Cross-site security

DX Core allows you to run multiple sites in a single Magnolia instance. In a multisite scenario, allowing the content of one site to be accessed through the URL of a sibling site hurts search engine optimization (SEO). Web crawlers interpret the sibling content as duplicate content, that is the same content but visible through a different URL. Content should only be accessible through one own domain name for each site.

Magnolia provides two ways to prevent cross-site access:

  • Cross-site security filter grants and denies the permission to access a site through a particular domain name. For example, if you only grant access to the travel site through travel-demo.magnolia-cms.com, no other URL can be used to access the content. When a user tries to access one site’s content through another site’s domain name, the system displays an HTTP 404 error (page not found).

  • Site-specific ACL grants or denies the permission to access a site to a particular role. For example, if you deny the anonymous role access to a site then anonymous users will see a login box. They must authenticate themselves in order to gain access to the content through a more permissive role. Use site-specific ACLs if you want to make sibling site content available through the same URL but only for authenticated users such as registered members. A Web crawler such as Googlebot, which is equal to an anonymous user, cannot see the content and will not penalize your SEO efforts for duplicate content.

You can use either mechanism alone or both mechanisms together. If you use them together, remember that the cross-site security filter is executed before the URI security filter in the Magnolia filter chain. This means that the cross-site filter must grant permission to access the site first. Only then will roles and ACLs be evaluated.

The cross-site security filter is executed in the Magnolia filter chain before the URI security filter.

Site names and domain names

A site name identifies a site. The site name is the name of the site definition node. For example, the name of the travel site is travel. You need the site name when controlling cross-site access with the filter or with ACLs.

A domain name is mapped to a site in the domains node under the site definition. For example, the travel site has the domain travel-demo.magnolia-cms.com mapped to it. When a user requests the site with this domain name, content is served from the path defined in the handlePrefix property. You will need the domain name when controlling cross-site access with the filter.

Site definition in the domain node

Cross-site security filter

The cross-site security filter is executed in the Magnolia filter chain before the URI security filter. This means that a user must pass the cross-site filter before any ACLs are evaluated. The cross-site filter grants or denies permission to a site when the site is requested through a particular domain name.

The cross-site security filter is configured using resolvers. Each resolver grants access to one site through one domain. If no resolvers exist the filter does not grant access to any site through any domain.

However, a very permissive allToAll resolver is enabled by default. It grants permission to access all sites through all domains. This is the starting point from which you can configure more restricted access.

allToAll resolver is enabled

Property Description

resolvers

required

Resolvers configuration.

     allToall

required

Resolver name.

         fromDomain

required

Domain name that is used to request a site

         toSite

required

Name of the site that is requested.

         protocol

optional

Protocol used to request the site such as http.

         port

optional

Port number such as 8080.

         context

optional

Context path is the part of the URL where the Magnolia webapp lives. For example in http://domain.com/magnoliaPublic the context path is /magnoliaPublic.

         enabled

optional

Enables and disables the resolver.

To deny cross-site access, disable the allToAll resolver and configure new ones.

Example

The example resolvers below grant access to the travel site via https://travel-demo.magnolia-cms.com/ and to the sportstation site via https://sportstation.magnolia-cms.com/. This is adequate to prevent cross-site access. If a user requests the travel site via https://sportstation.magnolia-cms.com/ they will get a 404 error.

Cross-site access configuration

You can test cross-site security by adding these configurations on the public site and requesting content at https://sportstation.magnolia-cms.com/travel.html or https://travel-demo.magnolia-cms.com/sportstation. The requests should result in 404 errors.

In specific server configurations, it may also be necessary to add an additional resolver for the administrator/editor to be able to access both the administration and public instances.

Site-specific ACLs

You can also prevent cross-site access using ACLs. This is the recommended practice if you have authenticated users who should have cross-site access when they are logged in.

When whitelisting for multisite, you need to allow both grant and siteGrant rules in SiteUriSecurityFilter.

The <site name> parameter makes an ACL rule site specific. You can use the site name in URLs and paths. Enclose the name in angle brackets (< >) at the beginning of the rule. The system applies the ACL when a matching site definition node exists.

Example scenario

The ACL rule here prevents cross-site access from the sportstation site to the travel site.

  1. On the public instance, create a new role, for example cross-site.

  2. Assign the Web access Deny: <travel>* rule to the cross-site role.

  3. Assign the cross-site role to the anonymous system user.

  4. Now, while anonymous requests can fetch content from https://sportstation.magnolia-cms.com, the standard login form is displayed for requests for https://sportstation.magnolia-cms.com/travel.

Filters that control site security

Three filters control site security:

  • Multisite filter (info.magnolia.multisite.filters.MultiSiteFilter) initializes multidomain support and makes domain related properties available in the aggregation state. This filter finds a domain name that matches a name configured in a site definition.

  • Cross-site security filter (info.magnolia.multisite.filters.CrossSiteSecurityFilter) handles cross-site security. It controls site access based on registered resolvers. This filter imports info.magnolia.multisite.CrossSiteAccessResolver, which makes a number of properties available in the filter configuration.

  • Site URI security filter (info.magnolia.multisite.filters.SiteUriSecurityFilter) provides site-aware URI security. This filter extends the Community Edition URI security filter, which checks if the current user has permissions to the requested resource. The following permissions are taken into consideration:

    • URI ACLs of the user’s roles.

    • URI ACLs of the roles in the user group.

Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules