[MGNLRSSAGG-31] Protected feeds should be protected via Basic authentication
Created: 16/Mar/10  Updated: 04/Nov/15  Resolved: 04/Nov/15

Status: Closed
Project: Magnolia RSS Aggregator Module
Component/s: None
Affects Version/s: 1.1
Fix Version/s: 2.2.x

Type: Bug Priority: Major
Reporter: Jan Haderka Assignee: Unassigned
Resolution: Won't Do Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Safari 4, Mac OSX


Issue Links:
dependency
depends upon MAGNOLIA-3858 Support for multiple HttpClientCallba... Closed
is depended upon by MGNLFORUM-137 RSS feeds with authentication ? Closed

 Description   

... since RSS clients can't fill in the HTML form rendered by FormClientCallback. For instance, Safari 4 hangs when trying to retrieve feeds generated by the RSS Aggregator, and if one uses an external RSS client, it will fail to register the feed with a 401, not showing a username/password box, since all it gets is indeed a 401 and the FreeMarker-rendered login page.

This happens when authentication is needed to access the resource; on Windows, it seems that this only shows up if the user previously logs out from Magnolia, while on OS X, it's more obvious, as apparently the session cookie is not shared.

If one changes the authentication callback to BasicClientCallback, then it all works as expected.

The default uriSecurity callbacks should probably use a pattern delegating (as set up by demo-project for instance), so that other modules could insert their own configuration too. (WebDAV would be a candidate, since it currently replaces the URISecurityFilter for the same purposes)
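
The pattern-delegating setup suggested above, as an added example that is not Magnolia's code: the types `ChallengeCallback` and `DelegatingChallengeDemo`, the realm name and the `/rss/` and `/webdav/` patterns are hypothetical. It shows the difference a feed reader sees: a 401 that carries `WWW-Authenticate: Basic` can be answered with credentials, while a 401 that carries only an HTML login page cannot.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; these types are hypothetical and are not Magnolia's API.
public class DelegatingChallengeDemo {

    /** Builds the response sent to a client that has not authenticated yet. */
    interface ChallengeCallback {
        String challenge(String realm);
    }

    // Feed readers and WebDAV clients can act on this: 401 plus WWW-Authenticate.
    static final ChallengeCallback BASIC = realm ->
        "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"" + realm + "\"\r\n\r\n";

    // Browsers get an HTML login page (constructed body); no header tells a
    // non-browser client which authentication scheme to use.
    static final ChallengeCallback FORM = realm ->
        "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n<html>login form</html>\r\n";

    private final Map<Pattern, ChallengeCallback> delegates = new LinkedHashMap<>();
    private final ChallengeCallback fallback;

    DelegatingChallengeDemo(ChallengeCallback fallback) {
        this.fallback = fallback;
    }

    // A module registers its own URI pattern instead of replacing the whole filter.
    void register(String uriRegex, ChallengeCallback callback) {
        delegates.put(Pattern.compile(uriRegex), callback);
    }

    // The first matching pattern wins; every other URI keeps the default callback.
    String challengeFor(String requestPath, String realm) {
        for (Map.Entry<Pattern, ChallengeCallback> e : delegates.entrySet()) {
            if (e.getKey().matcher(requestPath).matches()) {
                return e.getValue().challenge(realm);
            }
        }
        return fallback.challenge(realm);
    }

    public static void main(String[] args) {
        DelegatingChallengeDemo callbacks = new DelegatingChallengeDemo(FORM);
        callbacks.register("^/rss/.*", BASIC);     // constructed pattern for the feed URIs
        callbacks.register("^/webdav/.*", BASIC);  // constructed pattern for a WebDAV mount
        System.out.print(callbacks.challengeFor("/rss/", "Magnolia"));
        System.out.print(callbacks.challengeFor("/demo-project/about.html", "Magnolia"));
    }
}
```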



 Comments   
Comment by Magnolia International [ 14/Jan/11 ]

Just bumped into this again. However, basic and form "loginHandlers" are always present. So if you tap into the feed and pass basic auth credentials right away, it works too. Example:

Not working with most rss readers:
http://demoauthor.magnolia-cms.com/rss/?generatorName=category&categories=ab9437db-ab2c-4df5-bb41-87e55409e8e1&siteRoot=/demo-project/about

Working with most rss readers:
http://superuser:superuser@demoauthor.magnolia-cms.com/rss/?generatorName=category&categories=ab9437db-ab2c-4df5-bb41-87e55409e8e1&siteRoot=/demo-project/about

Comment by Magnolia International [ 07/Oct/11 ]

In the webdav module, info.magnolia.module.webdav.security.WebdavAwareUriSecurityFilter actually has a solution that could be generalized with little to no effort.

Comment by Magnolia International [ 07/Oct/11 ]

Described a proposed change at http://wiki.magnolia-cms.com/display/DEV/Support+multiple+HttpClientCallback+by+default

Comment by Christian Hauser [ 21/Nov/11 ]

By fixing this it will improve our forum module, and therefore the use of the Forum Module by ourselves.

For me as a Partner Manager it is tactically important that I can start to promote the partner forum. Which I can only start if the users can subscribe to that forum.

I really hope that proper access control and RSS will work on the Partner Forum soon!

http://forum.magnolia-cms.com/forum/threads.html?forumId=83000220-06ec-4032-816c-ee74021af096

Comment by Christian Hauser [ 25/May/12 ]

I was told this was solved with 4.5.

Comment by Michael Mühlebach [ 04/Nov/15 ]

Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes.
Thanks for taking the time to raise this issue. As you are no doubt aware this issue has been on our backlog for some time now with very little movement.
I'm going to close this to set expectations so the issue doesn't stay open for years with few updates. If the issue is still relevant please feel free to reopen it or create a new issue.

Generated at Mon Feb 12 07:04:50 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.