As a matter of fact I just finished a first draft of http://wiki.magnolia-cms.com/display/DEV/Site+security+handling ... please edit/comment and bring up more suggestions.
Thanks,
Jan

On Aug 13, 2012, at 9:29 AM, Unger, Richard wrote:

> Hi Will,
>
> The multi-site “URL shortening” is a SEO feature. In production, it’s “nice” to have your site-root directly accessible under the domain, without a conceptually unnecessary path-element cluttering the URL. At the same time it is very convenient for development that you can still access the site by addressing it by IP (or generic name) and the site-name.
>
> In our experience it works well. We haven’t observed the URL-Security problem you mention. In our production environment we have one URL-Rule set up to block /A/B, and this is sufficient to catch calls both to “192.168.1.1/A/B” as well as “www.domain.com/B”. We’re on magnolia EE 4.4.8.
>
> Things get more complicated with multi-language and protecting DMS access as well. In this case there are more parts of the URL to consider:
> For multi-language, it’s the language prefixes like /en/A/B, /de/A/B etc…
> For DMS, you have to keep in mind that one site can access another site’s DMS content with URLs like www.domain.com/othersite/dms/path/to/content.
> The same works for website content too – you can see content from one site “in another site” by creating URLs like www.domain.com/othersite/..., although usually the rendering is messed up because the themes don’t match.
>
> Another thing to keep in mind are “static dms” accesses – you can get any DMS node by UUID by calling something like www.domain.com/dms-static/cafebabe-babe-cafe-beef-beefcafe/myfile.jpg - might be best to disable this on the public nodes if you don’t need it (see config --> /server/filters/servlets/DMSDownloadServlet/mappings).
>
> And another thing to consider is URLs of the form /.imaging/… which will allow you to get at any image in DMS (maybe not in original size, but at least via some existing variation).
>
> Our solution to all this: we use Apache in front of tomcat to filter out the accesses we don’t like, but it’s not the perfect solution, as we need O(n^2) rules in apache to protect n sites.
>
> IMHO Magnolia’s security would benefit if it made this configuration explicit: i.e. by default don’t allow “cross-site” and “cross-dms” accesses unless explicitly configured to do so in the mappings of the site-definition.
>
> Regards from Vienna,
>
> Richard
>
>
> From: [email protected] [mailto:[email protected]] On behalf of Will Scheidegger
> Sent: Sunday, 12 August 2012 14:06
> To: Magnolia User-List
> Subject: Re: [magnolia-user] Re: Multi site, site definitions and the mapping configuration
>
> Digging further:
>
> So according to [3] the proper ACL pattern should in fact be "<mysite>/path/to/some/page"
>
> As stated in my previous posts, this did not work (at least not as expected on my development machine). So I examined a bit further what URISecurityFilter / AccessManager was doing. SimpleUrlPattern is used to check if a rule matches or not. SimpleUrlPattern in fact is site-aware now. It looks for a <sitename> in its constructor and sets the site. From there on it not only checks if the URI matches the pattern, but it also checks if the site name matches. However, it gets the current site name by calling ExtendedAggregationState.getSiteBasedOnDomain(String domain), so it needs a domain name set in the site in order to work. This is probably all right for a system properly set up on a productive server, but not for development and in most environments not for testing / integration either, since domain names are most likely not correct there.
>
> Is there a reason why ExtendedAggregationState.getSite().getName() is not used for it? After all, the multiSite filter is located before the uriSecurity filter in the filter chain and it does a good job determining the site to be used with or without domain names.
>
> I modified the SimpleUrlPattern class in this area and afterwards everything I tested was working fine. Before I create a JIRA issue with the patch I wanted to ask you guys if I have missed something…?
> Thanks!
>
> -will
>
> [3] http://documentation.magnolia-cms.com/administration/security/accesscontrollists.html#SiteawareACLs
>
>
> ----------------------------------------------------------------
> For list details, see http://www.magnolia-cms.com/community/mailing-lists.html
> Alternatively, use our forums: http://forum.magnolia-cms.com/
> To unsubscribe, E-mail to: <[email protected]>
> ----------------------------------------------------------------
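The thread above touches three points a site-aware URL filter has to get right: the same content is reachable under several URL forms (192.168.1.1/A/B and www.domain.com/B), the site should be resolvable from the path prefix when no domain is configured (Will's development case), and cross-site access (www.domain.com/othersite/...) should be denied unless a site definition explicitly allows it (Richard's proposal). The following is an added, stand-alone model of that behaviour written for this thread; it is not Magnolia code, and the class names (SiteAwareUriSecurity, Resolved), site names, domains and deny rules are all constructed for illustration. It canonicalises every request to a "<site>/path" form before the deny rules are consulted, so one rule "A/B" covers every URL form that reaches that page.

```python
# Added example (not Magnolia code): stand-alone model of site-aware URL
# security. Site names, domains and rules below are constructed; the class
# names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Site:
    name: str
    domains: set = field(default_factory=set)
    # Other sites whose content this site may serve under its own domain
    # ("cross-site" access). Empty by default: deny unless configured.
    allowed_cross_sites: set = field(default_factory=set)


@dataclass
class Resolved:
    site: str    # site selected for the request (domain first, else path prefix)
    target: str  # site whose content the path actually addresses
    path: str    # path inside the target site, always starting with "/"


class SiteAwareUriSecurity:
    def __init__(self, sites, languages=(), deny_rules=()):
        self.sites = {s.name: s for s in sites}
        self.by_domain = {d: s.name for s in sites for d in s.domains}
        self.languages = set(languages)
        # Deny rules in "<site>/path" form; a rule covers that path and its subtree.
        self.deny_rules = [r.strip("/") for r in deny_rules]

    def resolve(self, host, uri) -> Optional[Resolved]:
        parts = [p for p in uri.split("/") if p]
        # Refuse dot segments rather than normalising them: the ACL must see
        # exactly the path the repository will see.
        if any(p in (".", "..") for p in parts):
            return None
        if parts and parts[0] in self.languages:
            parts = parts[1:]                        # /en/A/B -> /A/B
        site = self.by_domain.get(host)
        if site is None:
            # No domain mapping (IP or generic name): leading element names the site
            if not parts or parts[0] not in self.sites:
                return None
            site, parts = parts[0], parts[1:]
        target = site
        if parts and parts[0] in self.sites and parts[0] != site:
            target, parts = parts[0], parts[1:]      # www.domain.com/othersite/...
        return Resolved(site, target, "/" + "/".join(parts))

    def is_allowed(self, host, uri) -> bool:
        r = self.resolve(host, uri)
        if r is None:
            return False                             # cannot attribute to a site
        if r.target != r.site and r.target not in self.sites[r.site].allowed_cross_sites:
            return False                             # cross-site denied by default
        canonical = r.target + r.path                # e.g. "A/B" whatever URL form was used
        for rule in self.deny_rules:
            if canonical == rule or canonical.startswith(rule + "/"):
                return False
        return True


def build_example() -> SiteAwareUriSecurity:
    """Constructed configuration mirroring the thread: site A under
    www.domain.com, a second site that is allowed to reach A, and one
    deny rule "A/B"."""
    return SiteAwareUriSecurity(
        sites=[
            Site("A", domains={"www.domain.com"}),
            Site("othersite", domains={"www.other.example"},
                 allowed_cross_sites={"A"}),
        ],
        languages=("en", "de"),
        deny_rules=("A/B",),
    )


if __name__ == "__main__":
    sec = build_example()
    for host, uri in [("192.168.1.1", "/A/B"), ("www.domain.com", "/B"),
                      ("www.domain.com", "/de/B/sub"), ("www.domain.com", "/C"),
                      ("www.domain.com", "/othersite/dms/path"),
                      ("www.other.example", "/A/C")]:
        print(host, uri, "->", "allow" if sec.is_allowed(host, uri) else "deny")
```

Because the check runs on the canonical form, the deny rule also applies when another site serves A's content cross-site (www.other.example/A/B is still denied), and a request that cannot be attributed to any site is denied rather than passed through, which is the default-deny posture Richard asks for.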
