[MGNLRSSAGG-31] Protected feeds should be protected via Basic authentication Created: 16/Mar/10 Updated: 04/Nov/15 Resolved: 04/Nov/15 |
|
| Status: | Closed |
| Project: | Magnolia RSS Aggregator Module |
| Component/s: | None |
| Affects Version/s: | 1.1 |
| Fix Version/s: | 2.2.x |
| Type: | Bug | Priority: | Major |
| Reporter: | Jan Haderka | Assignee: | Unassigned |
| Resolution: | Won't Do | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Safari 4, Mac OSX |
||
| Issue Links: |
|
||||||||||||
| Template: |
|
||||||||||||
| Acceptance criteria: |
Empty
|
||||||||||||
| Task DoD: |
[ ]*
Doc/release notes changes? Comment present?
[ ]*
Downstream builds green?
[ ]*
Solution information and context easily available?
[ ]*
Tests
[ ]*
FixVersion filled and not yet released
[ ] 
Architecture Decision Record (ADR)
|
||||||||||||
| Bug DoR: |
[ ]*
Steps to reproduce, expected, and actual results filled
[ ]*
Affected version filled
|
||||||||||||
| Date of First Response: | |||||||||||||
| Description |
|
... since rss clients can't fill in the html form rendered by FormClientCallback. For instance, Safari 4 hangs when trying to retrieve feeds generated by the RSS Aggregator, and of one uses an external rss client, it will fail to register the feed with a 401, not showing a username/password box, since all it gets is indeed a 401 and the FreeMarker-rendered login page. This happens when authentication is needed to access the resource; on windows, it seems that this only shows up if the user previously logs out from Magnolia, while on osx, it's more obvious, as apparently the session cookie is not shared. If one changes the authentication callback to BasicClientCallback, then it all works as expected. The default uriSecurity callbacks should probably use a pattern delegating (as setup by demo-project for instance), so that other modules could insert their own configuration too. (WebDAV would be a candidate, since it currently replaces the URISecurityFilter for the same purposes) |
| Comments |
| Comment by Magnolia International [ 14/Jan/11 ] |
|
Just bumped into this again. However, basic and form "loginHandlers" are always present. So if you tap into the feed and pass basic auth credentials right away, it works too. Example: Not working with most rss readers: Working with most rss readers: |
| Comment by Magnolia International [ 07/Oct/11 ] |
|
In the webdav module, info.magnolia.module.webdav.security.WebdavAwareUriSecurityFilter actually has a solution that could be generalized with little to no effort. |
| Comment by Magnolia International [ 07/Oct/11 ] |
|
Described a proposed change at http://wiki.magnolia-cms.com/display/DEV/Support+multiple+HttpClientCallback+by+default |
| Comment by Christian Hauser [ 21/Nov/11 ] |
|
By fixing this it will improve our forum module, and therefore the use of the Forum Module by ourselves. For me as a Partner Manager it is tactically important that I can start to promote the partner forum. Which I can only start if the users can subscribe to that forum. I really hope that proper access control and RSS will work on the Partner Forum soon! http://forum.magnolia-cms.com/forum/threads.html?forumId=83000220-06ec-4032-816c-ee74021af096 |
| Comment by Christian Hauser [ 25/May/12 ] |
|
I was told this was solved with 4.5. |
| Comment by Michael Mühlebach [ 04/Nov/15 ] |
|
Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes. |