1

我试过了

< Context cookies="true" crossContext="true">

< SessionCookie secure="true" httpOnly="true" />

在 context.xml 中,但在 jboss4.0 中无法识别

我在java程序中试过

String sessionid = req.getSession().getId();
 resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";Path="+req.getContextPath()+"; Secure; Domain="+req.getServerName()+"; HttpOnly");

对于第二个请求,它不允许获取会话的会话验证对象,因此它显示会话过期页面

我尝试使用过滤器

public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {

                final HttpServletResponse response = (HttpServletResponse) res;

                final HttpServletRequest request = (HttpServletRequest) req;
                    System.out.println(response.containsHeader("SET-COOKIE"));
                if (response.containsHeader("Set-Cookie")) {  // *******

                    response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()

                            + "; HttpOnly" + (request.isSecure()?SECURE_FLAG : ""));

                }

                filterChain.doFilter(req, res);

        }

如果我使用上面的过滤器 response.containsHeader("SET-COOKIE") 或 response.containsHeader("Set-Cookie") 总是返回 false

谁能给我解决jboss 4.0 Jsessionid标志配置为安全和httponly的解决方案

4

2 回答 2

1

在初始化期间server/default/deploy/jboss-web.deployer/conf/web.xml寻找一个调用并添加设置的cookie参数的过滤器,即org.jboss.web.tomcat.filters.ReplyHeaderFilter

<filter>
  <filter-name>CommonHeadersFilter</filter-name>
  <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
  <init-param>
     <param-name>X-Powered-By</param-name>
     <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0;</param-value>
  </init-param>     
    <init-param>
        <param-name>Set-Cookie</param-name>
        <param-value>Secure; HttpOnly</param-value>
    </init-param>

于 2018-04-27T19:13:02.287 回答
0

我可以确认对于 JBoss 4.0.3,它可以通过在 Filter 实现类中操作标头来工作。这对我有用:

String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse)response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

我还没有确认为什么不支持通过 context.xml 的解决方案。我没有找到任何参考资料,只有博客文章声称在 JBoss 4 中这样做的唯一方法是编程。 http://syams18.blogspot.se/2012/01/setting-httponly-in-jboss-httponly-is.html

于 2016-02-24T10:46:42.760 回答