https SchemeEnforcementFilter and spring security
-------------------------------------------------
Key: ROL-1777
URL: https://issues.apache.org/roller/browse/ROL-1777
Project: Roller
Issue Type: Bug
Components: Configuration & Settings
Affects Versions: 4.1
Environment: fedora
Reporter: Greg Huber
Assignee: Roller Unassigned
Priority: Minor
I have noticed that when configured with https (SchemeEnforcementFilter) the login page does
not seem to work correctly. It always wants to back to the login page when https is enabled.
It seems to set alwas the security to Granted Authorities: ROLE_ANONYMOUS rather than the
correct value.
I found this entry which seems to address this issue:
http://jira.springframework.org/browse/SEC-767
ie in the security.xml this line:
<http auto-config="false" lowercase-comparisons="true" access-decision-manager-ref="accessDecisionManager">
needs to be:
<http auto-config="false" lowercase-comparisons="true" access-decision-manager-ref="accessDecisionManager"
session-fixation-protection="none">
Cheers Greg
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
|