[ 
http://jira.magnolia-cms.com/browse/MAGNOLIA-3863?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ondřej Chytil updated MAGNOLIA-3863:
------------------------------------

    Fix Version/s: 4.5.x
                       (was: 4.5)

> An additional security filter which handles callbacks on behalf of the 
> existing UriSecurityFilter and ContentSecurityFilter
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MAGNOLIA-3863
>                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3863
>             Project: Magnolia
>          Issue Type: New Feature
>      Security Level: Public
>          Components: core, security
>            Reporter: Grégory Joseph
>            Assignee: Grégory Joseph
>             Fix For: 4.5.x
>
>
> Rationale: we currently have 2 security filters, which among other things 
> have duplicated configuration (the "callback", which presents the client with 
> a login form). On top of this, with MAGNOLIA-3858, we realized there are 
> cases where we also need to handle an {{AccessDeniedException}} which can be 
> thrown between those two filters (i.e. from a servlet; example: the RSS 
> servlet, which wraps an {{AccessDeniedException}} when the content it needs 
> to access to generate a feed is not authorized for the current user).
> Implementation:
> * the 2 existing filters will not execute the callbacks anymore. They will 
> merely set a {{401}} or {{403}} HTTP code in the response.
> * the new filter, placed in front of those two, will check the response's 
> status, as well as catch {{AccessDeniedException}}s that might have been 
> thrown down the filter chain, and execute an appropriate callback.
> This way, any component down the filter chain can set a {{401}} or {{403}} 
> response code, or throw an {{AccessDeniedException}}, and we'll send an 
> appropriate response to the user.
> TBD: how does this behave if rendering has begun? It is expected that an 
> {{AccessDeniedException}} or other exception happening at that level would 
> not be let up the chain.

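A sketch of the front filter described in the issue, as an added example that is not Magnolia's code. The class names, the `AccessDeniedException` stand-in and the `executeCallback` method are hypothetical, and `HttpServletResponse.getStatus()` assumes Servlet 3.0 or later.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical stand-in for the project's own AccessDeniedException. */
class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

/** Hypothetical front filter; it must be mapped ahead of the two security filters. */
public class SecurityCallbackFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        try {
            chain.doFilter(req, res);
        } catch (IOException | ServletException | RuntimeException e) {
            // Unrelated failures propagate. So does a denial raised after output
            // was committed (the TBD case): nothing can be substituted by then.
            if (!isAccessDenied(e) || res.isCommitted()) throw e;
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);
        }
        if (res.isCommitted()) return; // status and body already on the wire
        int status = res.getStatus();
        if (status == HttpServletResponse.SC_UNAUTHORIZED
                || status == HttpServletResponse.SC_FORBIDDEN) {
            executeCallback(req, res, status);
        }
    }

    /** Walks the cause chain, because a servlet may wrap the exception. */
    static boolean isAccessDenied(Throwable t) {
        for (int depth = 0; t != null && depth < 16; t = t.getCause(), depth++) {
            if (t instanceof AccessDeniedException) return true;
        }
        return false;
    }

    /** Placeholder callback: a real one would present a login form or redirect. */
    void executeCallback(HttpServletRequest req, HttpServletResponse res, int status)
            throws IOException {
        res.sendError(status); // delegates to the container's error-page mapping
    }
}
```

Downstream components need to call `setStatus` rather than `sendError` for this to work, because `sendError` commits the response and the front filter would then take the early return.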