Magnolia 5.4 reached end of life on November 15, 2018. This branch is no longer supported, see End-of-life policy.
The Enterprise Edition allows you to run multiple sites in a single Magnolia instance. In a multisite scenario, allowing the content of one site to be accessed through the URL of a sibling site hurts search engine optimization (SEO). Web crawlers interpret the sibling content as duplicate content, that is the same content but visible through a different URL. Content should only be accessible through one own domain name for each site.
Magnolia provides two ways to prevent cross-site access:
travel-demo.magnolia-cms.com
, no other URL can be used to access the content. When a user tries to access one site's content through another site's domain name, the system displays a HTTP 404 error (page not found).anonymous
role access to a site then anonymous users will see a login box. They must authenticate themselves in order to gain access to the content through a more permissive role. Use site-specific ACLs if you want to make sibling site content available through the same URL but only for authenticated users such as registered members. A Web crawler such as Googlebot, which is equal to an anonymous user, cannot see the content and will not penalize your SEO efforts for duplicate content.You can use either mechanism alone or both mechanisms together. If you use them together, remember that the cross-site security filter is executed before the URI security filter in the Magnolia filter chain. This means that the cross-site filter must grant a permission to access the site first. Only then will roles and ACLs be evaluated.
The cross-site security filter is executed in the Magnolia filter chain before the URI security filter.
A site name identifies a site. The site name is the name of the site definition node. For example, the name of the travel site is travel
. You need the site name when controlling cross-site access with the filter or with ACLs.
A domain name is mapped to a site in the domains
node under the site definition. For example, the travel
site has the domain travel-demo.magnolia-cms.com
mapped to it. When a user requests the site with this domain name, content is served from the path defined in the handlePrefix
property. You will need the domain name when controlling cross-site access with the filter.
Node name | Value |
---|---|
fallback | |
travel | |
domains | |
travel-demo | |
name | travel-demo.magnolia-cms.com |
mappings |
|
website |
|
URIPrefix |
|
handlePrefix | /travel |
repository | website |
templates |
|
theme |
|
i18n |
|
sportstation | |
domains | |
sportstation | |
name | sportstation.magnolia-cms.com |
mappings |
|
templates |
|
theme |
|
i18n |
|
extends | ../travel |
The cross-site security filter is executed in the Magnolia filter chain before the URI security filter. This means that a user must pass the cross-site filter before any ACLs are evaluated. The cross-site filter grants or denies permission to a site when the site is requested through a particular domain name.
The cross-site security filter is configured using resolvers. Each resolver grants access to one site through one domain. If no resolvers exist the filter does not grant access to any site through any domain.
However, a very permissive allToAll
resolver is enabled by default. It grants the permission to access all sites through all domains. This is the starting point from which you can configure more restricted access.
Node name | Value |
---|---|
server | |
filters | |
... | |
crossSite | |
bypasses | |
dotMagnolia | |
resources |
|
resolvers |
|
allToAll |
|
enabled | true |
fromDomain | .* |
toSite | .* |
class | info.magnolia.multisite.filters.CrossSiteSecurityFilter |
enabled | true |
Properties:
resolvers | required Resolvers configuration. |
| required Resolver name. |
| required Domain name that is used to request a site |
| required Name of the site that is requested. |
| optional Protocol use to request the site such as |
| optional Port number such as |
| optional Context path is the part of the URL where the Magnolia webapp lives. For example in |
| optional Enables and disables the resolver. |
To deny cross-site access, disable the allToAll
resolver and configure new ones.
Example
The example resolvers below grant access to the travel
site via www.travel-demo.magnolia-cms.com
and to the sportstation
site via www.sportstation.magnolia-cms.com
. This is adequate to prevent cross-site access. If a user requests the travel
site via
they will get a 404 error.www.sportstation.magnolia-cms.com
Node name | Value |
---|---|
server | |
filters | |
crossSite | |
bypasses | |
resolvers |
|
allToAll |
|
enabled | false |
fromDomain | .* |
toSite | .* |
travel |
|
enabled | true |
fromDomain | travel-demo.magnolia-cms.com |
toSite | travel |
sportstation |
|
enabled | true |
fromDomain | sportstation.magnolia-cms.com |
toSite | sportstation |
You can test cross-site security by adding these configurations on the public site and requesting content at http://sportstation.magnolia-cms.com:8080/magnoliaPublic/travel.html
or http://travel-demo.magnolia-cms.com:8080/magnoliaPublic/sportstation.html
. The requests should result in 404 errors.
In specific server configurations, it may also be necessary to add an additional resolver for the administrator/editor to be able to access both the administration and public instances.
You can also prevent cross-site access using ACLs. This is the recommended practice if you have authenticated users who should have cross-site access when they are logged in.
The <site name>
parameter makes an ACL rule site specific. You can use the site name in URLs and paths. Enclose the name in angle brackets (< >) at the beginning of the rule. The system applies the ACL when a matching site definition node exists.
Example
This ACL rule prevents cross-site access from the travel
site to the sportstation
site.
cross-site
http://travel-demo.magnolia-cms.com:8080/magnoliaPublic/sportstation.html
the standard login form is displayed.Three filters control site security: