[DOCU-244] Site-aware ACLs Created: 10/Jan/12  Updated: 03/Nov/15

Status: Closed
Project: Documentation
Component/s: content
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Neutral
Reporter: Antti Hietala Assignee: Antti Hietala
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File demo-project-site-definition.png    

Description

MAGNOLIA-3915 introduced a new ACL parameter <site> that can be added at the beginning of a path or URL. The parameter applies the ACL rule when the current site definition matches its value.

The purpose is to prevent a multisite scenario where content from one site can be accessed through all its sibling sites. Such a scenario hurts SEO efforts since crawlers interpret the sibling content as duplicate: it is the same content but visible through different URLs.

For example, the demo-project site definition (screenshot) says that when the site is accessed via domain www.demo-project.com, content should be served from /demo-project, as defined in the handlePrefix property. However, it is also possible to access sibling site /demo-features content at the same domain using a URL such as www.demo-project.com/demo-features.html. The domain says content should be served from /demo-project but in fact it can come from /demo-features. This is the issue.

To test locally:

  1. In your hosts file, map both demo domains to 127.0.0.1:
     127.0.0.1       www.demo-project.com
     127.0.0.1       www.demo-features.com
  2. Flush the DNS cache.
  3. Request content at http://www.demo-project.com:8080/magnoliaPublic/demo-features.html. You can see content from the sibling site /demo-features, which is not good.

To deny cross-site content access using the new <site> parameter:

  1. Log into AdminCentral on the public instance and edit the anonymous role.
  2. Add an ACL in the URL space. Deny access to <demo-project>/demo-features*. Angle brackets should be included. The first part in the brackets means "apply this ACL when the site definition demo-project is applied". The second part means "deny access to content at /demo-features and below".
  3. Save the role.
  4. Log out.
  5. Request content at http://www.demo-project.com:8080/magnoliaPublic/demo-features.html. You should be denied access and presented a login screen instead.
  6. Request content at http://www.demo-features.com:8080/magnoliaPublic/demo-features.html. Now content should be served since you are requesting it via a domain that is mapped to a different site definition demo-features.
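The following is an added illustration, not Magnolia's own code: a small Python model of how a site-aware URL ACL is evaluated, built from the description above (a domain maps to a site definition, and the `<site>` prefix scopes a rule to one site definition). The site definitions, the `AclRule` type and the `is_denied` function are constructed for the example; request paths are taken relative to the webapp context (so `/demo-features.html`, not `/magnoliaPublic/demo-features.html`). It also generalizes slightly beyond the ticket by accepting rules with no `<site>` prefix, which then apply to every site.

```python
"""Model of the site-aware ACL rule from DOCU-244 (added example, not Magnolia code)."""
import fnmatch
import re
from typing import NamedTuple, Optional

# Constructed site definitions mirroring the ticket: each public domain maps to
# a site definition whose handlePrefix says where its content lives.
SITE_DEFINITIONS = {
    "www.demo-project.com": {"name": "demo-project", "handlePrefix": "/demo-project"},
    "www.demo-features.com": {"name": "demo-features", "handlePrefix": "/demo-features"},
}


class AclRule(NamedTuple):
    site: Optional[str]   # site definition the rule is limited to; None means every site
    pattern: str          # URL pattern, e.g. "/demo-features*" (the * covers the path and below)
    permission: str       # "deny" or "allow"


# Optional "<site>" prefix followed by the URL pattern, e.g. "<demo-project>/demo-features*".
RULE_RE = re.compile(r"^(?:<(?P<site>[^>]+)>)?(?P<pattern>/.*)$")


def parse_rule(text: str, permission: str) -> AclRule:
    """Parse an ACL path as entered in the role's URL space, angle brackets included."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed ACL path: {text!r}")
    return AclRule(m.group("site"), m.group("pattern"), permission)


def resolve_site(host: str) -> Optional[str]:
    """Return the name of the site definition mapped to the request's Host header."""
    site = SITE_DEFINITIONS.get(host.lower())
    return site["name"] if site else None


def is_denied(host: str, path: str, rules) -> bool:
    """Evaluate the URL ACL for one request.

    A deny rule applies only when its <site> prefix (if present) names the
    site definition currently in effect for the host, and its pattern matches
    the requested path.
    """
    current_site = resolve_site(host)
    for rule in rules:
        if rule.site is not None and rule.site != current_site:
            continue  # rule is scoped to a different site definition
        if rule.permission == "deny" and fnmatch.fnmatchcase(path, rule.pattern):
            return True
    return False


# The rule from the ticket: deny /demo-features and below, but only on demo-project.
TICKET_RULES = [parse_rule("<demo-project>/demo-features*", "deny")]


def check_scenario(rules=TICKET_RULES) -> dict:
    """Run the three requests from the ticket's test steps through the model."""
    requests = [
        ("www.demo-project.com", "/demo-features.html"),   # sibling content via wrong domain
        ("www.demo-features.com", "/demo-features.html"),  # same content via its own domain
        ("www.demo-project.com", "/demo-project.html"),    # the site's own content
    ]
    return {f"{host}{path}": ("denied" if is_denied(host, path, rules) else "served")
            for host, path in requests}


if __name__ == "__main__":
    for url, outcome in check_scenario().items():
        print(f"{url}: {outcome}")
```

Only the first request is denied: the rule's `<demo-project>` prefix leaves www.demo-features.com untouched, so the same content is still reachable through the domain that is actually mapped to it.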

Document the new parameter, its usage, purpose and the scenario in /administration/security/accesscontrollists.



Comments
Comment by Antti Hietala [ 10/Jan/12 ]

The <site> parameter is available starting with Magnolia 4.4.6

Comment by Ruth Stocks [ 07/Feb/12 ]

Documented at - http://docuauthor.magnolia-cms.com/administration/security/accesscontrollists.html#Siblingsiteaccess
