Hi everyone,
My company and I have recently started using xWiki for a project where we need to ensure that information remains secure. We require a public URL for our setup. After evaluating various options, xWiki seemed to be the only platform that could keep attachments and images secure.
Our setup involves Docker, with NPM serving as a reverse proxy (including the CrowdSec agent and handler). We are using Keycloak as our authentication provider to enforce 2FA.
Everything appears to be functioning correctly, but we’ve encountered an issue with attachment security. For instance, when an image is added, it remains publicly accessible if the revision is included in the URL. Here’s what we’ve observed:
- Accessing the URL without a revision, such as: https://my.url.com/bin/download/Test/Test%20Image%20Page/WebHome/testimage.jpg directs users to the login screen, as expected. This behavior is consistent across different browsers, private browsing sessions, various computers, and IP addresses.
- However, including a revision in the URL, like so: https://my.url.com/bin/download/Test/Test%20Image%20Page/WebHome/testimage.jpg?rev=1.1 allows access without requiring authorization. This access persists for approximately 30 minutes before redirecting to the login screen.
We’re unsure if this is a bug or if there’s a setting we might have missed to prevent this behavior. It seems related to the SSO session timeout in Keycloak, which is set to 30 minutes. However, if an image is uploaded and accessed from a private browser window or a different computer, there should be no active SSO session.
We would greatly appreciate any insights or guidance on this issue (because I’m lost). Thank you in advance for your help!
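The quickest way to pin down what the poster describes is to reproduce it from a client that carries no session at all and to record, for the URL with and without `?rev=`, the status code, any redirect target, the content type and any cache-related response headers. The following probe is an added example and not part of the original post or of XWiki; the host name, page path, attachment name and revision are copied from the post as assumptions, and the `sample_fetcher` responses are constructed so the script can be exercised offline.

```python
"""Compare an XWiki attachment download URL with and without ``?rev=``
as seen by an unauthenticated client (no cookies, no Authorization header).

Added example; not code from the original post or from XWiki.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed values taken from the post; replace with your own installation's.
BASE_URL = "https://my.url.com/bin/download/Test/Test%20Image%20Page/WebHome/testimage.jpg"
REVISION = "1.1"

# A fetcher returns (status, headers). It is injectable so the comparison
# logic can be run against a fake without any network access.
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class ProbeResult:
    url: str
    status: int
    location: Optional[str]        # redirect target, if the server redirected
    content_type: Optional[str]
    cache_headers: Dict[str, str]  # cache-control / age / expires / x-cache, if present


def fetch_no_auth(url: str) -> Tuple[int, Dict[str, str]]:
    """GET the URL with no cookies or credentials and without following
    redirects, so a 302 to the login page is reported as a 302."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # tell urllib not to follow; it raises HTTPError(3xx)

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "rev-probe/1"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)  # 3xx/4xx/5xx are still informative


def with_rev(url: str, rev: str) -> str:
    """Append rev=<rev> to the query string, keeping the existing path encoding."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append(("rev", rev))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def probe(url: str, fetcher: Fetcher = fetch_no_auth) -> ProbeResult:
    status, headers = fetcher(url)
    h = {k.lower(): v for k, v in headers.items()}
    cache = {k: h[k] for k in ("cache-control", "age", "expires", "x-cache") if k in h}
    return ProbeResult(url, status, h.get("location"), h.get("content-type"), cache)


def served_unauthenticated(r: ProbeResult) -> bool:
    """A 200 whose body is not an HTML page (i.e. not a login form)."""
    return r.status == 200 and not (r.content_type or "").lower().startswith("text/html")


def compare(base_url: str, rev: str, fetcher: Fetcher = fetch_no_auth) -> dict:
    plain = probe(base_url, fetcher)
    revd = probe(with_rev(base_url, rev), fetcher)
    return {
        "plain": plain,
        "rev": revd,
        "plain_served_unauthenticated": served_unauthenticated(plain),
        "rev_served_unauthenticated": served_unauthenticated(revd),
        "differs": served_unauthenticated(plain) != served_unauthenticated(revd),
    }


def sample_fetcher(url: str) -> Tuple[int, Dict[str, str]]:
    """Constructed offline stand-in that mimics the behaviour reported in the
    post: the plain URL redirects to a login page, the ?rev= URL serves the
    image. These responses are made up for demonstration."""
    if "rev=" in url:
        return 200, {"Content-Type": "image/jpeg",
                     "Cache-Control": "max-age=1800", "Age": "12"}
    return 302, {"Location": "https://my.url.com/login", "Content-Type": "text/html"}


if __name__ == "__main__":
    result = compare(BASE_URL, REVISION)  # real probe against the configured host
    for key in ("plain", "rev"):
        r = result[key]
        print(f"{key:5} {r.status} {r.url}")
        print(f"      location={r.location} type={r.content_type} cache={r.cache_headers}")
    print("differs:", result["differs"])
```

Run it from a machine or container that has never logged in to the wiki, then run it again at intervals across the 30-minute window the post mentions; a change in the `rev` result over time, or `Age`/`Cache-Control` headers on the served response, tells you whether the answer is coming from the application itself or from something in front of it.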