JBoss 5: Use secure and httpOnly cookies and hide jsessionid from url


Problem description


I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I change context.xml file adding:

<Context cookies="true" crossContext="true" >
   <SessionCookie secure="true" httpOnly="true" />
   ....


But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested on RedHat's website (https://access.redhat.com/solutions/16169):

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // Non-HTTP requests are passed through untouched.
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots).
        // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            // getRequestURL() does not include the ;jsessionid path parameter or the query string,
            // so re-append the query string before redirecting.
            String url = request.getRequestURL()
                    .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                    .toString();
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links: every encode*URL variant
        // (including the deprecated encodeUrl/encodeRedirectUrl) returns the URL unchanged.
        HttpServletResponseWrapper wrappedResponse =
                new HttpServletResponseWrapper(response) {
                    @Override
                    public String encodeRedirectUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeRedirectURL(String url) {
                        return url;
                    }

                    @Override
                    public String encodeUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeURL(String url) {
                        return url;
                    }
                };
        chain.doFilter(req, wrappedResponse);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}


But now I cannot login, I get an exception: javax.faces.application.ViewExpiredException

What am I missing? Please help.

Recommended answer


In order to use secure=true, a certificate needs to be installed so the requests go through https.
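As an added example (not part of the question or the answer above), the following Python check covers the three properties this page is juggling: the JSESSIONID Set-Cookie carries Secure and HttpOnly, rendered links no longer carry ;jsessionid=, and, per RFC 6265, a browser never sends a Secure cookie back over plain http, which is why the session (and with it the JSF view state behind the ViewExpiredException) disappears while the application is still served without TLS. The cookie values, host names and HTML fragment are constructed sample data, not values from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values (not from the page): one cookie as JBoss emits it with
# <SessionCookie secure="true" httpOnly="true"/>, one without the attributes.
HARDENED_SET_COOKIE = "JSESSIONID=7F3A9C1B2D4E; Path=/app; Secure; HttpOnly"
WEAK_SET_COOKIE = "JSESSIONID=7F3A9C1B2D4E; Path=/app"
# Constructed page fragment with a link rendered through container URL rewriting.
SAMPLE_HTML = '<a href="/app/home.jsf;jsessionid=7F3A9C1B2D4E?tab=1">Home</a>'


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header):
    """Return the hardening attributes missing from a JSESSIONID Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    if name.upper() != "JSESSIONID":
        return []
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


JSESSIONID_IN_URL = re.compile(r";jsessionid=[0-9A-Za-z._-]+", re.IGNORECASE)


def session_ids_in_urls(html):
    """Find every ;jsessionid=... path parameter left in rendered links."""
    return [m.group(0) for m in JSESSIONID_IN_URL.finditer(html)]


def cookie_sent_on(header, request_url):
    """RFC 6265 section 5.4: a cookie with the Secure attribute is only sent over https.
    Over http the server sees no JSESSIONID, so every request starts a new session."""
    _, _, attrs = parse_set_cookie(header)
    if "secure" in attrs and urlsplit(request_url).scheme.lower() != "https":
        return False
    return True
```

Feed it the Set-Cookie header and response body captured from the login page after changing context.xml: an empty audit list, no ;jsessionid= matches, and cookie_sent_on returning True for the URL users actually hit are the three conditions that must all hold.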
