[
https://issues.apache.org/jira/browse/OFBIZ-11643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17098845#comment-17098845 ]
ASF subversion and git services commented on OFBIZ-11643:
---------------------------------------------------------
Commit a8c5c84cec1b1204d4aeb65eed68505f402410ef in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[
https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a8c5c84 ]
Fixed: CLONE - Use only HTTPS in OFBiz
(OFBIZ-11643)
When doing OFBIZ-6849 I forgot to take care of the https attribute of the
security element used in controllers.
It's not used anymore since we used HTTPS everywhere but in request listed in
http.request-map.list property of url.properties. It's even enforced by HSTS for
requests that are not listed in this property.
This removes the https attribute and removes its usage in in controllers.
> CLONE - Use only HTTPS in OFBiz
> -------------------------------
>
> Key: OFBIZ-11643
> URL:
https://issues.apache.org/jira/browse/OFBIZ-11643> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> When doing OFBIZ-6849 I forgot to take care of the https attribute of the security element used in controllers.
> It's not used anymore since we used HTTPS everywhere but in request listed in http.request-map.list property of url.properties. It's even enforced by HSTS for requests that are not listed in this property.
> So I'll remove the https attribute and remove its usage in in controllers.
> This is part of handling a security issue, so will be backported in supported branches when needed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
