
Security filters should set 401 or 403 more appropriately


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Neutral
    • Affects Version/s: 4.5.3, 4.5.2
    • Component/s: core
    • Labels: None

    Description

      Currently, both URISecurityFilter and ContentSecurityFilter inadequately set a 403 HTTP status when a user doesn't have access to a given resource. The problem lies in the fact that they don't distinguish between anonymous and logged-in access. An anonymous request should most likely end up with a 401 code ("needs authentication"), whereas when the user is already logged in, the more correct return code would be 403 ("not authorized"). While this might lead to some security concerns (one can discover the existence of protected content), the current behaviour also leads to HTTP Basic authentication simply not working with some clients. Browsers, for example, will only display the credentials dialog when receiving a 401, not a 403 - or so it seems, anyway.
      If there really are security concerns about this change, it could also be made optional (on/off).
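As an added illustration of the distinction the report asks for (example code, not Magnolia's own filters): a servlet filter that sends 401 with a WWW-Authenticate challenge to anonymous callers and 403 to authenticated ones, with the on/off switch the report suggests. It assumes a hypothetical isAllowed() permission check, a hypothetical "distinguishAnonymous" init-param, and that the container principal is null for anonymous requests; Magnolia's filters would consult their own user context instead.

```java
// Added example, not Magnolia's URISecurityFilter/ContentSecurityFilter code.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DistinguishingSecurityFilter implements Filter {
    // Switch suggested in the report: when false, keep the legacy
    // behaviour of always answering 403 (hides whether content exists).
    private boolean distinguishAnonymous = true;
    private String realm = "Magnolia";

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-params (not part of Magnolia's configuration).
        String flag = config.getInitParameter("distinguishAnonymous");
        if (flag != null) distinguishAnonymous = Boolean.parseBoolean(flag);
        String r = config.getInitParameter("realm");
        if (r != null) realm = r;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAllowed(request)) {
            chain.doFilter(req, res);
            return;
        }
        // Assumption: no principal means nobody has authenticated yet.
        boolean anonymous = request.getUserPrincipal() == null;
        if (distinguishAnonymous && anonymous) {
            // A 401 must carry WWW-Authenticate (RFC 7235); without it a
            // browser has nothing to challenge with and shows no dialog.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            // Known user lacking permission: re-authenticating will not help.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Hypothetical stand-in for the real URI/content permission check.
    private boolean isAllowed(HttpServletRequest request) { return false; }

    @Override
    public void destroy() {}
}
```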

              People

                dlipp Daniel Lipp
                gjoseph Magnolia International