JBoss 5: Use secure and httpOnly cookies and hide jsessionid from url
Question
I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I change context.xml file adding:
<Context cookies="true" crossContext="true" >
    <SessionCookie secure="true" httpOnly="true" />
    ....
But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested in RedHat's website (https://access.redhat.com/solutions/16169)
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
        // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            // getRequestURL() already omits the ";jsessionid=..." path parameter; re-append the query string
            String url = request.getRequestURL()
                    .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                    .toString();
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links:
        // return every URL unchanged so the container never rewrites it
        HttpServletResponseWrapper wrappedResponse =
                new HttpServletResponseWrapper(response) {
                    @Override
                    public String encodeRedirectUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeRedirectURL(String url) {
                        return url;
                    }

                    @Override
                    public String encodeUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeURL(String url) {
                        return url;
                    }
                };

        chain.doFilter(req, wrappedResponse);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}
But now I cannot login, I get an exception: javax.faces.application.ViewExpiredException
What am I missing? Please help.
Answer
In order to use secure=true, a certificate needs to be installed so the requests go through https
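To see why the answer applies, here is an added example (not from the post or from JBoss) that replays the client side of the problem with Python's standard cookie jar: a session cookie flagged Secure is stored after the login response but withheld on any follow-up request over plain http, so the server sees no session, and since the filter above also disabled URL rewriting there is no fallback jsessionid either. The host, path and session id value are constructed for the example.

```python
"""Why a Secure JSESSIONID breaks login over plain HTTP (added example, not from the post)."""
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed Set-Cookie header, shaped like what <SessionCookie secure="true"
# httpOnly="true"/> makes the container emit. Host, path and id value are made up.
SET_COOKIE = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Secure; HttpOnly"
LOGIN_URL = "https://app.example.com/login.jsf"


class _FakeResponse:
    """Minimal stand-in for an HTTP response object: CookieJar only needs .info()."""
    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def session_jar_after_login(set_cookie=SET_COOKIE, login_url=LOGIN_URL):
    """Store the server's session cookie the way a browser would after the login response."""
    headers = Message()
    headers["Set-Cookie"] = set_cookie
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(headers), urllib.request.Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header a client would attach to a follow-up request, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure rule: no cookie on non-https requests
    return req.get_header("Cookie")


def has_cookie_flags(set_cookie, *flags):
    """Deployment check: does a Set-Cookie header carry every required attribute?"""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return all(flag.lower() in attrs for flag in flags)


if __name__ == "__main__":
    jar = session_jar_after_login()
    # Over https the session id comes back; over http the client withholds the Secure
    # cookie, the server sees a brand-new session and JSF reports ViewExpiredException.
    print("https:", cookie_header_for(jar, "https://app.example.com/home.jsf"))
    print("http: ", cookie_header_for(jar, "http://app.example.com/home.jsf"))
    print("flags ok:", has_cookie_flags(SET_COOKIE, "Secure", "HttpOnly"))
```

The same `has_cookie_flags` check, run against a real login response's Set-Cookie header, confirms that the context.xml change actually took effect.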