Bug 867507
Summary: | required to enter credentials twice | ||
---|---|---|---|
Product: | [Community] PressGang CCMS | Reporter: | Eric Johnson <ejohnson> |
Component: | Login-service | Assignee: | pressgang-ccms-dev |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 1.0 | CC: | lnewson, pkennedy |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Mac OS | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-07-01 23:53:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Eric Johnson
2012-10-17 15:52:15 UTC
I've had a look into this and haven't been able to fix it properly at this stage. The cause is that two sessions are used between HTTPS and HTTP. Seam does allow sharing the data between the two sessions on the server, however from what I've been able to find this only happens if the session already exists and if the session has to be created then it doesn't work. That is the reason that the second login will work as the first time the session doesn't exist for the HTTP scheme and when you login it creates it, but doesn't contain the information the Identity information and assumes you aren't logged in and redirects you back to the login page. When logging in the second time the Identity is shared to the session and therefore lets you continue to view the unsecured content. As such I've found two ways to get around this. The first is to make all pages use the HTTPS protocol and the second is to trick seam to create the session when creating the HTTPS session (see: http://www.seamframework.org/Documentation/HttpHttpsSessionLostOnLogout). The second I haven't tested, as I believe the first is the better option anyways. I'll bring it up at our team meeting on Monday and see what is preferred. The outcome from our meeting today is to use HTTPS for the entire application. Fixed in build 20121111-0821. The fix is now live as of 9.30pm +10GMT. |