--
Hippo Community Group: The place for all discussions and announcements about Hippo CMS (and HST, repository etc. etc.)
To post to this group, send email to hippo-community@googlegroups.com
RSS: https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
---
You received this message because you are subscribed to the Google Groups "Hippo Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hippo-community+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/hippo-community.
For more options, visit https://groups.google.com/d/optout.
Hi Riaz,

Do you have some bypassing patterns like the following [1]?

    <!-- Channel Manager requests may bypass authentication -->
    <http pattern="/_rp/**" security="none"/>
    <http pattern="/_cmsrest/**" security="none"/>
    <http pattern="/_cmsinternal/**" security="none"/>

What we normally have done is simply to exclude any requests to channel manager preview URLs in Spring Security, because the channel manager already prohibits access from non-CMS-authenticated users.

If you have those bypassing patterns already, one can be suspicious if there's any new request URL pattern from the channel manager in v11. In that case, we'll need to add more patterns there.

Regards,
Woonsan
On Thu, Oct 20, 2016 at 10:09 AM, Riaz Tai <riaz...@gmail.com> wrote:
Hi,

Not sure if this is the correct forum to discuss hst-springsec or the https://forge.onehippo.org site.

Nevertheless, we have been using hst-springsec for authenticating users on our website. The channel manager would also allow users to log into the site and then render the homepage.

Now that we have upgraded to Hippo 11.0.2, the channel manager is throwing an exception after site login when we try to redirect to the homepage. After spending some time debugging, I've identified the cause of the issue.

When we log in to the CMS, there is a new HSTSESSIONID cookie that is created. When we access the site via the Channel Manager, a JSESSIONID cookie is returned. The HttpSession that this JSESSIONID corresponds to has a CmsSessionContext attribute that identifies the CMS user, among other things. When we log in to the site, the Spring Security SessionFixationProtectionStrategy invalidates the existing HttpSession and creates a new one, returning a new JSESSIONID. It copies over the session attributes, but... as the CmsSessionContextImpl receives notification about the HttpSession invalidation, it correctly detaches itself from the HttpSession. So when the session attributes are copied over, the CmsSessionContext can no longer identify the CMS user, and the CmsSecurityValve throws a NullPointerException at line 144 as cmsSessionContext.getRepositoryCredentials() returns null.

Just wondering whether anyone has encountered a similar issue?

Thanks
Riaz
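The invalidate-and-copy sequence Riaz describes above, reduced to a small stand-alone illustration. This is example code written for this page, not code from hst-springsec, HST or the thread's authors. `FakeCmsSessionContext` is a hypothetical stand-in for `CmsSessionContextImpl`; the attribute name `cmsSessionContext` and the credential value are constructed. It assumes the real context detaches by implementing `javax.servlet.http.HttpSessionBindingListener` (Riaz only says it "receives notification" of the invalidation), and it uses spring-test's `MockHttpSession` (4.0.3 or later for `changeSessionId()`), which fires `valueUnbound` on `invalidate()` like a real container. `migrateSession` mirrors what `SessionFixationProtectionStrategy` does: snapshot the attribute references, invalidate, create a new session, copy the snapshot. Because the snapshot holds the same object that was just unbound, the copied context has already dropped its credentials. The second path shows the contrasting Spring Security option, `session-fixation-protection="changeSessionId"` on a Servlet 3.1+ container, which rotates the id without invalidating the session, so nothing is unbound; that it would resolve the reported NullPointerException is an assumption, not something the thread confirms.

```java
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

import org.springframework.mock.web.MockHttpSession;

/**
 * Hypothetical stand-in for HST's CmsSessionContextImpl (not the real class).
 * Assumption: the real object detaches via HttpSessionBindingListener, so
 * valueUnbound() fires when the session holding it is invalidated.
 */
final class FakeCmsSessionContext implements HttpSessionBindingListener {
    static final String ATTR_NAME = "cmsSessionContext";   // constructed attribute name
    private Object repositoryCredentials;

    FakeCmsSessionContext(Object repositoryCredentials) {
        this.repositoryCredentials = repositoryCredentials;
    }

    /** What CmsSecurityValve would read; null once the context has detached. */
    Object getRepositoryCredentials() {
        return repositoryCredentials;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do: the context is attached when it is put in the session.
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Fired by invalidate(): detach, i.e. drop the credentials.
        repositoryCredentials = null;
    }
}

public final class SessionFixationDemo {

    /**
     * Mirrors SessionFixationProtectionStrategy in migrateSession mode: snapshot
     * the attributes, invalidate the old session, create a fresh one and copy the
     * snapshot into it. The snapshot holds the very same object references.
     */
    static HttpSession migrateSession(HttpSession oldSession) {
        Map<String, Object> snapshot = new LinkedHashMap<>();
        for (Enumeration<String> names = oldSession.getAttributeNames(); names.hasMoreElements();) {
            String name = names.nextElement();
            snapshot.put(name, oldSession.getAttribute(name));
        }
        oldSession.invalidate();                  // fires valueUnbound on bound listeners
        HttpSession newSession = new MockHttpSession();
        snapshot.forEach(newSession::setAttribute);
        return newSession;
    }

    /**
     * The alternative Spring Security offers as changeSessionId mode on Servlet
     * 3.1+ containers: the id is rotated, the HttpSession object is kept, and no
     * attribute is ever unbound.
     */
    static HttpSession changeSessionId(MockHttpSession session) {
        session.changeSessionId();
        return session;
    }

    /** Credentials as CmsSecurityValve would see them, or null. */
    static Object credentialsIn(HttpSession session) {
        FakeCmsSessionContext ctx =
                (FakeCmsSessionContext) session.getAttribute(FakeCmsSessionContext.ATTR_NAME);
        return ctx == null ? null : ctx.getRepositoryCredentials();
    }

    public static void main(String[] args) {
        // Path 1: invalidate and copy. The context was unbound before it was copied.
        MockHttpSession a = new MockHttpSession();
        a.setAttribute(FakeCmsSessionContext.ATTR_NAME, new FakeCmsSessionContext("cms-user-credentials"));
        HttpSession migrated = migrateSession(a);
        System.out.println("migrateSession -> credentials: " + credentialsIn(migrated));

        // Path 2: rotate the id only. Same session object, context never unbound.
        MockHttpSession b = new MockHttpSession();
        b.setAttribute(FakeCmsSessionContext.ATTR_NAME, new FakeCmsSessionContext("cms-user-credentials"));
        String idBefore = b.getId();
        HttpSession rotated = changeSessionId(b);
        System.out.println("changeSessionId -> id changed: " + !idBefore.equals(rotated.getId())
                + ", credentials: " + credentialsIn(rotated));
    }
}
```

Run it with javax.servlet-api and spring-test on the classpath. The first line of output is the situation Riaz reports (a copied context with no credentials); the second shows the id rotating while the credentials survive. Whichever mode is used, the bypass patterns Woonsan lists still matter: a request that never enters the Spring Security filter chain never triggers either strategy, which is the case for the channel manager preview URLs when they are excluded with `security="none"`.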