您的位置: 首页  >  技术问答  >  如何配置JBoss 4.0.*来使会话cookie HttpOnly安全吗?

如何配置JBoss 4.0.*来使会话cookie HttpOnly安全吗?

分类: 技术问答 2022-05-20 18:16:32
问题描述:

我尝试过

< Context cookies="true" crossContext="true">

< SessionCookie secure="true" httpOnly="true" />

在context.xml中,但在jboss4.0中无法识别

in context.xml but it is not recognising in jboss4.0

String sessionid = req.getSession().getId();
 resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";Path="+req.getContextPath()+"; Secure; Domain="+req.getServerName()+"; HttpOnly");

对于第二个请求,它不允许获取会话的会话验证对象,因此显示会话过期页面

for 2nd request it not allowing to get session validation object for session so it is showing session expired page

public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {

                final HttpServletResponse response = (HttpServletResponse) res;

                final HttpServletRequest request = (HttpServletRequest) req;
                    System.out.println(response.containsHeader("SET-COOKIE"));
                if (response.containsHeader("Set-Cookie")) {  // *******

                    response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()

                            + "; HttpOnly" + (request.isSecure()?SECURE_FLAG : ""));

                }

                filterChain.doFilter(req, res);

        }

如果我使用上述过滤器,则response.containsHeader("SET-COOKIE")或response.containsHeader("Set-Cookie")始终返回false

IF I use above filter response.containsHeader("SET-COOKIE") or response.containsHeader("Set-Cookie") is always return false

任何人都可以给我解决方案,将jboss 4.0 Jsessionid标志配置为安全且只有httponly

can any one give me solution for jboss 4.0 Jsessionid flag configuration as secure and httponly

server/default/deploy/jboss-web.deployer/conf/web.xml 下code> org.jboss.web.tomcat.filters.ReplyHeaderFilter 并在初始化期间添加设置的cookie参数,即

Under server/default/deploy/jboss-web.deployer/conf/web.xml look for a filter that calls the org.jboss.web.tomcat.filters.ReplyHeaderFilter and add the set cookie params during initialization i.e

<filter>
  <filter-name>CommonHeadersFilter</filter-name>
  <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
  <init-param>
     <param-name>X-Powered-By</param-name>
     <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0;</param-value>
  </init-param>     
    <init-param>
        <param-name>Set-Cookie</param-name>
        <param-value>Secure; HttpOnly</param-value>
    </init-param>

相关推荐