<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 03:50:24 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>
    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MAGNOLIA-3863] An additional security filter which handles callbacks on behalf of the existing UriSecurityFilter and ContentSecurityFilter</title>
                <link>https://jira.magnolia-cms.com/browse/MAGNOLIA-3863</link>
                <project id="10000" key="MAGNOLIA">Magnolia</project>
                    <description>&lt;p&gt;Rationale: we currently have 2 security filters, which among other things have duplicated configuration (the &quot;callback&quot;, which presents the client with a login form). On top of this, with &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MAGNOLIA-3858&quot; title=&quot;Support for multiple HttpClientCallback, where the callback itself decides if it handles the request&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MAGNOLIA-3858&quot;&gt;&lt;del&gt;MAGNOLIA-3858&lt;/del&gt;&lt;/a&gt;, we realized there are cases where we also need to handle an &lt;tt&gt;AccessDeniedException&lt;/tt&gt; which can be thrown between those two filters (i.e. from a servlet; for example, the RSS servlet, which wraps an &lt;tt&gt;AccessDeniedException&lt;/tt&gt; when the content it needs to access to generate a feed is not authorized for the current user).&lt;/p&gt;

&lt;p&gt;Implementation:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;the 2 existing filters will not execute the callbacks anymore. They will merely set a &lt;tt&gt;401&lt;/tt&gt; or &lt;tt&gt;403&lt;/tt&gt; HTTP status code in the response.&lt;/li&gt;
	&lt;li&gt;the new filter, placed in front of those two, will check the response&apos;s status, as well as catch &lt;tt&gt;AccessDeniedException&lt;/tt&gt;s that might have been thrown down the filter chain, and execute an appropriate callback.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This way, any component down the filter chain can set a &lt;tt&gt;401&lt;/tt&gt; or &lt;tt&gt;403&lt;/tt&gt; response code, or throw an &lt;tt&gt;AccessDeniedException&lt;/tt&gt;, and we&apos;ll send an appropriate response to the user.&lt;/p&gt;

&lt;p&gt;TBD: how does this behave if rendering has begun? It is expected that an &lt;tt&gt;AccessDeniedException&lt;/tt&gt; or other exception happening at that level would not be let up the chain.&lt;/p&gt;</description>
                <environment></environment>
        <key id="21901">MAGNOLIA-3863</key>
            <summary>An additional security filter which handles callbacks on behalf of the existing UriSecurityFilter and ContentSecurityFilter</summary>
                <type id="2" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10891&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/neutral.gif">Neutral</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="1">Fixed</resolution>
                                        <assignee username="gjoseph">Magnolia International</assignee>
                                    <reporter username="gjoseph">Magnolia International</reporter>
                        <labels>
                    </labels>
                <created>Wed, 19 Oct 2011 19:52:35 +0200</created>
                <updated>Wed, 25 Apr 2012 16:17:44 +0200</updated>
                            <resolved>Fri, 9 Mar 2012 14:54:56 +0100</resolved>
                                                    <fixVersion>4.5</fixVersion>
                                    <component>core</component>
                    <component>security</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                <comments>
                            <comment id="40049" author="dfghi" created="Wed, 19 Oct 2011 22:56:58 +0200"  >&lt;p&gt;IMHO using the response code directly to execute the callback is a bit &quot;limiting&quot;... It might be perfectly right on authoring, where you have to pass through Magnolia login anyway, but on public instances (especially if some other framework is integrated) it could be legit to send a 401 or a 403 directly to the client, for parts that just happen to pass the Magnolia filter chain but are not strictly Magnolia-related. (First examples are Spring Security logins or any SSO integration for public users.)&lt;/p&gt;

&lt;p&gt;The idea of the exception might be the same as discussed in &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MAGNOLIA-3595&quot; title=&quot;Add an exception handler for filters.&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MAGNOLIA-3595&quot;&gt;&lt;del&gt;MAGNOLIA-3595&lt;/del&gt;&lt;/a&gt; and related issues. This is just to say that even if the rendering has not begun, AccessDeniedException would be logged anyway before bubbling... :)&lt;/p&gt;</comment>
                            <comment id="40700" author="gjoseph" created="Wed, 2 Nov 2011 14:21:34 +0100"  >&lt;p&gt;Still to do: an update task to check (and move/backup if necessary) the callbacks configured in the &lt;tt&gt;contentSecurity&lt;/tt&gt; filter.&lt;/p&gt;</comment>
                            <comment id="40743" author="gjoseph" created="Wed, 2 Nov 2011 18:57:50 +0100"  >&lt;p&gt;Another thing to take into account. When setting a status with &lt;tt&gt;setStatus&lt;/tt&gt;, we don&apos;t commit the response, and everything is fine. I changed the few places in our filters where &lt;tt&gt;sendError&lt;/tt&gt; was used. When &lt;tt&gt;sendError&lt;/tt&gt; is used, the response is committed, and that means we can&apos;t do a redirect, for example. The RedirectClientCallback can be useful in SSO scenarios (the login form is on a different host). And... I&apos;ve seen a bunch of code in our codebase that uses &lt;tt&gt;sendError&lt;/tt&gt; (so the RedirectClientCallback never really worked for those). Should we change that? Or change the behavior of the ResponseWrapper in the SecurityCallbackFilter?&lt;/p&gt;</comment>
                            <comment id="41238" author="dlipp" created="Mon, 14 Nov 2011 23:52:34 +0100"  >&lt;p&gt;Along with SCRUM-604 I reverted using setStatus in AggregatorFilter. When encountering a 404, using setStatus is not enough: getErrorStream will then return null and a user would get an empty page.&lt;/p&gt;

&lt;p&gt;The only other option I could think of would be to use setStatus in AggregatorFilter and fix the errorStream later in SecurityCallbackFilter#doFilter(HttpServletRequest, HttpServletResponse, FilterChain). This does not seem to be a superior solution.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10040">
                    <name>causality</name>
                                                                <inwardlinks description="is causing">
                                        <issuelink>
            <issuekey id="23023">MAGNOLIA-3967</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="23797">MGNLWEBDAV-29</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10020">
                    <name>dependency</name>
                                            <outwardlinks description="depends upon">
                                        <issuelink>
            <issuekey id="22076">MAGNOLIA-3876</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="22068">MAGNOLIA-3875</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is depended upon by">
                                        <issuelink>
            <issuekey id="21847">MAGNOLIA-3858</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10010">
                    <name>relation</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="22341">MAGNOLIA-3890</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10022">
                    <name>supersession</name>
                                            <outwardlinks description="supersedes">
                                        <issuelink>
            <issuekey id="16515">MAGNOLIA-2718</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            <checklist>Empty</checklist>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 19 Oct 2011 22:56:58 +0200</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>mmuehlebach</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            12 years, 14 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>dlipp</customfieldvalue>
                            <customfieldvalue>dfghi</customfieldvalue>
                            <customfieldvalue>gjoseph</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i00trb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4871</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>