[MAGNOLIA-1468] SecurityFilter must be before VirtualURIFilter
Created: 18/Apr/07  Updated: 23/Jan/13  Resolved: 19/Apr/07

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 3.0.2
Fix Version/s: 3.1 M1

Type: Bug
Priority: Critical
Reporter: Sameer Charles
Assignee: Sameer Charles
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Hi Devs,

What's the reason that we check security after VirtualURIFilter? This could lead to many security holes; the first and obvious one would be that if you are forwarding a request within VirtualURI, it will simply ignore security.
Virtual URIs should also be protected. I know we are missing this part in the GUI, where you can define an ACL for the URI, but it will come in the future.

I would propose to change this order in the filter definition. If any of you has any concerns, please let me know.
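
Added example, not part of the original ticket and not Magnolia's code: a simplified model of the two filter orders, showing why an ACL on a virtual URI is never evaluated when the forwarding filter runs first. It assumes a forward dispatches directly to its target and skips later filters; the class name, URIs and ACL entries are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model of an ordered filter chain. All names are hypothetical;
// this is not Magnolia's code and does not use the servlet API.
public class FilterOrderDemo {
    interface Filter { String apply(String user, String uri, List<Filter> rest); }

    // Constructed sample data: an ACL that covers the virtual URI as well as its target.
    static final Set<String> LOGIN_REQUIRED = Set.of("/go/console", "/admin/console");
    static final Map<String, String> VIRTUAL_URIS = Map.of("/go/console", "/admin/console");

    // Runs the remaining filters in order; an empty chain means the resource is served.
    static String run(String user, String uri, List<Filter> chain) {
        if (chain.isEmpty()) return "200 " + uri;
        return chain.get(0).apply(user, uri, chain.subList(1, chain.size()));
    }

    // Rejects anonymous requests (user == null) for URIs listed in the ACL.
    static final Filter SECURITY = (user, uri, rest) ->
        (user == null && LOGIN_REQUIRED.contains(uri)) ? "401 " + uri : run(user, uri, rest);

    // Assumption: a forward dispatches straight to the target, so filters that
    // come later in the chain never see the request.
    static final Filter VIRTUAL_URI = (user, uri, rest) -> {
        String target = VIRTUAL_URIS.get(uri);
        return target != null ? "200 " + target + " (forwarded)" : run(user, uri, rest);
    };

    public static void main(String[] args) {
        List<Filter> reported = List.of(VIRTUAL_URI, SECURITY); // order the ticket describes
        List<Filter> proposed = List.of(SECURITY, VIRTUAL_URI); // order the ticket proposes
        for (String uri : List.of("/go/console", "/admin/console")) {
            System.out.println("anonymous " + uri
                + " | virtual-URI first: " + run(null, uri, reported)
                + " | security first: " + run(null, uri, proposed));
        }
        System.out.println("editor /go/console | security first: "
            + run("editor", "/go/console", proposed));
    }
}
```

In this model the security-first order only protects the forwarded target when the virtual URI itself carries an ACL entry, which is the gap the description mentions for the GUI.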

