I was just asked on IRC how to protect some attachments without forcing all requested attachments to go through the viewfile cgi script (as that causes your foswiki images and css to load incredibly slowly), and here’s the howto I answered with:
I coded foswiki 1.0’s viewfile script to work as an apache ErrorDocument, so if you can find a way to trigger a 404 or 401 error, you can get apache to run viewfile:
ErrorDocument 404 /foswiki/bin/viewfile
ErrorDocument 401 /foswiki/bin/viewfile
If you place your pub dir somewhere outside where apache serves files and then softlink the non-protected webs into apache’s path (so it serves them at full speed), then requests for files in the secured webs will generate a 404, triggering the viewfile ErrorDocument, which will then serve the file only to authenticated users.
This will work irrespective of the authentication choices in your foswiki setup, and as the files that require securing are outside apache’s file serving areas, they can be considered as secure as possible.
As an added bonus, any request for a file that does not exist will show a foswiki error page, rather than a static HTML page.
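The layout described above can be scripted and checked. This is an added example, not code from the original post or from foswiki; the function names, directory paths and web names (Main, System, Secret) are constructed placeholders. It links only the listed webs into the served directory and then audits that nothing else is reachable without going through viewfile.

```shell
#!/bin/sh
# Added example. Paths and web names are constructed placeholders.
# STORE  = real pub dir, kept outside every directory Apache serves
# SERVED = directory Apache maps the pub URL to; holds only symlinks
# Apache must be allowed to follow the links (e.g. Options FollowSymLinks).

# link_public_webs STORE SERVED WEB...
link_public_webs() {
    store=$1; served=$2; shift 2
    # Refuse a store that resolves inside the served tree: it would bypass viewfile.
    case "$(cd "$store" && pwd -P)/" in
        "$(cd "$served" && pwd -P)/"*) echo "store is inside served dir" >&2; return 1 ;;
    esac
    for web in "$@"; do
        [ -d "$store/$web" ] || { echo "no such web: $web" >&2; return 1; }
        ln -sfn "$store/$web" "$served/$web"
    done
}

# audit_served SERVED WEB...: fail if SERVED exposes anything not on the public list
audit_served() {
    served=$1; shift
    rc=0
    for entry in "$served"/*; do
        if [ ! -e "$entry" ] && [ ! -L "$entry" ]; then continue; fi
        name=${entry##*/}; ok=0
        for web in "$@"; do
            if [ "$name" = "$web" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "served without viewfile: $name" >&2; rc=1; fi
    done
    return "$rc"
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/store/Main" "$tmp/store/System" "$tmp/store/Secret" "$tmp/www/pub"
    link_public_webs "$tmp/store" "$tmp/www/pub" Main System &&
        audit_served "$tmp/www/pub" Main System && echo "layout ok: Secret is not linked"
    rm -rf "$tmp"
}
demo
```

Running audit_served from a periodic job catches a protected web that was later linked or copied into the served directory by mistake.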