[
https://issues.apache.org/jira/browse/OFBIZ-11643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-11643:
------------------------------------
Description:
When doing OFBIZ-6849 I forgot to take care of the https attribute of the security element used in controllers.
It's not used anymore since we used HTTPS everywhere but in request listed in http.request-map.list property of url.properties. It's even enforced by HSTS for requests that are not listed in this property.
So I'll remove the https attribute and remove its usage in in controllers.
This is part of handling a security issue, so will be backported in supported branches when needed.
was:
When doing OFBIZ-6849 I forgot to take care of the https attribute of the security element used in controllers.
It's not used anymore since we used HTTPS everywhere but in request listed in http.request-map.list property of url.properties. It's even enforced by HSTS for requests that are not listed in this property.
So I'll remove the https attribute and remove its usage in in controllers.
> CLONE - Use only HTTPS in OFBiz
> -------------------------------
>
> Key: OFBIZ-11643
> URL:
https://issues.apache.org/jira/browse/OFBIZ-11643> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> When doing OFBIZ-6849 I forgot to take care of the https attribute of the security element used in controllers.
> It's not used anymore since we used HTTPS everywhere but in request listed in http.request-map.list property of url.properties. It's even enforced by HSTS for requests that are not listed in this property.
> So I'll remove the https attribute and remove its usage in in controllers.
> This is part of handling a security issue, so will be backported in supported branches when needed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
