The Enterprise Edition allows you to run multiple sites in a single Magnolia instance. In a multisite scenario, allowing the content of one site to be accessed through the URL of a sibling site hurts search engine optimization (SEO). Web crawlers interpret the sibling content as duplicate content, that is the same content but visible through a different URL. Content should only be accessible through one own domain name for each site.
Magnolia provides two ways to prevent cross-site access:
- Cross-site security filter grants and denies the permission to access a site through a particular domain name. For example, if you only grant access to the demo-project site through
www.demo-project.com, no other URL can be used to access the content. When a user tries to access one site's content through another site's domain name, the system displays a HTTP 404 error (page not found).
- Site-specific ACL grants or denies the permission to access a site to a particular role. For example, if you deny the
anonymousrole access to a site then anonymous users will see a login box. They must authenticate themselves in order to gain access to the content through a more permissive role. Use site-specific ACLs if you want to make sibling site content available through the same URL but only for authenticated users such as registered members. A Web crawler such as Googlebot, which is equal to an anonymous user, cannot see the content and will not penalize your SEO efforts for duplicate content.
crossSitefilter is executed before the
uriSecurityfilter in the Magnolia filter chain. This means that the cross-site filter must grant a permission to access the site first. Only then will roles and ACLs be evaluated.
Site names and domain names
A site name identifies a site. The site name is the name of the site definition node. For example, the name of the demo-project site is
demo-project. You need the site name when controlling cross-site access with the filter or with ACLs.
A domain name is mapped to a site in the
domains node under the site definition. For example, the
demo-project site has the domain
www.demo-project.com mapped to it. When a user requests the site with this domain name, content is served from the path defined in the
handlePrefix property. You will need the domain name when controlling cross-site access with the filter.
Cross-site security filter
The cross-site security filter is executed in the Magnolia filter chain before the URI security filter. This means that a user must pass the cross-site filter before any ACLs are evaluated. The cross-site filter grants or denies permission to a site when the site is requested through a particular domain name.
The cross-site security filter is configured using resolvers. Each resolver grants access to one site through one domain. If no resolvers exist the filter does not grant access to any site through any domain.
However, a very permissive
allToAll filter is enabled by default. It grants the permission to access all sites through all domains. This is the starting point from which you can configure more restricted access.
To deny cross-site access, disable the
allToAll filter and configure a new resolver. The example resolvers below grant access to the
demo-project site via
www.demo-project.com and to the
demo-features site via
www.demo-features.com. This is adequate to prevent cross-site access. If a user requests the
demo-project site via
www.demo-features.com they will get a 404 error.
fromDomain: the domain name that is used to request a site.
toSite: the name of the site that is requested.
protocol(optional): the protocol use to request the site such as
port(optional): port number such as
context(optional): Context path is the part of the URL where the Magnolia webapp lives. For example in
All properties support regular expressions.
You can test cross-site security by adding these configurations on the public site and requesting content at
You can prevent cross-site access also using ACLs. This is the recommended practice if you have authenticated users who should have cross-site access when they are logged in.
<site name> parameter makes an ACL rule site specific. You can use the site name in URLs and paths. Enclose the name in angle brackets (< >) at the beginning of the rule. The system applies the ACL when a matching site definition node exists.
This ACL rule prevents cross-site access from the
demo-project site to the
- On the public instance, create a new role, for example
- Assign the following ACL to the role.
- Now when the anonymous requests content at
Filters that control site security
Three filters control site security:
- Multisite filter (code: MultiSiteFilter) initializes multidomain support and makes domain related properties available in the aggregation state. This filter finds a domain name that matches a name configured in a site definition.
- Cross site security filter (code: CrossSiteSecruityFilter) handles cross-site security. It controls site access based on registered resolvers. This filter imports a CrossSiteAccessResolver that makes a number of properties available in the filter configuration.
- Site URI security filter (code: SiteUriSecurityFilter) provides site-aware URI security. This filter extends the Community Edition URI security filter that checks if the current user has permissions to the requested resource. The following permissions are taken into consideration:
- URI ACLs of the user's roles.
- URI ACLs of the roles in the user's groups.