[MAGNOLIA-6585] IPSecurityManager sends wrong response code and then renders login form Created: 07/Mar/16  Updated: 19/May/22  Resolved: 19/May/22

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Bence Vass Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

IPSecurityManager will send 403, if the isAllowed check fails. This means that the magnolia login form will be rendered, which is a security problem.

Either the correct code should be sent (405), or if this is on purpose, then the login form still shouldn't be rendered.

Imo:
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
should be
response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);



 Comments   
Comment by Roman Kovařík [ 19/May/22 ]

Hello,

This ticket is now marked as closed due to one of the following reasons:

  • A long period of inactivity
  • Uses an old or Beta version of an application, module, or framework that we no longer support
  • The issue is no longer reproducible or has been fixed in later versions

If you are still facing a problem or consider this issue still relevant, please feel free to re-open the ticket and we will reach out to you.

Thank you,
The Magnolia Team

Generated at Mon Feb 12 04:15:54 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.