Magnolia / MAGNOLIA-2968

security: login form fails to render if content security filter denies access


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 4.2.2
    • 4.2.1
    • None
    • None

    Description

      The login form is only shown if the access to a page is denied by the URL security, while this doesn't work if the content security filter is used.

      GZipFilter does not send the response to the client if the HTTP error code is different from 200 (info.magnolia.module.cache.filter.GZipFilter:90) (seems to be related to http://jira.magnolia-cms.com/browse/MAGNOLIA-2178).
      The problem is that when you add a "deny access" permission on a content, the "ContentSecurityFilter clientCallback" login form cannot be returned to the client; we only have a Tomcat 401 error page.

      This is working well with URISecurityFilter because it is executed before the GZipFilter in the filter chain, so we can work around the problem by adding a deny access to the content HTTP URI (but it is just a workaround).
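
The filter-ordering effect described above, as an added model that is not Magnolia's code: the class names mirror the issue, but the bodies, the `serve` helper, the sample paths and the `send_on_error` switch are assumptions made for illustration, and the switch is not necessarily how the bug was fixed.

```python
LOGIN_FORM = b"<form id='login'>...</form>"   # constructed placeholder
CONTAINER_401 = b"HTTP Status 401"            # stands in for Tomcat's error page

class Response:
    def __init__(self):
        self.status, self.body = 200, b""

class SecurityFilter:
    """Models URISecurityFilter / ContentSecurityFilter: deny + login callback."""
    def __init__(self, denied):
        self.denied = denied
    def do_filter(self, path, resp, chain):
        if path in self.denied:
            resp.status, resp.body = 401, LOGIN_FORM
        else:
            chain(path, resp)

class BufferingGzipFilter:
    """Models the reported behaviour: buffered output is only sent on 200."""
    def __init__(self, send_on_error=False):
        self.send_on_error = send_on_error
    def do_filter(self, path, resp, chain):
        buffered = Response()
        chain(path, buffered)                 # downstream writes into the buffer
        resp.status = buffered.status
        if buffered.status == 200 or self.send_on_error:
            resp.body = buffered.body         # compression itself omitted
        # otherwise the buffered login form is silently discarded

def serve(filters, path):
    """Run the chain in order; the container fills in empty error responses."""
    def chain_from(i):
        def chain(p, resp):
            if i < len(filters):
                filters[i].do_filter(p, resp, chain_from(i + 1))
            else:
                resp.body = b"<html>page</html>"
        return chain
    resp = Response()
    chain_from(0)(path, resp)
    if resp.status != 200 and not resp.body:
        resp.body = CONTAINER_401
    return resp

DENIED = {"/secret"}                          # constructed sample path
uri_first = serve([SecurityFilter(DENIED), BufferingGzipFilter()], "/secret")
content_after = serve([BufferingGzipFilter(), SecurityFilter(DENIED)], "/secret")
sent_on_error = serve([BufferingGzipFilter(True), SecurityFilter(DENIED)], "/secret")
```

In all three cases access stays denied with a 401; only the body that reaches the client differs, which is why the symptom is a missing login form rather than exposed content.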

              People

                had Jan Haderka
                pbaerfuss Philipp Bärfuss