Java Web应用程序中会话cookie的安全标志 [英] Secure flag on session cookies in a Java Web Application

问题描述

我正在尝试将安全标志添加到Java Web应用程序中的会话cookie中.但是，标准方法存在一个问题，即当安全性为true时，即使http请求也将获得安全性标志.这意味着Web服务器不会在后续请求中获取Cookie，因此我们将进行新的会话.它可以在HTTPS上正常工作.所涉及的应用程序具有来自不同域的多个入口点，以及一些内部入口点以及内部IP.有些是HTTPS，有些是HTTP.我需要能够为HTTPS请求(但HTTP请求)设置安全标志.不过，这需要按域完成，而不是按协议完成，因为所有HTTPS请求都通过负载均衡器进行SSL卸载，因此，请求到达Web服务器(即jboss 7.1.1)时，它就是HTTP，即使客户端将其视为HTTPS并且需要会话cookie中的安全标志.这是我尝试过的配置:

I'm trying to add the secure flag to the session cookie in a Java web application. The standard approach however presents a problem, in that when secure is true, even http requests will get the secure flag. This means that the web server does not pick up on the cookie on subsiquent requests and we end up with a new session. It works fine on HTTPS. The application in question has multiple entry points, from different domains and some internal entry points as well with an internal IP. Some are HTTPS, some are HTTP. I need to be able to get the secure flag to be set for HTTPS requests, but HTTP ones. This needs to be done by domain though, rather than by protocol because, all the HTTPS requests go through a load balancer that does SSL offloading, so by the request arrives at the web server (which is jboss 7.1.1) it is HTTP, even though the client would see it as HTTPS and would need the secure flag in the session cookie. Here is the config I tried:

    <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

但是我必须将secure设置为false，否则HTTP入口点都不起作用.

I have had to set secure to false however, as otherwise none of the HTTP entry points work.

推荐答案

这可以通过自定义阀门来实现，该阀门为请求对象的创建提供了一个钩子.如果Servlet请求是安全的，则将在cookie中自动设置安全标志(无web.xml设置).可以通过阀门在请求中设置安全标记.

This can be acheived with a custom valve, that provides a hook into the creation of the request object. The secure flag is set in a cookie automatically (without the web.xml setting) if the servlet request is secure. Setting the secure flag in the request can be done from the valve.

负载平衡器添加到阀头检测到的并相应设置安全性的标题Front-End-Https上.

The load balancer adds on the header Front-End-Https which the valve detects and sets secure accordingly.

这是阀门类别:

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class SecureRequestModifyingValve extends ValveBase
{
    private static final String LB_HTTPS_HEADER = "Front-End-Https";

    @Override
    public void invoke(final Request request, final Response response) throws IOException, ServletException
    {
        final String httpsHeader = request.getHeader(LB_HTTPS_HEADER);
        request.setSecure(httpsHeader != null && httpsHeader.equalsIgnoreCase("on"));
        getNext().invoke(request, response);
    }
}

通过在WAR内的jboss-web.xml中添加以下内容，我有了jboss来使用它.

I have got jboss to use it by adding the following to jboss-web.xml within the WAR.

<valve>
    <class-name>com.lifecycle.framework.valve.SecureRequestModifyingValve
    </class-name>
</valve>

我想象其他容器也可以让您做类似的事情.

I imagine other containers let you do something similar as well.

这篇关于Java Web应用程序中会话cookie的安全标志的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！