Details

Type: Bug
Status: RESOLVED
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 19.0
Labels: 12 status:Please Merge, 11 status:Please Merge
Property addition/change required: Yes
Previous Issue Keys: KNL-1590
Test Plan:
Description
Sometimes we need to allow the session id to be specified on a URL using the sakai.session parameter. There is currently a required configuration parameter to allow this:
session.parameter.allow=true
This normally defaults to false, since it might be exploited. Since this is required in certain specific situations, like the POST return from a Content Item selection and in Lessons, we need a finer-grained way to have this on by default but only for certain URIs.
So we add a new configuration option that is a regular expression matching the URIs that always allow sakai.session, with the following default:
session.parameter.allow.bypass=sakai\.basiclti\.admin\.helper\.helper
This is a regex, so you can add more URI matches separated with vertical bars (|), but this default value is enough for ContentItem to work.
You can turn this off completely (and break ContentItem) with this setting:
session.parameter.allow.bypass=none
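The following is an added model of how the two settings interact, written for this page and not taken from the Sakai source. It assumes the bypass regex is applied as a substring search against the request URI and that the literal value `none` disables the bypass rather than being treated as a pattern (otherwise any URI containing the text "none" would match). The URIs and the extra `lessonbuilder\.helper` alternative are constructed for illustration.

```python
import re

# Default from the issue: a regex, with "\." so the dots match literally.
DEFAULT_BYPASS = r"sakai\.basiclti\.admin\.helper\.helper"

# Hypothetical extension showing how further URI matches are appended with "|".
EXTENDED_BYPASS = DEFAULT_BYPASS + r"|lessonbuilder\.helper"


def parse_bool(value):
    """Property values arrive as strings; only a literal 'true' enables the switch."""
    return str(value).strip().lower() == "true"


def session_parameter_allowed(uri, allow="false", bypass=DEFAULT_BYPASS):
    """Decide whether sakai.session may be taken from the URL for this request.

    allow  -> value of session.parameter.allow (global switch, default false)
    bypass -> value of session.parameter.allow.bypass (regex of URIs that
              always accept sakai.session, or 'none' to disable the bypass)

    Assumptions, not taken from the Sakai implementation: the regex is applied
    with a substring search, and 'none' (or an empty value) is special-cased so
    it is never compiled as a pattern.
    """
    if parse_bool(allow):
        # Global switch on: every URI accepts sakai.session.
        return True
    if bypass is None or bypass.strip() in ("", "none"):
        # Bypass disabled: only the global switch could have allowed it.
        return False
    return re.search(bypass, uri) is not None


def check(uri, **settings):
    """Small helper that reports the decision for a constructed request URI."""
    verdict = session_parameter_allowed(uri, **settings)
    return "allowed" if verdict else "rejected"


if __name__ == "__main__":
    # Constructed request paths used to exercise the decision logic.
    helper = "/portal/tool/abc/sakai.basiclti.admin.helper.helper?x=1"
    lessons = "/portal/tool/abc/lessonbuilder.helper"
    other = "/portal/site/abc/tool/def"
    print(check(helper))                               # default bypass matches
    print(check(other))                                # not in bypass, switch off
    print(check(other, allow="true"))                  # global switch wins
    print(check(helper, bypass="none"))                # bypass disabled
    print(check("/portal/tool/none", bypass="none"))   # 'none' is not a pattern
    print(check(lessons, bypass=EXTENDED_BYPASS))      # added alternative
```

Two points worth noting when tuning the regex: an unescaped dot (`sakai.basiclti`) matches any character and so is broader than intended, and a substring search accepts the pattern anywhere in the URI, so anchor it (for example with `^` and `$` around the full path) if a narrower match is wanted.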