Page tree
Skip to end of metadata
Go to start of metadata

Your Rating: Results: 1 Star2 Star3 Star4 Star5 Star 145 rates


Draft for 5.2

Collection of security related issues and improvements


We have several security related issues or things we should improve:

ACLs dialog

  • show all permissions (no drop down) to give an overview
  • aggregated permissions per user are already visible as of Magnolia 4.5 see MAGNOLIA-3938@jira for details

Delete permission: MAGNOLIA-2674@jira

  • what permission do you need

RegEx support

  • even if the back-end uses regular expressions one can only provide partial regular expressions (for instance /$)

Nodetype support

  • one of the most annoying thing is that the current ACLs cannot distinguish between paragraphs and sub pages
  • one would like to give edit permission to a page but not to the subpages

Custom AccessManager

Clean ACL resolution

  • a clean concept is needed how the actual permission is determined
  • ACL entries overloading (if multiple ACLs apply, multiple roles)

Easy site support

  • give edit permission to a single site
  • currently one has to fall back on the ugly /$ hack


  • needs to be refactored and broken down in subchain (or set of voters) for operations all handled inside of original filter currently
    • http method check
    • IP check
    • URI ACL check


  1. In addition to path-based permissions, we also need other types of permissions:

    • actions : the user can (or can not) use this or that action (which can be arbitrary - a webservice, a command, viewing an admin page, ... - such components could "register" themselves as "permissible")
    • dynamic paths : typical usecase: a permission for /foo/bar/${userid}
  2. Please look into Apache Shiro (fka jsecurity) to avoid reinventing wheels, and perhaps getting a few goodies for "free" ("remember me" features and other stuff)

  3. Feedback from community that is definitively interesting in regard of security and should be taken in consideration although not related to ACLs