Hi Team, here are our SSL configuration options in roller.properties:
# Enables HTTPS for login page only
securelogin.enabled=false
# Enable scheme enforcement?
# Scheme enforcement ensures that specific URLs are viewed only via HTTPS
schemeenforcement.enabled=false
# URL patterns that require HTTPS
schemeenforcement.https.urls=/roller_j_security_check,\
/roller-ui/login-redirect.jsp,\
/roller-ui/login.rol,\
/roller-ui/register.rol,/roller-ui/register!save.rol,\
/roller-ui/profile.rol,/roller-ui/profile!save.rol,\
/roller-ui/admin/userAdmin.rol,\
/roller-ui/admin/createUser.rol,/roller-ui/admin/createUser!save.rol,\
/roller-ui/authoring/userdata,\
/roller-ui/authoring/membersInvite.rol,/roller-ui/authoring/membersInvite!save.rol
I'm not sure if we need "securelogin.enabled". So long as
schemeenforcement.enabled is set to true and the login URLs are listed
in schemeenforcement.https.urls, that should be all that is needed to
enforce SSL on the login page. If it were the case someone wanted
*only* the login pages to be under SSL (strange because the registration
page also usually stores the password so that should also be encrypted),
that can be done by removing the other pages from
schemeenforcement.https.urls.
These values are being used only in classes SchemeEnforcementFilter and
RollerContext. The former requires *both* properties to be set before
it does anything--a bug probably, but one that strongly suggests there's
no reason to have both values. RollerContext, OTOH, will force https on
the login page only if securelogin.enabled is set. I think we can
equivalently change RollerContext to force https if
"schemeenforcement.enabled" is true (potentially whether or not the
login URL is listed in schemeenforcement.https.urls), allowing us to
remove securelogin.enabled.
Unsure here, but should we remove the redundancy by dropping
securelogin.enabled and possibly also rename schemeenforcement.enabled
and schemeenforcement.https.urls to something that more clearly
specifies what it's for: https.enabled and https.urls or
transportencryption.enabled and transportencryption.urls or?
Regards,
Glen
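To make the semantics under discussion concrete, here is an added Python example (not Roller's own SchemeEnforcementFilter, which is Java): it reads a constructed roller.properties fragment with the same backslash continuations, then decides from schemeenforcement.enabled and schemeenforcement.https.urls alone whether a request to a listed path must be redirected to HTTPS. The property names come from the mail above; the sample values, host and helper names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the roller.properties fragment in the mail (not the real file).
ROLLER_PROPERTIES = """\
# Scheme enforcement ensures that specific URLs are viewed only via HTTPS
schemeenforcement.enabled=true
securelogin.enabled=false
# URL patterns that require HTTPS
schemeenforcement.https.urls=/roller_j_security_check,\\
/roller-ui/login-redirect.jsp,\\
/roller-ui/login.rol,\\
/roller-ui/register.rol,/roller-ui/register!save.rol
"""


def load_properties(text):
    """Minimal java.util.Properties-style reader: '#' comments and trailing-backslash continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):          # continuation: join with the next line
            logical += line[:-1]
            continue
        logical += line
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props


def https_required_urls(props):
    """The comma-separated schemeenforcement.https.urls list as clean path strings."""
    raw = props.get("schemeenforcement.https.urls", "")
    return [u.strip() for u in raw.split(",") if u.strip()]


def redirect_target(props, request_url):
    """Return the https:// URL the filter should redirect to, or None if the request may proceed.

    Only schemeenforcement.enabled gates enforcement here (the single-flag behaviour proposed
    in the mail); an already-HTTPS request or an unlisted path is left alone."""
    if props.get("schemeenforcement.enabled", "false").lower() != "true":
        return None
    parts = urlsplit(request_url)
    if parts.scheme == "https" or parts.path not in https_required_urls(props):
        return None
    return parts._replace(scheme="https").geturl()
```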