[MAGNOLIA-1162] ACL based on URLs Created: 25/Oct/06  Updated: 23/Jan/13  Resolved: 03/May/07

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 3.0.2
Fix Version/s: 3.1 M1

Type: Improvement Priority: Major
Reporter: Magnolia International Assignee: Sameer Charles
Resolution: Fixed Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
dependency
is depended upon by MAGNOLIA-1147 ADMIN INTERFACE: Site Editors Don't S... Closed
relation
is related to MAGNOLIA-1292 "anonymous" user is not logged in by ... Closed

 Description   

Next to the ACLs for website (repository), config, etc., we should have ACLs to secure parts of the website based on URL patterns.
(i.e. give access to users to the /tmp/fckeditor path without having such a path in the website repository itself and without abusing the repo/website ACLs)



 Comments   
Comment by Sameer Charles [ 19/Apr/07 ]

Split current security filter into:

  • BaseSecurityFilter
  • URISecurityFilter (responsible to control URI)
  • ContentSecurityFilter (responsible to control access on JCR)
  • LogoutFilter
  • ForceLoginFilter (handling form or basic authentication check MAGNOLIA-1385)

This will give us full freedom on how to manage access control: you can create your own SecurityFilter based on BaseSecurityFilter, which will provide basic methods like callbacks for login, or you can choose to create completely custom security filters.

Above changes (together with MAGNOLIA-1434) will remove configurations like server->SecureURIList/UnsecureURI, since all unsecure URIs will simply be bypassed by the security filter(s) as configured in the Filter configuration.

Comment by Philipp Bracher [ 27/Apr/07 ]

I added the URI ACL definition to the roles dialog.
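
The URL-pattern ACL check requested in the description and assigned to URISecurityFilter in the comments, as an added example that is not Magnolia's code. The class and method names, the `/*` pattern syntax, longest-match precedence and the `/admin` sample path are assumptions; it needs Java 16+ and expects an already percent-decoded request path.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

// Added illustration: all names here are hypothetical, not Magnolia's API.
public class UriAclExample {
    enum Permission { DENY, READ, READ_WRITE }

    // One entry of a role's URI ACL: "/prefix/*" covers a subtree, anything else is an exact path.
    record Entry(String pattern, Permission permission) {
        boolean matches(String path) {
            if (!pattern.endsWith("/*")) return pattern.equals(path);
            String base = pattern.substring(0, pattern.length() - 2);
            return path.equals(base) || path.startsWith(base + "/");
        }
    }

    // Canonicalise the path before matching so "/a/../b" is judged as "/b"; null if it climbs above the root.
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            int semi = segment.indexOf(';');          // drop path parameters (";name=value")
            if (semi >= 0) segment = segment.substring(0, semi);
            if (segment.isEmpty() || segment.equals(".")) continue;
            if (!segment.equals("..")) stack.addLast(segment);
            else if (stack.pollLast() == null) return null;
        }
        return "/" + String.join("/", stack);
    }

    // Deny by default; among matching entries the longest (most specific) pattern decides.
    static Permission decide(List<Entry> acl, String requestPath) {
        String path = normalize(requestPath);
        if (path == null) return Permission.DENY;
        Entry best = null;
        for (Entry e : acl)
            if (e.matches(path) && (best == null || e.pattern().length() > best.pattern().length())) best = e;
        return best == null ? Permission.DENY : best.permission();
    }

    public static void main(String[] args) {
        List<Entry> acl = List.of(                    // constructed sample ACL for one role
            new Entry("/tmp/fckeditor/*", Permission.READ_WRITE),
            new Entry("/tmp/fckeditor/config.js", Permission.READ));
        for (String p : List.of("/tmp/fckeditor/upload", "/tmp/fckeditor/config.js",
                "/tmp/fckeditorX/upload", "/tmp/fckeditor/../../admin"))   // constructed paths
            System.out.println(p + " -> " + decide(acl, p));
    }
}
```

Matching on the canonical path rather than the raw request string is what keeps a grant on `/tmp/fckeditor/*` from also covering `/tmp/fckeditorX` or a `..` traversal out of the subtree.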
