Apache Roller / ROL-2100

HTTPS Scheme Enforcement feature removed

Details

    Description

      Roller included a feature to force HTTPS to be used for login pages and HTTP for all other pages. This feature is removed in Roller 5.2.3. The best practice is to run everything on HTTPS, and if you want something different, implement it somewhere else, e.g. a load balancer.

      Original text:

      The two Roller configuration properties mentioned in the summary no longer work in Roller. Apparently they were broken when we upgraded to some newer version of Spring Security.

      The relevant code is in RollerContext.initializeSecurityFeatures().

      As a work-around, one may be able to configure secure login behavior by modifying the Spring Security configuration file (security.xml) directly.

          People

            djohnson David Johnson