Magnolia 6.1 reached end of life on March 31, 2021. This branch is no longer supported, see End-of-life policy.
This page gives an overview about how Magnolia handles security.
Magnolia security is based on Java Authentication and Authorization Service (JAAS). JAAS provides a standardized way for:
The system always checks whether a certain user has the required (set of) permissions to access a certain resource such as a web page, document, template or some other type of data. Permissions such as Access Control Lists (ACLs) are assigned to user roles. The roles can be assigned to groups or directly to the users. Finally, users can be assigned to a group.
For more details please refer also to the following pages:
Use the Magnolia Security app to administer Users, Groups and Roles with ACLs that Magnolia provides. By default, the app stores the user, group and role data in the
userroles JCR workspaces.
Magnolia also provides connectors to integrate with third-party systems such as LDAP and CAS.
Every request sent to Magnolia is checked by the URISecurityFilter. The filter checks whether the role(s) of the requesting user allow(s) the user to request a given path with the given method. Web permissions are granted as web access lists per role. They grant access to a path for Get or Get & Post.
GET method for a given URI.
DELETE methods for a given URI.
Every request sent to Magnolia is checked by the URISecurityFilter. The filter checks whether the role(s) of the requesting user allow(s) the user to request a given path with the given method.
Web permissions are granted as web access lists per role. They grant access to a path for Get or Get & Post.
Magnolia uses the Jackrabbit reference implementation of the Java Content Repository (JCR) 2.0 standard. ACL checks are performed at the JCR level. This low-level checking has the following benefits:
Since content and templates are usually customized or completely developed by the users of Magnolia, it is the responsibility of the users to ensure that developed content is not exploitable by cross-site scripting, HTML injection or similar attacks. For templates provided with Magnolia, the system tries to ensure that there are no such vulnerabilities.
External security is achieved via servlet container features. The strength of the security depends on the container used to run Magnolia. To improve the security, Magnolia recommends that you run the Apache Web Server or another proxy server in front of the application server.