我们遇到了在启用了HTTPOnlyCookies设置的情况下在Websphere 6.1.0.31下运行的应用程序的问题。 问题在于Applet通过HttpURLConnection与Servlet建立连接。 Applet通过参数从JSP页面传递JSESSION ID。 在HttpURLConnect调用中,我们设置Cookie标头并包含JSESSION ID。 Servlet不使用传递的cookie,将创建一个新会话并导致错误。 禁用HTTPOnlyCookies后,此工作没有任何错误。设置为(com.ibm.ws.webcontainer.HTTPOnlyCookies = *)。
下面是更改的代码,以显示我们如何执行此任务。我只更改了代码以删除与项目相关的任何信息,因为这是在生产软件中。
// The Applet
public class TheApplet extends JApplet {
private String servletURL;
private String sessionId;
public void init() {
this.sessionId = getParameter(SESSION_ID_PARAM);
this.servletURL = "https://THEURL/CONTEXT/TheServlet.do?params=params";
}
public void start () {
Thread t = new Thread(new Runnable() {
public void run() {
HttpClient httpClient = new HttpClient(this.servletURL, this.sessionId);
Map theMap = httpClient.getData();
}
});
t.start();
}
}
public class HttpClient {
public Map getData() {
ObjectInputStream ois = doGet(this.servletURL, this.sessionId);
/*
... Process return .. error happens before processing
*/
}
private ObjectInputStream doGet(String servletURL, String sessionId) {
URL url = new URL(servletURL);
HttpURLConnection httpConn = (HttpURLConnection)url.openConnection();
httpConn.setDoInput (true);
httpConn.setDoOutput (true);
httpConn.setRequestProperty("Cookie", "JSESSIONID="+sessionId);
httpConn.setUseCaches (true);
return new ObjectInputStream (httpConn.getInputStream ());
}
}
// The Servlet
// Struts 1.2.9
import org.apache.struts.actions.DispatchAction;
public class TheServletAction extends DispatchAction {
public ActionForward performGetData(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) {
Map theMap = new HashMap();
/*
... db call and build Map
*/
TheResponseWriter.writeObjectIntoResponse(theMap, response);
}
}
public class TheResponseWriter {
public static void writeObjectIntoResponse(Object oObjToWrite, HttpServletResponse response) {
ServletOutputStream out = response.getOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(out);
response.setContentType("application/octet-stream");
oos.writeObject(oObjToWrite);
oos.flush();
oss.close();
out.close();
}
}
以下是我在applet的Java控制台跟踪文件中看到的错误。再次只更改小信息,我也注意到在WASReqURL中它没有'主机名'
network: Cache entry not found [url: https://THEURL/CONTEXT/TheServlet.do?params=params, version: null]
network: Connecting https://THEURL/CONTEXT/TheServlet.do?params=params with proxy=DIRECT
network: Connecting socket://THEURL:443 with proxy=DIRECT
network: Server https://THEURL/CONTEXT/TheServlet.do?params=params requesting to set-cookie with "WASReqURL=https:///CONTEXT/TheServlet.do?params=params; HTTPOnly; Path=/"
network: Cache entry not found [url: https://THEURL/CONTEXT/index.jsp, version: null]
network: Connecting https://THEURL/CONTEXT/index.jsp with proxy=DIRECT
network: Connecting socket://THEURL:443 with proxy=DIRECT
network: Server https://THEURL/CONTEXT/index.jsp requesting to set-cookie with "JSESSIONID=; HTTPOnly; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Domain=THEURL"
network: Server https://THEURL/CONTEXT/index.jsp requesting to set-cookie with "JSESSIONID=dfdsfdsafds3q32-sad9287287:163bb19cr; HTTPOnly; Path=/"
- Wed Dec 14 09:05:58 EST 2011 - ERROR - Thread-8 - com.the.package.HttpClient - java.io.StreamCorruptedException: invalid stream header: 0A0A0A0A
感谢您的帮助,如果您需要帮助,请告知我们。我找不到任何有用的东西。
_ 添加更多详情
在生产线上(httpConn.setRequestProperty(“Cookie”,“JSESSIONID =”+ sessionId); )甚至不存在,并且该过程正常。但我们的客户想要在他们的Websphere上启用httpOnly设置,但是遇到applet而不是工作。我可能已经找到了为什么传递会话不起作用的原因。在查看cookie标头时,我注意到标头中的JSESSIONID与作为applet的param设置的标题不同。调查我发现有关集群环境的JSESSIONID格式的信息。 https://www.ibm.com/developerworks/mydeveloperworks/blogs/Dougclectica/entry/websphere_session_ids22?lang=en,即CacheID + SessionID +:+ CloneID。我正在试图找出如何在JSP页面中获取这些值。