Maximum-restricted kiosk. Ephemeral working area; nothing persists beyond the session. |
noTrust | Session folder only. Most restrictive persistent mode; users work through controlled, browser-native dialogs. |
lowTrust | Limited access to a constrained set of locations (Public / User Documents), extendable with allowed paths. |
fullTrust | Unrestricted file-system access; appropriate only for trusted users and applications. |
For the security rationale behind each level, see Trust Levels.
Properties
| Property | Type | Default | Notes |
|---|---|---|---|
trustLevel * | enum | — | noTrust, lowTrust, fullTrust, disposable. Required. |
allowedPaths | string[] | [] | Additional permitted paths. Applies to lowTrust / fullTrust only; the editor greys this out for noTrust / disposable. |
blockedPaths | string[] | [] | Explicitly blocked paths (blacklist), added on top of the global baseline. |
virtualShares | object[] | [] | Named server locations shown in the file-transfer panel (see below). |
Virtual shares
Each entry in virtualShares publishes a server-side location into the file-transfer panel.
| Property | Type | Default | Notes |
|---|---|---|---|
name * | string | — | Display name in the panel. |
path * | string | — | Server file-system path. |
access * | enum | — | ReadOnly or ReadWrite. |
filters | string | "*.*" | Pipe-separated extension filters, e.g. *.txt|*.log. |
enabled | boolean | true | Whether the share is active. |
groups | string[] | — | IAM group IDs allowed to see this share. Omit or leave empty for everyone. |
Sample
"fileSystem": {
"trustLevel": "lowTrust",
"allowedPaths": ["C:\\Workspaces\\Shared"],
"blockedPaths": [],
"virtualShares": [
{
"name": "Public Documents",
"path": "C:\\Users\\Public\\Documents",
"access": "ReadWrite",
"filters": "*.*",
"enabled": true,
"groups": []
}
]
}
How open and save behave
When an application opens a file dialog, WebStream redirects it to a browser-native experience governed by the policy. The trust level and any path rules determine which locations are visible and whether saving is permitted. From the user's point of view, opening and saving feel native — see Opening & Saving Files.
The trust level overrides the global <trust><level> default when present; with no policy, the global level applies. blockedPaths is unioned with the global <filesystemRestrictions><defaultBlockedPaths> baseline (policy can add, not remove), and <protectedPaths> are never unblocked even if a policy lists them. The master switch <filesystemRestrictions><enabled> is a gate: if disabled, no NTFS ACL enforcement happens at all. When a policy supplies virtualShares, that list replaces any shares defined in app.config.xml.
Start restrictive and open up only where a workflow requires it. Granting fullTrust broadly removes most of the file-handling controls that make browser delivery safer than raw RDP.