...
[11:41:36 CDT(-0500)] <TonyUnicon1> alright
[11:41:37 CDT(-0500)] <pspaude> I'm getting spring security stuff too with it so I think you are right
[11:41:42 CDT(-0500)] <pspaude> cool
[11:41:50 CDT(-0500)] <dmccallum54> running without the protection sucks
[11:42:05 CDT(-0500)] <dmccallum54> but if we turn it on there's a race condition that blows up 1st time logins
[11:43:49 CDT(-0500)] <pspaude> If its only first time document it and let the users deal with it.
[11:43:57 CDT(-0500)] <dmccallum54> https://issues.jasig.org/browse/SSP-357
[11:44:08 CDT(-0500)] <pspaude> IE: The first time is just to get SSP ready for your login. Refresh and re-login again to complete SSP login functinality.
[11:45:14 CDT(-0500)] <dmccallum54> as log as uP is handling auth for us, we should be OK without fixation protection… and oauth doesn't use sessions
[11:45:52 CDT(-0500)] <dmccallum54> if we ever do have to run in true standalone mode we'll need to revisit the issue
[11:46:29 CDT(-0500)] <dmccallum54> we really shouldn't need sessions at all, tho. it's just b/c of uportal that they get involved at all
[11:46:33 CDT(-0500)] <dmccallum54> but anyway
[11:46:36 CDT(-0500)] <dmccallum54> horse. beaten.
[11:56:46 CDT(-0500)] <js70> not enough.
[11:57:07 CDT(-0500)] <dmccallum54> i think js70 is coming around to my … perspective… on ssp+uP
[11:57:37 CDT(-0500)] <js70> :^)