Site-aware ACLs
---------------
Key: DOCU-244
URL: http://jira.magnolia-cms.com/browse/DOCU-244
Project: Documentation
Issue Type: New Feature
Security Level: Public
Components: content
Reporter: Antti Hietala
Assignee: Ruth Stocks
MAGNOLIA-3915 introduced a new ACL parameter {{<site>}} that can be added at
the beginning of a path or URL. The parameter applies the ACL rule when the
current site definition matches its value.
The purpose is to prevent a multisite scenario where content from one site can
be accessed through all its sibling sites. Such a scenario hurts SEO efforts
since crawlers interpret the sibling content as duplicate: it is the same
content but visible through different URLs.
For example, the {{demo-project}} site definition (screenshot) says that when
the site is accessed via domain {{www.demo-project.com}}, content should be
served from {{/demo-project}}, as defined in the {{handlePrefix}} property.
However, it is also possible to access sibling site {{/demo-features}} content
at the same domain using a URL such as
{{www.demo-project.com/demo-features.html}}. The domain says content should be
served from {{/demo-project}} but in fact it can come from {{/demo-features}}.
This is the issue.
To test locally:
# In your [hosts file|http://en.wikipedia.org/wiki/Hosts_(file)], map
{{www.demo-project.com}} and {{www.demo-features.com}} to {{127.0.0.1}} (both
domains are requested in the steps below).
{code}
127.0.0.1 www.demo-project.com
127.0.0.1 www.demo-features.com
{code}
# [Flush the DNS
cache|http://www.techiecorner.com/35/how-to-flush-dns-cache-in-linux-windows-mac/].
# Request content at
{{http://www.demo-project.com:8080/magnoliaPublic/demo-features.html}}. You can
see content from the sibling site {{/demo-features}}, which is not good.
To deny cross-site content access using the new {{<site>}} parameter:
# Log into AdminCentral on the public instance and edit the {{anonymous}} role.
# Add an ACL in the {{URL}} space. Deny access to
{{<demo-project>/demo-features*}}. Angle brackets should be included. The first
part in the brackets means "apply this ACL when the site definition
{{demo-project}} is applied". The second part means "deny access to content at
{{/demo-features}} and below".
# Save the role.
# Log out.
# Request content at
{{http://www.demo-project.com:8080/magnoliaPublic/demo-features.html}}. You
should be denied access and presented a login screen instead.
# Request content at
{{http://www.demo-features.com:8080/magnoliaPublic/demo-features.html}}. Now
content should be served since you are requesting it via a domain that is
mapped to a different site definition {{demo-features}}.
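The following is an added model of the site-aware URL ACL semantics described above, written for this issue and not taken from the Magnolia code base. It assumes a domain-to-site-definition map built from the {{handlePrefix}} values in the scenario, treats a trailing {{*}} as a prefix match, and evaluates the request path with the {{/magnoliaPublic}} context path already stripped; a rule without a {{<site>}} prefix is modelled as applying to every site.

```python
import re
from typing import List, Optional
from dataclasses import dataclass

# Constructed site definitions modelled on the issue: domain -> (site name, handlePrefix).
SITES = {
    "www.demo-project.com": ("demo-project", "/demo-project"),
    "www.demo-features.com": ("demo-features", "/demo-features"),
}

# "<site>/path*" -> optional site scope plus a URL path pattern.
ACL_RE = re.compile(r"^(?:<(?P<site>[^>]+)>)?(?P<path>.*)$")


@dataclass
class AclRule:
    site: Optional[str]  # None means the rule applies under every site definition
    pattern: str         # URL path pattern; trailing '*' denotes a prefix match
    permission: str      # "deny" or "allow"


def parse_rule(spec: str, permission: str) -> AclRule:
    """Split an ACL entry such as '<demo-project>/demo-features*' into its parts."""
    m = ACL_RE.match(spec)
    return AclRule(m.group("site"), m.group("path"), permission)


def path_matches(pattern: str, path: str) -> bool:
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def is_denied(domain: str, request_path: str, rules: List[AclRule]) -> bool:
    """Return True when a deny rule applies to this request under the site the domain maps to."""
    site_name = SITES[domain][0]
    for rule in rules:
        if rule.site is not None and rule.site != site_name:
            continue  # scoped to another site definition, so it does not apply here
        if rule.permission == "deny" and path_matches(rule.pattern, request_path):
            return True
    return False


# The single rule from the issue: deny /demo-features content when demo-project is the active site.
RULES = [parse_rule("<demo-project>/demo-features*", "deny")]

if __name__ == "__main__":
    for domain in SITES:
        print(domain, "/demo-features.html", "denied" if is_denied(domain, "/demo-features.html", RULES) else "served")
```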
Document the new parameter, its usage, purpose and the scenario in
/administration/security/accesscontrollists.