  1. Magnolia
  2. MAGNOLIA-6640

PermissionUtils / SimpleUrlPattern handle "." as "any char" while matching URI permissions


Details

    • Bug
    • Resolution: Duplicate
    • Neutral

    Description

      In servlet mapping you have several servlets with a DOT mapping:

      /.magnolia/admincentral
      /.rest/*
      ..and many more

      The intention is to map any URL of this form:

      • http://<domain>:<port>/.magnolia/admincentral
      • http://<domain>:<port>/.rest/<service>
        ...

      These URLs are blocked on the public instance for user anonymous due to its role rules:

      • DENY /.magnolia/admincentral
      • DENY /.rest*
        ...

      SiteUriSecurityFilter relies on PermissionsUtil to do a proper match between the request path and the user's URI permissions, but every line is converted to a regex, where "." means "any char".

      This will end up having undesired URI aliases showing the Magnolia login:

      • http://<domain>:<port>/amagnolia/admincentral
      • http://<domain>:<port>/bmagnolia/admincentral
      • http://<domain>:<port>/<x>magnolia/admincentral
      • http://<domain>:<port>/arest/<service>
      • http://<domain>:<port>/brest/<service>
      • http://<domain>:<port>/<x>rest/<service>

      DEMO: https://demopublic.magnolia-cms.com/amagnolia/admincentral
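
The matching behaviour described above, as an added example (not Magnolia's code and not part of the original report): a hypothetical rule-to-regex conversion that leaves "." unescaped, next to one that quotes literal text with `Pattern.quote`. The class and method names, the assumption that only "*" is a wildcard, and the sample paths are constructed for illustration.

```java
import java.util.regex.Pattern;

// Added illustration; NOT Magnolia's SimpleUrlPattern. All names are hypothetical.
public class UriRuleMatchDemo {

    // Naive conversion: only '*' is translated, so '.' keeps its regex
    // meaning of "any single character".
    static Pattern naive(String rule) {
        return Pattern.compile(rule.replace("*", ".*"));
    }

    // Hardened conversion: every literal segment is quoted, so '.' matches
    // only a literal dot; '*' remains the sole wildcard (assumption).
    static Pattern hardened(String rule) {
        String[] parts = rule.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                regex.append(".*");
            }
            if (!parts[i].isEmpty()) {
                regex.append(Pattern.quote(parts[i]));
            }
        }
        return Pattern.compile(regex.toString());
    }

    public static void main(String[] args) {
        // Rules taken from the report; request paths are constructed samples.
        String[] rules = {"/.magnolia/admincentral", "/.rest*"};
        String[] paths = {
            "/.magnolia/admincentral", "/amagnolia/admincentral",
            "/.rest/service", "/arest/service", "/magnolia/admincentral"
        };
        for (String rule : rules) {
            Pattern n = naive(rule);
            Pattern h = hardened(rule);
            for (String path : paths) {
                System.out.printf("rule=%-26s path=%-26s naive=%-5b hardened=%b%n",
                        rule, path,
                        n.matcher(path).matches(),
                        h.matcher(path).matches());
            }
        }
    }
}
```

With the naive conversion, `/amagnolia/admincentral` and `/arest/service` match the two rules; with the quoted conversion only the paths containing a literal `/.` do.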


            People

              Unassigned Unassigned
              matteo.pelucco Matteo Pelucco