DOCU-244

Site-aware ACLs


Details

    • Type: New Feature
    • Resolution: Unresolved

    Description

      MAGNOLIA-3915 introduced a new ACL parameter <site> that can be prepended to a path or URL in an ACL entry. The entry is applied only when the site definition resolved for the current request matches the value in the brackets.

      The purpose is to prevent a multisite scenario where content from one site can be accessed through all of its sibling sites. Such a scenario hurts SEO since crawlers treat the sibling content as duplicate: the same content is reachable at different URLs.

      For example, the demo-project site definition (screenshot) says that when the site is accessed via the domain www.demo-project.com, content should be served from /demo-project, as defined in the handlePrefix property. However, it is also possible to access the sibling site's /demo-features content at the same domain using a URL such as www.demo-project.com/demo-features.html. The domain says content should be served from /demo-project, but in fact it can also come from /demo-features. This is the issue.

      To test locally:

      1. In your hosts file, map www.demo-project.com to 127.0.0.1. Map www.demo-features.com as well; it is needed for the last step of the procedure below.
        127.0.0.1       www.demo-project.com
        127.0.0.1       www.demo-features.com
        
      2. Flush the DNS cache.
      3. Request content at http://www.demo-project.com:8080/magnoliaPublic/demo-features.html. You can see content from the sibling site /demo-features, which is the cross-site access described above.

      To deny cross-site content access using the new <site> parameter:

      1. Log into AdminCentral on the public instance and edit the anonymous role.
      2. Add an ACL in the URL space that denies access to <demo-project>/demo-features*. The angle brackets are part of the entry. The part in the brackets means "apply this ACL only when the site definition demo-project is in effect". The rest means "deny access to content at /demo-features and below".
      3. Save the role.
      4. Log out.
      5. Request content at http://www.demo-project.com:8080/magnoliaPublic/demo-features.html. You should be denied access and presented with a login screen instead.
      6. Request content at http://www.demo-features.com:8080/magnoliaPublic/demo-features.html. Now the content should be served, since you are requesting it via a domain that is mapped to a different site definition, demo-features.
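      To make the semantics of the <site> qualifier concrete, the following Python model evaluates a request against URL ACL deny entries the way the procedure above expects. It is an added illustration, not Magnolia's implementation: it assumes a constructed host-to-site-definition lookup built from the two domains in this issue, takes paths relative to the webapp context (/demo-features.html rather than /magnoliaPublic/demo-features.html), and also shows that an entry without a <site> prefix applies on every site.

```python
import re
from fnmatch import fnmatchcase

# Constructed lookup: request host -> site definition name. Stands in for
# the site definitions' domain mapping described in the issue.
SITE_BY_DOMAIN = {
    "www.demo-project.com": "demo-project",
    "www.demo-features.com": "demo-features",
}

# The anonymous role's URL ACL from the issue: a single deny entry.
DENY_RULES = ["<demo-project>/demo-features*"]

# An entry is an optional <site> qualifier followed by a path pattern.
_ENTRY = re.compile(r"^(?:<(?P<site>[^>]+)>)?(?P<pattern>/.*)$")


def parse_entry(entry):
    """Split '<site>/path*' into (site or None, path pattern)."""
    m = _ENTRY.match(entry)
    if not m:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    return m.group("site"), m.group("pattern")


def entry_matches(entry, site, path):
    """True when the entry is in force for `site` and its pattern matches
    `path` (the context-relative path, e.g. /demo-features.html)."""
    entry_site, pattern = parse_entry(entry)
    if entry_site is not None and entry_site != site:
        return False  # site-aware entry, but a different site is in effect
    return fnmatchcase(path, pattern)  # trailing * covers the whole subtree


def is_allowed(host, path, deny_rules=DENY_RULES):
    """Resolve the site definition from the Host header, then deny the
    request if any deny entry applies; everything else is allowed."""
    site = SITE_BY_DOMAIN.get(host)  # unknown host -> no site-aware entry fires
    return not any(entry_matches(e, site, path) for e in deny_rules)


if __name__ == "__main__":
    # Steps 5 and 6 of the issue, plus a same-site page that stays reachable.
    for host, path in [("www.demo-project.com", "/demo-features.html"),
                       ("www.demo-features.com", "/demo-features.html"),
                       ("www.demo-project.com", "/demo-project.html")]:
        verdict = "allowed" if is_allowed(host, path) else "denied"
        print(f"{host}{path}: {verdict}")
```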

      Document the new parameter, its usage, purpose and the scenario in /administration/security/accesscontrollists.

      People

        ahietala Antti Hietala