[MAGNOLIA-2968] security: login form fails to render if content security filter denies access Created: 11/Dec/09  Updated: 23/Jan/13  Resolved: 15/Dec/09

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 4.2.1
Fix Version/s: 4.2.2

Type: Bug Priority: Major
Reporter: Philipp Bärfuss Assignee: Jan Haderka
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-2178 Error pages are sent with gzip headers Closed
is related to MAGNOLIA-2936 Error pages not served properly Closed

Description

The login form is only shown if the access to a page is denied by the URL security, while this doesn't work if the content security filter is used.

GZipFilter does not send the response to the client if the HTTP error code is different from 200 (info.magnolia.module.cache.filter.GZipFilter:90) (seems to be related to http://jira.magnolia-cms.com/browse/MAGNOLIA-2178).
The problem is that when you add a "deny access" permission on a content, the "ContentSecurityFilter clientCallback" login form cannot be returned to the client; we only have a Tomcat 401 error page.

This is working well with URISecurityFilter because it is executed before the GZipFilter in the filter chain, so we can work around the problem by adding a deny access to the content HTTP URI (but it is just a workaround).
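The filter-ordering effect described above, as an added example: a simplified Python model, not Magnolia code and not part of the original report. The filter functions, the `/private` path and the `forward_errors` switch are assumptions; the pass-through variant is one possible handling, not necessarily the change shipped in 4.2.2.

```python
import gzip

LOGIN_FORM = b"<form id='login'>...</form>"  # constructed stand-in for the login form

class Response:
    def __init__(self):
        self.status, self.body, self.encoding = 200, b"", None

def security_filter(prefix):
    """Model of a security filter: paths under `prefix` get 401 plus the login form."""
    def f(path, resp, chain):
        if path.startswith(prefix):
            resp.status, resp.body = 401, LOGIN_FORM
        else:
            chain(path, resp)
    return f

def gzip_filter(forward_errors):
    """Model of a buffering gzip filter; with forward_errors=False a non-200 body is dropped."""
    def f(path, resp, chain):
        buf = Response()                  # downstream output is captured, not sent
        chain(path, buf)
        resp.status = buf.status
        if buf.status == 200:
            resp.body, resp.encoding = gzip.compress(buf.body), "gzip"
        elif forward_errors:
            resp.body = buf.body          # pass the error body through uncompressed
    return f

def page(path, resp):
    resp.body = b"<html>protected page</html>"

def run(filters, path):
    """Invoke the filters in order, ending at the page renderer."""
    def step(i):
        def chain(p, r):
            if i < len(filters):
                filters[i](p, r, step(i + 1))
            else:
                page(p, r)
        return chain
    resp = Response()
    step(0)(path, resp)
    return resp

# Security check before the gzip filter (URI case): the login form reaches the client.
uri_first = run([security_filter("/private"), gzip_filter(False)], "/private/a")
# Security check after the gzip filter (content case): 401 with an empty body.
content_after = run([gzip_filter(False), security_filter("/private")], "/private/a")
content_fixed = run([gzip_filter(True), security_filter("/private")], "/private/a")
```

In the `content_after` case the client sees only the 401 status with no body, which is where the container's default error page takes over.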

