Magnolia 5.7 reached extended end of life on May 31, 2022. Support for this branch is limited, see End-of-life policy. Please note that to cover the extra maintenance effort, this EEoL period is a paid extension in the life of the branch. Customers who opt for the extended maintenance will need a new license key to run future versions of Magnolia 5.7. If you have any questions or to subscribe to the extended maintenance, please get in touch with your local contact at Magnolia.
This page gives an overview about how Magnolia handles security. The page also provides links to sub-pages associated with the security topic.
Overview: JAAS, users, groups, roles and permissions
Magnolia security is based on Java Authentication and Authorization Service (JAAS). JAAS provides a standardized way for:
- Authentication: Reliably and securely determine who is using the system and provide them with means to sign into the application.
- Authorization: Ensure that users have the permissions to do the actions required such as editing pages or creating categories.
The system always checks whether a certain user has the required (set of) permissions to access a certain resource such as a web page, document, template or some other type of data. Permissions such as Access Control Lists (ACLs) are assigned to user roles. The roles can be assigned to groups or directly to the users. Finally, users can be assigned to a group.
For more details please refer also to the following pages:
- Users
- Groups
- Roles and access control lists
- Group and role strategies
- Default roles, groups and users
- Default permissions
Magnolia Security app
Use the Magnolia Security app to administer Users, Groups and Roles with ACLs that Magnolia provides. By default, the app stores the user, group and role data in the users
, usergroups
and userroles
JCR workspaces.
LDAP, CAS
Magnolia also provides connectors to integrate with third-party systems such as LDAP and CAS.
Web access security
Every request sent to Magnolia is checked by the URISecurityFilter. The filter checks whether the role(s) of the requesting user allow(s) the user to request a given path with the given method. Web permissions are granted as web access lists per role. They grant access to a path for Get or Get & Post. GET
method for a given URI.GET
, PUT
, POST
and DELETE
methods for a given URI.
JCR security
Magnolia uses the Jackrabbit reference implementation of the Java Content Repository (JCR) 2.0 standard. ACL checks are performed at the JCR level. This low-level checking has the following benefits:
- Better performance than checking in the application code.
- Repository can be exposed to third-party apps. Access Control Lists (ACLs) still apply.
- Use JCR API directly without the need to wrap objects.
Content security
Since content and templates are usually customized or completely developed by the users of Magnolia, it is the responsibility of the users to ensure that developed content is not exploitable by cross-site scripting, HTML injection or similar attacks. For templates provided with Magnolia, the system tries to ensure that there are no such vulnerabilities.
Freemarker provides various built-in HTML and JavaScript escaping functions which make it easy to ensure that templates do not suffer from the vulnerabilities mentioned above. In case of any concerns regarding the security, Magnolia Support treats all security related issues with the highest possible urgency and will always try to provide its client with a workaround or temporary fix for the issues should there be any.
HTTP requests
HTTP requests can be accessed either with ctx.getRequest()
(in templates) or with info.magnolia.context.WebContext#getRequest
(in code).
To prevent XSS exploits, the following HTTP request content is always escaped:
- Header values
- Cookie values
- Parameters (names and values)
This policy, introduced with Magnolia 5.7.14, may potentially break code functionality or templates that rely on the original unescaped values.
Developers may unescape header values by using:
cmsfn.unescapeXss()
(in templates)info.magnolia.util.EscapeUtil#unescapeXss(java.lang.String)
(in code)
External security
External security is achieved via servlet container features. The strength of the security depends on the container used to run Magnolia. To improve the security, Magnolia recommends that you run the Apache Web Server or another proxy server in front of the application server.