Cookie HttpOnly Secure
1. Change the configuration in context.xml
<Context cookies="true" crossContext="true">
<SessionCookie secure="true" httpOnly="true" />
<!-- Session persistence is disabled by default. To enable it for all web
apps, set the pathname to a non-empty value:
<Manager pathname="SESSIONS.ser" />
To enable session persistence for a single web app, add a
WEB-INF/context.xml
-->
<Manager pathname="" />
<!-- Install an InstanceListener to handle the establishment of the run-as
role for servlet init/destroy events.
-->
<InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>
</Context>
2. Use the response to write the cookie back
// Runs inside Filter.doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
HttpSession session = req.getSession(false);   // do not create a session here
Cookie[] cookies = req.getCookies();           // null when the request carries no cookies
if (cookies != null) {
    for (Cookie cookie : cookies) {
        boolean isSession = cookie.getName().equalsIgnoreCase("JSESSIONID");
        String value = (isSession && session != null) ? session.getId() : cookie.getValue();
        // Put the flags in the header itself: setSecure() on a request cookie has no
        // effect, because that object is never sent back to the client. addHeader keeps
        // one Set-Cookie line per cookie; setHeader would overwrite the previous one.
        resp.addHeader("Set-Cookie", String.format("%s=%s;Path=/storename;HttpOnly;Secure", cookie.getName(), value));
    }
}
Or
// Re-emit only the session cookie; Utility.isValidString and Log are the project's own helpers.
HttpSession session = ((HttpServletRequest) request).getSession(false);
if (null != session && Utility.isValidString(session.getId())) {
    String sessionid = session.getId();
    Log.info(this, "session create time: " + session.getCreationTime());
    // HttpOnly only. With no Path attribute the browser derives a default path from the
    // request URI, which may not match the container's own JSESSIONID cookie.
    ((HttpServletResponse) response).setHeader("Set-Cookie", "JSESSIONID=" + sessionid + ";HttpOnly");
}
Or
HttpSession session = ((HttpServletRequest) request).getSession(false);
if (null != session && Utility.isValidString(session.getId())) {
    String sessionid = session.getId();
    Log.info(this, "session create time: " + session.getCreationTime());
    // Secure is a flag attribute, so write ";Secure" rather than ";secure=true".
    ((HttpServletResponse) response).setHeader("Set-Cookie", "JSESSIONID=" + sessionid + ";Path=/storename;HttpOnly;Secure");
}
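Whichever variant is used, the result should be verified on the wire. The following audit script is an added example, not part of the original post or of JBoss; it parses Set-Cookie values the way RFC 6265 does (attribute names are case-insensitive, Secure and HttpOnly are flags) and reports a JSESSIONID cookie that lacks HttpOnly or Secure, a Path that differs from the context path, or two JSESSIONID cookies with different paths. The sample headers and the context path /storename are constructed for the demonstration.

```python
SESSION_COOKIE = "JSESSIONID"


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and attributes (RFC 6265 s5.2).
    Secure and HttpOnly are flags, so 'secure=true' still counts as Secure."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            aname, _, avalue = part.partition("=")
            attrs[aname.strip().lower()] = avalue.strip() or None
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(headers, expected_path):
    """Report a JSESSIONID cookie lacking HttpOnly or Secure, a Path that differs
    from the context path, and duplicate JSESSIONID cookies with different paths
    (the browser stores both, so the weaker one keeps being sent)."""
    findings = []
    paths = set()
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() != SESSION_COOKIE:
            continue  # only the session cookie is audited here
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append("JSESSIONID missing HttpOnly")
        if "secure" not in attrs:
            findings.append("JSESSIONID missing Secure")
        path = attrs.get("path") or "<default>"
        paths.add(path)
        if path != expected_path:
            findings.append(f"JSESSIONID Path is {path}, expected {expected_path}")
    if len(paths) > 1:
        findings.append("multiple JSESSIONID cookies with different Path values")
    return findings


# Constructed sample: the header written by the second snippet above (no Secure,
# no Path) next to the container's own cookie for the same session.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123;HttpOnly",
    "JSESSIONID=abc123;Path=/storename;HttpOnly;Secure",
]
print(audit_set_cookie(SAMPLE_HEADERS, "/storename"))
```

Feed it the raw Set-Cookie lines captured from an HTTPS response to the application; an empty list means the session cookie carries both flags and the expected path.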
References:
https://community.jboss.org/thread/165079
http://www.iteye.com/problems/80699
This article describes how to adjust the configuration in context.xml, including enabling the HttpOnly and Secure cookie attributes and configuring session persistence, and provides sample code that writes JSESSIONID back to the client with these attributes set.