Hello Magnolians!

Playing with multisite and URISecurityFilter I think we found something not so much clear.

In the configuration you can find also on demo-public, there is a restricted area. The trick to hide a site area to anonymous users is to deny (on anonymous role) URL on

- /demo-project/members-area/protected*

At this point, if an anonymous user try to enter there, the uriSecurity filter start to play, looking into his patterns. And found the pattern "public", matches the "/demo-project/members-area/protected*" string and redirect to what specified in location nodeData, "/demo-project/members-area/login.html".

Everything clear, but what happen if I try to map the demo-project site behind Apache or simply with file hosts on Windows?

The uri to that page is now only "/members-area/protected", so the chain is broken and even anonymous user can access restricted area.

***

This is very important in a multisite environment. I think that at uriSecurity filter we should already know which site we are using, isn't it?

If Basel friends are working to fix the not-domain mapping site resolution, maybe this thought can be helpful. But I'm pretty sure that they already have found how to solve this situation, maybe with a reverse brainstorming ;-)

Anyway, good work to all Magnolia, multisite start to rock!!!

HTH,
Matteo


----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------

Reply via email to