Project: Magnolia
Issue: MAGNOLIA-3863

An additional security filter which handles callbacks on behalf of the existing UriSecurityFilter and ContentSecurityFilter


Details

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Neutral
    • Fix Version/s: 4.5
    • Component/s: core, security

    Description

      Rationale: we currently have 2 security filters, which among other things have duplicated configuration (the "callback", which presents the client with a login form). On top of this, with MAGNOLIA-3858, we realized there are cases where we also need to handle an AccessDeniedException which can be thrown between those two filters (i.e. from a servlet; example: the RSS servlet, which wraps an AccessDeniedException when the content it needs to access to generate a feed is not authorized for the current user).

      Implementation:

      • the 2 existing filters will not execute the callbacks anymore. They will merely set a 401 or 403 HTTP code in the response.
      • the new filter, placed in front of those two, will check the response's status, as well as catch AccessDeniedExceptions that might have been thrown down the filter chain, and execute an appropriate callback.

      This way, any component down the filter chain can set a 401 or 403 response code, or throw an AccessDeniedException, and we'll send an appropriate response to the user.

      TBD: how does this behave if rendering has begun? It is expected that an AccessDeniedException or other exception happening at that level would not be let up the chain.
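      The following is an added illustration of the design described above, written for this page and not taken from Magnolia's code base. It assumes a stand-in AccessDeniedException class, a hypothetical SecurityCallback interface (one callback per status code), and the Servlet 2.x API that Magnolia 4.5 targets, which has no getStatus() on the response, so the filter wraps the response to remember the status the downstream filters set. It also shows one answer to the "rendering has begun" question: if the response is already committed, the filter leaves it alone rather than appending a login form to partial output.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example, not Magnolia's code: a front filter that turns a 401/403 set
 * by downstream filters, or an AccessDeniedException thrown by any downstream
 * component, into a single "callback" (login form, access-denied page).
 */
public class SecurityCallbackFilter implements Filter {

    /** Stand-in for Magnolia's AccessDeniedException (assumed name and shape). */
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String message) { super(message); }
    }

    /** Hypothetical callback strategy, one instance per status code. */
    public interface SecurityCallback {
        void handle(HttpServletRequest req, HttpServletResponse res) throws IOException;
    }

    private final SecurityCallback unauthorizedCallback; // 401: e.g. render the login form
    private final SecurityCallback forbiddenCallback;    // 403: e.g. render an "access denied" page

    public SecurityCallbackFilter(SecurityCallback unauthorizedCallback, SecurityCallback forbiddenCallback) {
        this.unauthorizedCallback = unauthorizedCallback;
        this.forbiddenCallback = forbiddenCallback;
    }

    public void init(FilterConfig filterConfig) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        StatusRecordingResponse res = new StatusRecordingResponse((HttpServletResponse) response);

        int status;
        try {
            chain.doFilter(req, res);          // UriSecurityFilter, ContentSecurityFilter, servlets, ...
            status = res.getRecordedStatus();  // whatever the chain decided
        } catch (AccessDeniedException e) {
            status = statusFor(req);
        } catch (ServletException e) {
            // servlets commonly wrap the original exception; unwrap before deciding
            if (e.getRootCause() instanceof AccessDeniedException) {
                status = statusFor(req);
            } else {
                throw e;
            }
        }

        if (status != HttpServletResponse.SC_UNAUTHORIZED && status != HttpServletResponse.SC_FORBIDDEN) {
            return; // ordinary response, nothing for this filter to do
        }
        if (res.isCommitted()) {
            // Rendering already began and bytes were flushed: the body cannot be
            // replaced any more, so do not append a login form to partial output.
            return;
        }
        res.reset(); // discard buffered partial output and headers before the callback writes
        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            unauthorizedCallback.handle(req, res);
        } else {
            forbiddenCallback.handle(req, res);
        }
    }

    /** Assumption: anonymous users get 401 (please log in), authenticated users get 403. */
    private static int statusFor(HttpServletRequest req) {
        return req.getUserPrincipal() == null
                ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN;
    }

    /**
     * Remembers the status the chain set. A sendError() for 401/403 is recorded but
     * NOT forwarded: forwarding would commit the response with the container's
     * error page before the callback gets a chance to run.
     */
    static class StatusRecordingResponse extends HttpServletResponseWrapper {
        private int status = SC_OK;

        StatusRecordingResponse(HttpServletResponse response) { super(response); }

        int getRecordedStatus() { return status; }

        private static boolean handledByCallback(int sc) {
            return sc == SC_UNAUTHORIZED || sc == SC_FORBIDDEN;
        }

        public void setStatus(int sc) { status = sc; super.setStatus(sc); }

        public void sendError(int sc) throws IOException {
            status = sc;
            if (!handledByCallback(sc)) super.sendError(sc);
        }

        public void sendError(int sc, String msg) throws IOException {
            status = sc;
            if (!handledByCallback(sc)) super.sendError(sc, msg);
        }
    }
}
```

      Because reset() clears the status as well as the buffer, each callback is responsible for setting the final status itself (401 with the login form, 403 with the denied page, or a redirect), which keeps the decision about what the client sees in exactly one place, as the issue intends.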

      People

        Assignee: gjoseph (Magnolia International)
        Reporter: gjoseph (Magnolia International)
