Details
Type: Bug
Resolution: Won't Do
Priority: Major
Description
IPSecurityManager will send 403 if the isAllowed check fails. This means that the Magnolia login form will be rendered, which is a security problem.
Either the correct code should be sent (405), or, if this is on purpose, then the login form still shouldn't be rendered.
IMO:
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
should be
response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
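Added illustration (editor's example, not Magnolia's IPSecurityManager and not code from the report). It shows the mechanism behind the complaint: in the Servlet API, response.setStatus() only records a status code and does not commit the response, so if the filter then lets the chain continue, a downstream component (for example a login filter) can still write a body, and a rendered login page is exactly what the reporter observed. Calling sendError() and returning without invoking the chain commits the response, so nothing later in the chain can render. Note that RFC 7231 assigns 403 Forbidden to "understood the request but refuses to authorize it" and 405 to an HTTP method the resource does not support, so 403 is the conventional code for an IP-based denial; the fix the report needs is to stop the chain, not to change the code. The class name, the hard-coded allow-list and the Arrays/HashSet construction are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical IP allow-list filter (not Magnolia's IPSecurityManager).
 * Demonstrates the difference between merely setting a status code and
 * actually ending the response when the IP check fails.
 */
public class IpAllowlistFilter implements Filter {

    // Constructed allow-list for the example; a real deployment would load this from configuration.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("10.0.0.5", "192.168.1.10")));

    /** Plain allow-list membership check; assumed here to stand in for isAllowed(). */
    static boolean isAllowed(String remoteAddr) {
        return remoteAddr != null && ALLOWED.contains(remoteAddr);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise for the example
    }

    /**
     * BROKEN variant, kept to show the behaviour the report describes:
     * the status is set to 403 but the chain still runs, so whatever sits
     * downstream (e.g. a login filter) can render a page on top of that status
     * or even overwrite the status before the response is committed.
     */
    public void doFilterStatusOnly(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!isAllowed(request.getRemoteAddr())) {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN); // recorded, but response is NOT committed
            // missing: return;  -> execution falls through into the chain
        }
        chain.doFilter(request, response); // downstream code may still render the login form
    }

    /**
     * Short-circuiting variant: deny, commit the response, and never call the chain.
     * sendError() flushes the buffer and marks the response committed, so later
     * writes by other filters or servlets are rejected rather than rendered.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!isAllowed(request.getRemoteAddr())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
            return; // do not continue the chain: nothing downstream can render a login form
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release for the example
    }
}
```

A quick check for the deployed behaviour is to request a protected URL from a non-allowed address and confirm the response is a 403 with the container's error body (or a configured error page) rather than a 200 with the login form; if the login form still arrives, the denying filter is setting a status but not ending the chain.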