我试过
< Context cookies="true" crossContext="true">
< SessionCookie secure="true" httpOnly="true" />
在context.xml中,但在jboss4.0中无法识别
String sessionid = req.getSession().getId();
resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";Path="+req.getContextPath()+"; Secure; Domain="+req.getServerName()+"; HttpOnly");
对于第二个请求,它不允许获取会话的会话验证对象,因此它显示会话过期页面
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {
final HttpServletResponse response = (HttpServletResponse) res;
final HttpServletRequest request = (HttpServletRequest) req;
System.out.println(response.containsHeader("SET-COOKIE"));
if (response.containsHeader("Set-Cookie")) { // *******
response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()
+ "; HttpOnly" + (request.isSecure()?SECURE_FLAG : ""));
}
filterChain.doFilter(req, res);
}
如果我使用上面的过滤器response.containsHeader(“SET-COOKIE”)或response.containsHeader(“Set-Cookie”)总是返回false
任何人都可以给我解决jboss 4.0 Jsessionid标志配置为安全和httponly
答案 0 :(得分:0)
我可以确认,对于JBoss 4.0.3,它通过操作Filter实现类中的头来工作。这对我有用:
String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse)response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
我还没有确认为什么不支持通过context.xml的解决方案。我没有找到任何引用,只有博客文章声称在JBoss 4中唯一的方法是以编程方式。 http://syams18.blogspot.se/2012/01/setting-httponly-in-jboss-httponly-is.html
答案 1 :(得分:0)
在server/default/deploy/jboss-web.deployer/conf/web.xml下查找一个调用org.jboss.web.tomcat.filters.ReplyHeaderFilter的过滤器,并在初始化期间添加set cookie参数
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0;</param-value>
</init-param>
<init-param>
<param-name>Set-Cookie</param-name>
<param-value>Secure; HttpOnly</param-value>
</init-param>