Since Hybris 6.6.0.3 we encounter troubles with the backoffice application. When opening the backoffice at "https://localhost:9002/backoffice" Spring Security sends a redirect to "https://localhost:9002/backoffice/login.zul". If cookies were not detected, the session id is appended using Spring MVC matrix variables, e.g.: "https://localhost:9002/backoffice/login.zul;jsessionid=CE6AC0708F276131587063F703587B3A".
Since Spring Security/MVC 4.2.4, the use of matrix variables is prohibited by default, see: https://docs.spring.io/spring-security/site/docs/4.2.4.RELEASE/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html
Therefore, any URL that uses the matrix variables does not work with the backoffice application anymore.
We strongly need a fix that replaces the StrictHttpFirewall with the DefaultHttpFirewall implementation that was used before, as one of our customers does not allow cookies and, therefore, is not able to use the backoffice anymore.
Is SAP working on a fix for that?
Thx, Bechte
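As an added illustration (not code from the original post, nor from SAP or the Hybris backoffice), this is the narrower configuration a Spring Security 4.2.4+ application can use instead of dropping back to DefaultHttpFirewall: keep StrictHttpFirewall and relax only its semicolon check so the `;jsessionid=...` URLs pass, while the remaining request checks stay in force. It assumes a Java-config WebSecurityConfigurerAdapter; the class and bean names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
@EnableWebSecurity
public class BackofficeSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    // Keep StrictHttpFirewall: encoded slashes, backslashes, encoded percent signs,
    // non-printable characters and unexpected HTTP methods are still rejected.
    // Only the ';' needed by URL-rewritten session ids is permitted, which is a
    // smaller relaxation than replacing the whole firewall with DefaultHttpFirewall.
    @Bean
    public HttpFirewall sessionIdTolerantFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true); // lets "/login.zul;jsessionid=..." through
        return firewall;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Register the firewall on the FilterChainProxy that fronts the backoffice.
        web.httpFirewall(sessionIdTolerantFirewall());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login.zul").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login.zul");
    }
}
```

With this in place a request to `/backoffice/login.zul;jsessionid=...` is no longer rejected by the firewall, while a request such as one containing `%2F` or a backslash in the path is still refused as before.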