Security filters should set 401 or 403 more appropriately
---------------------------------------------------------
Key: MAGNOLIA-4395
URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-4395
Project: Magnolia
Issue Type: Bug
Security Level: Public
Components: core
Affects Versions: 4.5.2
Reporter: Grégory Joseph
Assignee: Daniel Lipp
Fix For: 4.5.3, 4.5.x
Currently, both {{URISecurityFilter}} and {{ContentSecurityFilter}}
inadequately set a {{403}} HTTP status when a user doesn't have access to a
given resource. The problem lies in the fact that they don't distinguish
between anonymous and logged-in access. An anonymous request should most likely
end up with a {{401}} code ("needs authentication"), whereas when the user is
already logged in, a more correct return code would be {{403}} ("not
authorized"). While this might lead to some security concerns (one can discover
the existence of protected content), it also leads to basic authentication
simply not working with some clients. Browsers, for example, will only display
the auth dialog when receiving a 401, not a 403 - or so it seems, anyway.
If there really are security concerns about this change, it could also be made
optional (on/off).
--
This message is automatically generated by JIRA.
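The 401-versus-403 decision described in this issue, including the proposed on/off switch, as an added example in Go. This is not Magnolia's code ({{URISecurityFilter}} and {{ContentSecurityFilter}} are Java servlet filters); the user store, realm, path prefixes, roles and the HTTP Basic login are all constructed for the example. It also shows the part the issue only hints at: a 401 is what makes a browser prompt, but only when the response also carries a {{WWW-Authenticate}} header, which RFC 7235 requires on every 401.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// account is a constructed in-memory user record standing in for the real
// user store; the credentials below are illustrative only.
type account struct {
	password string
	roles    map[string]bool
}

// accessRule protects every path under prefix and requires role.
type accessRule struct {
	prefix string
	role   string
}

// securityFilter is the decision policy. distinguishAnonymous is the proposed
// on/off switch: when true an anonymous denial is 401 and an authenticated one
// is 403; when false every denial is 403, which hides whether protected
// content exists but also keeps browsers from ever showing a login dialog.
type securityFilter struct {
	realm                string
	users                map[string]account
	rules                []accessRule
	distinguishAnonymous bool
}

// authenticate checks HTTP Basic credentials against the constructed store and
// returns the caller's roles plus whether the caller is logged in at all.
func (f securityFilter) authenticate(r *http.Request) (map[string]bool, bool) {
	name, pass, ok := r.BasicAuth()
	if !ok {
		return nil, false
	}
	acct, found := f.users[name]
	if !found {
		return nil, false
	}
	// Constant-time compare so a wrong password is not timing-distinguishable.
	if subtle.ConstantTimeCompare([]byte(pass), []byte(acct.password)) != 1 {
		return nil, false
	}
	return acct.roles, true
}

// denialStatus is the core fix: 401 ("needs authentication") for anonymous
// callers, 403 ("not authorized") for callers who are logged in.
func denialStatus(authenticated, distinguishAnonymous bool) int {
	if !authenticated && distinguishAnonymous {
		return http.StatusUnauthorized
	}
	return http.StatusForbidden
}

// wrap puts the filter in front of next, like a servlet filter chain.
func (f securityFilter) wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		roles, authed := f.authenticate(r)
		for _, rule := range f.rules {
			if !strings.HasPrefix(r.URL.Path, rule.prefix) || roles[rule.role] {
				continue
			}
			status := denialStatus(authed, f.distinguishAnonymous)
			if status == http.StatusUnauthorized {
				// RFC 7235: a 401 must carry WWW-Authenticate; the header plus
				// the 401 is what makes a browser show the Basic auth dialog.
				w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q`, f.realm))
			}
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demoFilter builds a filter over constructed users and rules (paths and
// role names are assumptions, not Magnolia's configuration).
func demoFilter(distinguish bool) securityFilter {
	return securityFilter{
		realm: "magnolia-demo",
		users: map[string]account{
			"editor":    {password: "editor-pw", roles: map[string]bool{"editor": true}},
			"superuser": {password: "super-pw", roles: map[string]bool{"editor": true, "admin": true}},
		},
		rules: []accessRule{
			{prefix: "/.magnolia/", role: "admin"},
			{prefix: "/authoring/", role: "editor"},
		},
		distinguishAnonymous: distinguish,
	}
}

// probe sends one request through the filter and reports the status code and
// the WWW-Authenticate header; an empty user means an anonymous request.
func probe(f securityFilter, path, user, pass string) (int, string) {
	h := f.wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	f := demoFilter(true)
	for _, c := range []struct{ path, user, pass string }{
		{"/.magnolia/pages", "", ""},
		{"/.magnolia/pages", "editor", "editor-pw"},
		{"/.magnolia/pages", "superuser", "super-pw"},
		{"/public/index", "", ""},
	} {
		code, hdr := probe(f, c.path, c.user, c.pass)
		fmt.Printf("%-18s user=%-11q -> %d %s\n", c.path, c.user, code, hdr)
	}
}
```

With the switch on, an anonymous or wrong-password request to a protected path gets 401 plus the challenge header, a logged-in user without the required role gets 403 with no challenge, and permitted requests pass through. With the switch off, the anonymous request gets 403 as today, which is exactly the case where the browser never prompts.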