roller-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Johnson (JIRA)" <>
Subject [jira] [Updated] (ROL-2100) HTTPS Scheme Enforcement feature removed
Date Sun, 26 May 2019 13:44:00 GMT


David Johnson updated ROL-2100:
    Summary: HTTPS Scheme Enforcement feature removed  (was: Schema Enforcement feature removed)

> HTTPS Scheme Enforcement feature removed
> ----------------------------------------
>                 Key: ROL-2100
>                 URL:
>             Project: Apache Roller
>          Issue Type: Bug
>          Components: Authentication, Roles and Access Controls
>    Affects Versions: 5.1.2
>            Reporter: David Johnson
>            Assignee: David Johnson
>            Priority: Minor
>             Fix For: 5.2.3
> Roller included a feature to force HTTPS to be used for login pages and HTTP for all
other pages. This feature is removed in Roller 5.2.3. The best practice is to run everything
on HTTPS and if you want something different, implement somewhere else, e.g. load balancer.

> Original text:
> The two Roller configuration properties mentioned in the summary no longer work in Roller.
Apparently they were broken when we upgraded to some newer version of Spring Security.  
> The relevant code is in RollerContext. initializeSecurityFeatures().
> As a work-around, one may be able to configure secure login behavior by modifying the
Spring Security configuration file (security.xml) directly.

This message was sent by Atlassian JIRA

View raw message