[ 
https://issues.apache.org/jira/browse/ROL-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14371246#comment-14371246
 ] 

Kohei Nozaki commented on ROL-2058:
-----------------------------------

The cause of that error is the definition of struts.devMode=true in 
struts.properties 
(http://stackoverflow.com/questions/21018018/unexpected-exception-caught-setting-xxx-on-class-xxx-error-setting-expressio).
 I've never set it to true, so I hadn't noticed that. Is there any bad effect 
from this?

IMHO a 1-hour timeout is good enough because, with this fix, the clock now restarts at every page 
transition. Is there still any problematic situation?

> No salt renewal on POST request
> -------------------------------
>
>                 Key: ROL-2058
>                 URL: https://issues.apache.org/jira/browse/ROL-2058
>             Project: Apache Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 5.1.1
>         Environment: WildFly 8.2.0.Final
>            Reporter: Kohei Nozaki
>            Assignee: David Johnson
>             Fix For: 5.1.2
>
>         Attachments: ROL-2058.patch
>
>
> Roller continues using the previous salt value, which is sent from the client as a POST 
> parameter. This leads to the salt value being fixed in the form element of the HTML, and 
> brings a ServletException("Security Violation") from ValidateSaltFilter in some 
> use cases (e.g. long-term editing over 60 minutes) unexpectedly.
> It seems that the cause is the existence of the 
> org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method. 
> This overwrites the salt with the previous value sent by the client as a POST 
> parameter. It's unnecessary behavior because the new salt value comes through the 
> preceding invocation of UIAction#setRequest(Map).
> Original discussion in the mailing list:
> http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
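The salt round-trip described in the issue above, as an added example that is not Roller's code: Roller's actual UIAction, ValidateSaltFilter and salt storage are not reproduced here, and the SaltCache, Action, handlePost and simulateEditing names, the 1-hour lifetime and the 20-minute save interval are assumptions chosen for illustration. The model shows why a parameter setter that copies the POSTed salt back into the action pins one salt in the form until it expires, while dropping that setter lets each response carry a fresh salt so the lifetime clock restarts at every page transition.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Random;

// Constructed model of a per-response anti-CSRF salt with a fixed lifetime.
// Not Roller's code: class and method names are assumptions for illustration.
public class SaltRoundTrip {
    // Assumed salt lifetime (the issue mentions editing "over 60 minutes").
    static final long LIFETIME_MS = 60L * 60 * 1000;

    // Session-scoped record of issued salts and when each was issued.
    static class SaltCache {
        private final Map<String, Long> issued = new HashMap<>();
        private final Random rng;

        SaltCache(Random rng) { this.rng = rng; }

        // Mint a new salt for the response being rendered. A real
        // implementation would use SecureRandom; a seeded Random keeps
        // this demo deterministic.
        String issue(long now) {
            String salt = Long.toHexString(rng.nextLong());
            issued.put(salt, now);
            return salt;
        }

        // What the validating filter checks: a known salt within its lifetime.
        boolean validate(String salt, long now) {
            Long issuedAt = issued.get(salt);
            return issuedAt != null && now - issuedAt <= LIFETIME_MS;
        }
    }

    // Model of the action whose rendered form carries the salt.
    static class Action {
        String salt;

        // Invoked first on every request: stores a fresh salt for the next form.
        void setRequest(SaltCache cache, long now) { salt = cache.issue(now); }

        // The defect: a parameter setter that the framework populates from the
        // POSTed "salt" field, overwriting the fresh value with the old one.
        void setSalt(String postedSalt) { salt = postedSalt; }
    }

    // One POST round-trip: the filter validates, then the action prepares the
    // next form. Returns the salt embedded in the re-rendered form.
    static String handlePost(SaltCache cache, Action action, String postedSalt,
                             long now, boolean buggySetter) {
        if (!cache.validate(postedSalt, now)) {
            throw new SecurityException("Security Violation");
        }
        action.setRequest(cache, now);
        if (buggySetter) {
            action.setSalt(postedSalt); // parameter binding runs after setRequest
        }
        return action.salt;
    }

    // Simulate an editing session: one GET, then `saves` POSTs spaced
    // `intervalMs` apart, each submitting the salt from the current form.
    // Returns how many saves succeed before the filter rejects one.
    static int simulateEditing(boolean buggySetter, int saves, long intervalMs) {
        SaltCache cache = new SaltCache(new Random(42)); // fixed seed: constructed demo
        Action action = new Action();
        long now = 0;
        action.setRequest(cache, now); // initial GET renders the edit form
        String formSalt = action.salt;
        int ok = 0;
        for (int i = 0; i < saves; i++) {
            now += intervalMs;
            try {
                formSalt = handlePost(cache, action, formSalt, now, buggySetter);
                ok++;
            } catch (SecurityException e) {
                break;
            }
        }
        return ok;
    }

    public static void main(String[] args) {
        long twentyMinutes = 20L * 60 * 1000;
        System.out.println("setter removed: "
                + simulateEditing(false, 10, twentyMinutes) + " saves accepted");
        System.out.println("setter present: "
                + simulateEditing(true, 10, twentyMinutes) + " saves accepted");
    }
}
```

With buggySetter false every accepted save re-renders the form with a salt minted on that response, so a user saving more often than the lifetime is never rejected. With buggySetter true the submitted salt is copied back into the form on each save, the form keeps the salt from the original GET, and the first save after the lifetime has elapsed fails with "Security Violation" even though the user has been active throughout.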
