JBoss 5: use secure and httpOnly cookies and hide the jsessionid from the URL

Time: 2014-08-12 10:50:30

Tags: java jsf cookies jboss

I am using JBoss EAP 5.2. To use httpOnly and secure cookies I changed the context.xml file:

<Context cookies="true" crossContext="true" >
   <SessionCookie secure="true" httpOnly="true" />
   ....

But now I can see the jsessionid in the URL on every request. So, to hide it, I wrote a filter as suggested on the Red Hat site (https://access.redhat.com/solutions/16169):

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // Non-HTTP requests carry no session id to strip; pass them through untouched
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
        // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            // Redirect target: the request URL as the container reports it, plus the query string
            String url = request.getRequestURL()
                         .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                         .toString();
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links:
        // every encode*URL method returns its argument unchanged, so the container
        // never appends ";jsessionid=..." (the lower-case names are the deprecated
        // Servlet 2.0 variants, overridden as well so no code path slips through)
        HttpServletResponseWrapper wrappedResponse =
            new HttpServletResponseWrapper(response) {
                @Override
                public String encodeRedirectUrl(String url) {
                    return url;
                }

                @Override
                public String encodeRedirectURL(String url) {
                    return url;
                }

                @Override
                public String encodeUrl(String url) {
                    return url;
                }

                @Override
                public String encodeURL(String url) {
                    return url;
                }
            };
        chain.doFilter(req, wrappedResponse);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

But now I cannot log in; I get an exception: javax.faces.application.ViewExpiredException

What am I missing? Please help.

1 answer:

Answer 0 (score: 0)

To use secure = true, a certificate needs to be installed so that requests go over https.
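The answer's point, carried into code as an added example that is not from the question, the answer or the Red Hat article: a cookie marked Secure is never sent by the browser over plain http, so a browser that opened the application over http never returns the JSESSIONID, every request starts a fresh session, and JSF cannot restore the view state it saved in the previous one, which is what ViewExpiredException reports. Installing the certificate makes https possible; the filter below makes it mandatory, so the Secure cookie is always in play. The class name, the init parameters httpsPort and trustForwardedProto, and the X-Forwarded-Proto convention are assumptions made for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not part of the question or the Red Hat article: sends plain-http
 * requests to their https equivalent before the application sees them, so that a
 * JSESSIONID cookie marked Secure is actually returned by the browser on every
 * request. Map it in web.xml ahead of JsessionIdRemoveFilter. The init parameters
 * "httpsPort" and "trustForwardedProto" are names chosen for this example.
 */
public class RequireHttpsFilter implements Filter {

    private int httpsPort = 443;
    // Assumption: enable this only when a TLS-terminating proxy in front of JBoss
    // discards any client-supplied X-Forwarded-Proto and sets its own value.
    private boolean trustForwardedProto = false;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
        trustForwardedProto = "true".equalsIgnoreCase(config.getInitParameter("trustForwardedProto"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || isHttps((HttpServletRequest) req)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A GET or HEAD can simply be repeated over https by the browser. A POST
        // (for example the JSF login form) sent over plain http has already exposed
        // its body, and a redirect would silently turn it into a GET and drop the
        // form data, so refuse it instead.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
            return;
        }

        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", httpsUrlFor(request));
    }

    /** True when the request arrived over TLS, either at JBoss itself or at a trusted proxy. */
    private boolean isHttps(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        return trustForwardedProto
            && "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
    }

    /** Same host, path and query string as the request, but https on the configured port. */
    private String httpsUrlFor(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        // getRequestURI() rather than getRequestURL(), so the plain-http port
        // (e.g. :8080) is not carried over into the https URL
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() {
    }
}
```

Register it in web.xml with a <filter-mapping> for /* that appears before the mapping of JsessionIdRemoveFilter, since filters run in mapping order. Two caveats: the redirect host is taken from the Host header, so if the server answers to several names the canonical one should be pinned in configuration rather than echoed; and trustForwardedProto must stay off unless a proxy really terminates TLS and overwrites X-Forwarded-Proto, because otherwise any client can claim "https" and skip the redirect.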