Details
- Bug
- Resolution: Duplicate
- Neutral
Description
In servlet mapping you have several servlets with a DOT mapping:
- /.magnolia/admincentral
- /.rest/*
- ...and many more
The intention is to map any URL of this form:
- http://<domain>:<port>/.magnolia/admincentral
- http://<domain>:<port>/.rest/<service>
...
These URLs are blocked on the public instance for the anonymous user due to its role rules:
- DENY /.magnolia/admincentral
- DENY /.rest*
...
SiteUriSecurityFilter relies on PermissionsUtil to do a proper match between the request path and the user's URI permissions, but every line is converted to a regex, where "." means "any character".
This ends up producing undesired URI aliases that show the Magnolia login:
- http://<domain>:<port>/amagnolia/admincentral
- http://<domain>:<port>/bmagnolia/admincentral
- http://<domain>:<port>/<x>magnolia/admincentral
- http://<domain>:<port>/arest/<service>
- http://<domain>:<port>/brest/<service>
- http://<domain>:<port>/<x>rest/<service>
DEMO: https://demopublic.magnolia-cms.com/amagnolia/admincentral
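The over-broad match described above, as an added example that is not Magnolia's code: `naive` is an assumed, hypothetical rule-to-regex conversion that leaves `.` unescaped, and `quoted` is one way to keep it literal using `Pattern.quote`. The two rules come from the report; the request paths (including the `nodes` service name) are constructed samples.

```java
import java.util.List;
import java.util.regex.Pattern;

public class DotMappingDemo {

    // Assumed naive conversion (hypothetical, not Magnolia's code): only "*" is
    // translated, so a literal "." in the rule stays a regex "any character".
    static Pattern naive(String rule) {
        return Pattern.compile(rule.replace("*", ".*"));
    }

    // Hardened conversion: quote every literal run, translate only "*".
    static Pattern quoted(String rule) {
        String[] literals = rule.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) {
                regex.append(".*");
            }
            regex.append(Pattern.quote(literals[i]));
        }
        return Pattern.compile(regex.toString());
    }

    public static void main(String[] args) {
        // Rules from the report; the request paths are constructed samples.
        List<String> rules = List.of("/.magnolia/admincentral", "/.rest*");
        List<String> paths = List.of(
                "/.magnolia/admincentral", "/amagnolia/admincentral",
                "/.rest/nodes", "/arest/nodes", "/rest/nodes");
        for (String rule : rules) {
            for (String path : paths) {
                // naive matches the one-character variants; quoted matches only
                // paths that contain the literal dot.
                System.out.printf("%-26s %-26s naive=%-5b quoted=%b%n", rule, path,
                        naive(rule).matcher(path).matches(),
                        quoted(rule).matcher(path).matches());
            }
        }
    }
}
```

`/rest/nodes` matches neither form, because the unescaped `.` still consumes exactly one character.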