如何配置JBoss 4.0.*来使会话cookie HttpOnly安全吗? [英] How to configure JBoss 4.0.* to make session cookie HttpOnly and secure?
问题描述
我尝试过
< Context cookies="true" crossContext="true">
< SessionCookie secure="true" httpOnly="true" />
在context.xml中,但在jboss4.0中无法识别
in context.xml but it is not recognising in jboss4.0
String sessionid = req.getSession().getId();
resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";Path="+req.getContextPath()+"; Secure; Domain="+req.getServerName()+"; HttpOnly");
对于第二个请求,它不允许获取会话的会话验证对象,因此显示会话过期页面
for 2nd request it not allowing to get session validation object for session so it is showing session expired page
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {
final HttpServletResponse response = (HttpServletResponse) res;
final HttpServletRequest request = (HttpServletRequest) req;
System.out.println(response.containsHeader("SET-COOKIE"));
if (response.containsHeader("Set-Cookie")) { // *******
response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()
+ "; HttpOnly" + (request.isSecure()?SECURE_FLAG : ""));
}
filterChain.doFilter(req, res);
}
如果我使用上述过滤器,则response.containsHeader("SET-COOKIE")或response.containsHeader("Set-Cookie")始终返回false
IF I use above filter response.containsHeader("SET-COOKIE") or response.containsHeader("Set-Cookie") is always return false
任何人都可以给我解决方案,将jboss 4.0 Jsessionid标志配置为安全且只有httponly
can any one give me solution for jboss 4.0 Jsessionid flag configuration as secure and httponly
推荐答案
在 server/default/deploy/jboss-web.deployer/conf/web.xml
下code> org.jboss.web.tomcat.filters.ReplyHeaderFilter 并在初始化期间添加设置的cookie参数,即
Under server/default/deploy/jboss-web.deployer/conf/web.xml
look for a filter that calls the org.jboss.web.tomcat.filters.ReplyHeaderFilter
and add the set cookie params during initialization i.e
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0;</param-value>
</init-param>
<init-param>
<param-name>Set-Cookie</param-name>
<param-value>Secure; HttpOnly</param-value>
</init-param>
这篇关于如何配置JBoss 4.0.*来使会话cookie HttpOnly安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!