You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@roller.apache.org by "Greg Huber (JIRA)" <ji...@apache.org> on 2009/01/15 15:31:13 UTC

[jira] Created: (ROL-1777) https SchemeEnforcementFilter and spring security

https SchemeEnforcementFilter and spring security
-------------------------------------------------

                 Key: ROL-1777
                 URL: https://issues.apache.org/roller/browse/ROL-1777
             Project: Roller
          Issue Type: Bug
          Components: Configuration & Settings
    Affects Versions: 4.1
         Environment: fedora
            Reporter: Greg Huber
            Assignee: Roller Unassigned
            Priority: Minor


I have noticed that when configured with https (SchemeEnforcementFilter) the login page does not seem to work correctly.  It always wants to back to the login page when https is enabled.  It seems to set alwas the security to Granted Authorities: ROLE_ANONYMOUS rather than the correct value.

I found this entry which seems to address this issue:

http://jira.springframework.org/browse/SEC-767

ie in the security.xml this line:
<http auto-config="false" lowercase-comparisons="true" access-decision-manager-ref="accessDecisionManager">

needs to be:
<http auto-config="false" lowercase-comparisons="true" access-decision-manager-ref="accessDecisionManager" session-fixation-protection="none">

Cheers Greg

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.