Digging further: So according to [3] the proper ACL pattern should in fact be "<mysite>/path/to/some/page"
As stated in my previous posts, this did not work (at least not as expected on my development machine). So I examined a bit further what URISecurityFilter / AccessManager was doing.

SimpleUrlPattern is used to check if a rule matches or not. SimpleUrlPattern in fact is site-aware now. It looks for a <sitename> in its constructor and sets the site. From there on it not only checks if the URI matches the pattern, but it also checks if the site name matches. However, it gets the current site name by calling ExtendedAggregationState.getSiteBasedOnDomain(String domain), so it needs a domain name set in the site in order to work. This is probably all right for a system properly set up on a productive server, but not for development and in most environments not for testing / integration either, since domain names are most likely not correct there.

Is there a reason why ExtendedAggregationState.getSite().getName() is not used for it? After all, the multiSite filter is located before the uriSecurity filter in the filter chain and it does a good job determining the site to be used with or without domain names.

I modified the SimpleUrlPattern class in this area and afterwards everything I tested was working fine. Before I create a JIRA issue with the patch I wanted to ask you guys if I am missing something…?

Thanks!
-will

[3] http://documentation.magnolia-cms.com/administration/security/accesscontrollists.html#SiteawareACLs
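The behaviour described in the message above, as an added example that is not part of the original post and is not Magnolia's code: a simplified model of a site-aware ACL pattern, showing that the same rule matches or not depending on how the current site is resolved. The class `SiteAwarePattern`, the domain map and the host names are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Optional;

// Simplified model only; names are hypothetical and not Magnolia's API.
public class SiteAwarePatternDemo {

    /** A rule such as "<mysite>/path/to/*": optional site in angle brackets, then a URI pattern. */
    static final class SiteAwarePattern {
        final String site;      // null when the rule carries no <site> prefix
        final String path;      // URI part of the rule, without a trailing '*'
        final boolean wildcard; // true when the rule ended in '*'

        SiteAwarePattern(String rule) {
            int end = rule.indexOf('>');
            if (rule.startsWith("<") && end > 0) {
                site = rule.substring(1, end);
                rule = rule.substring(end + 1);
            } else {
                site = null;
            }
            wildcard = rule.endsWith("*");
            path = wildcard ? rule.substring(0, rule.length() - 1) : rule;
        }

        /** A site-bound rule matches only if the resolved site is present and equal. */
        boolean matches(String uri, Optional<String> currentSite) {
            boolean siteOk = site == null || currentSite.map(site::equals).orElse(false);
            boolean uriOk = wildcard ? uri.startsWith(path) : uri.equals(path);
            return siteOk && uriOk;
        }
    }

    public static void main(String[] args) {
        // Constructed data: only the production domain is mapped to a site.
        Map<String, String> domainToSite = Map.of("www.example.com", "mysite");
        SiteAwarePattern rule = new SiteAwarePattern("<mysite>/path/to/*");
        String uri = "/path/to/some/page";

        // Site looked up from the request domain: a development host has no
        // mapping, so no site is resolved and the site-bound rule cannot match.
        Optional<String> byDomain = Optional.ofNullable(domainToSite.get("localhost"));
        System.out.println("site from domain:       " + rule.matches(uri, byDomain));

        // Site taken from what an earlier filter already resolved for the request.
        Optional<String> fromChain = Optional.of("mysite");
        System.out.println("site from filter chain: " + rule.matches(uri, fromChain));
    }
}
```

An ACL rule that silently fails to match outside production means access-control behaviour verified in development or integration testing can differ from what is enforced on the live system.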
