-
2. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 24, 2012 4:58 AM (in response to sbaum)
HttpOnly is not supported in 2.0.x
-
3. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 24, 2012 5:07 AM (in response to jfclere)
Hi Jean-Frederic,
I'm sorry, but this is not the answer to my question, it's just a repetition of what I figured out by myself.
Could you please give me some hint where to install an appropriate servlet filter within JBoss Web?
Any help would be highly appreciated.
Br,
Steffen
-
4. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 24, 2012 5:15 AM (in response to sbaum)
There is no way to get it working, sorry... unless you patch the 2.0.1 code with r1515, see JBPAPP-4794
-
5. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 24, 2012 5:32 AM (in response to jfclere)
But a solution like https://community.jboss.org/message/646958#646958 could work, couldn't it (except that this particular solution overrides cookies other than JSESSIONID)? But which servlet must the filter be written for? And where to specify the filter? Thank you.
-
6. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 24, 2012 6:05 AM (in response to sbaum)
The solution in https://community.jboss.org/message/646958#646958 is a hack. You get the JSESSIONID cookie twice in the response; the browser keeps the last one (but that is "luke").
Your idea to have another cookie created in a filter and replacing JSESSION is another hack (just a bit cleaner, maybe).
The filter must be a global one (jboss-web.deployer/conf/web.xml); if that doesn't work, use a valve instead.
-
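For readers who want to see what the "global filter" workaround from the post above looks like in code, here is an added example; it is not code from the thread, from the linked message, or from JBoss Web itself. It targets the Servlet 2.5 API that JBoss Web 2.0.x exposes, where `javax.servlet.http.Cookie` has no `setHttpOnly()` and the container writes its own `Set-Cookie: JSESSIONID=...` header outside the filter chain. The filter therefore re-emits the session cookie as a raw `Set-Cookie` header carrying `HttpOnly`, relying on the behaviour described in the post that browsers keep the last `Set-Cookie` for a given name and path. The class name, the use of `HttpSession.getId()` as the cookie value, and the `Path`/`Secure` attributes mirroring the container's cookie are all assumptions of this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical global filter (not part of JBoss Web) that re-emits the
 * JSESSIONID cookie with the HttpOnly flag once the request has been handled.
 *
 * Why a raw header: on Servlet 2.5 there is no Cookie.setHttpOnly(), and the
 * container sets the session cookie itself via Response.addCookieInternal,
 * which a response wrapper in the filter chain never sees. Writing a second
 * Set-Cookie for the same name and path makes the browser keep the last one,
 * which is exactly the "hack" the thread describes.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void destroy() {
        context = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        chain.doFilter(request, response);

        // Only a session created during this request has just had its cookie set
        // by the container; do not touch requests that merely reuse a session.
        HttpSession session = request.getSession(false);
        if (session == null || !session.isNew()) {
            return;
        }
        // Once the body has been flushed no header can be added any more; in that
        // case the container's cookie (without HttpOnly) is what the client gets,
        // so make the failure visible in the server log instead of hiding it.
        if (response.isCommitted()) {
            context.log("HttpOnlySessionCookieFilter: response already committed for "
                    + request.getRequestURI() + ", JSESSIONID sent without HttpOnly");
            return;
        }
        String value = buildSessionCookie(session.getId(), request.getContextPath(), request.isSecure());
        response.addHeader("Set-Cookie", value);
    }

    /**
     * Builds a Set-Cookie value that mirrors the container's own session cookie
     * (same name, Path and Secure attribute) and appends HttpOnly.
     * Assumption of this example: the session id returned by HttpSession.getId()
     * is the exact value the container put into its own JSESSIONID cookie.
     */
    static String buildSessionCookie(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder sb = new StringBuilder();
        sb.append(SESSION_COOKIE).append('=').append(sessionId);
        sb.append("; Path=").append(path);
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }
}
```

To make it apply to every deployment, as the post says, register it in the server-wide `jboss-web.deployer/conf/web.xml` with a `<filter>` element plus a `<filter-mapping>` whose `<url-pattern>` is `/*`, and put the compiled class on the server classpath rather than in one webapp. Two things are worth verifying before trusting it: first, compare the cookie value the filter writes against the one the container writes (for example in the raw response headers of a first request to the application); in a clustered JBoss AS 4.2.x setup with a jvmRoute, the container's cookie value may carry a route suffix, and if `getId()` does not return the identical string the browser would end up with a different session cookie and sticky sessions would break. Second, check for the server-log message above on pages that flush output early (large JSPs, streaming responses), because on those requests the container's cookie without `HttpOnly` still wins.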
7. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 24, 2012 6:30 AM (in response to jfclere)
Ok, I checked out JBOSSWEB_2_0_1_GA and JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 from anonymous SVN now. Now I'm trying to create a patch from the latter, revision 1515, and apply it to the first. But how does the patch creation work with Subclipse or Tortoise SVN? Sorry, this is the very first time. Could you help me once again? Or is there already a publicly available patch file which may be simply applied?
-
8. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 24, 2012 7:16 AM (in response to sbaum)
r1515 doesn't apply correctly to JBOSSWEB_2_0_1_GA, so you have to do part of the patch by hand.
It is probably easier to build JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 from svn and try replacing the jbossweb.jar of AS 4.2.3 with the one produced by:
ant download
ant
-
9. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 24, 2012 8:11 AM (in response to jfclere)
Ok, after building the patched version I copied jbossweb.jar to jboss-web.deployer. However, it seems that the HttpOnly flag is ignored. How do you enable it in the patched version? I've tried <Context cookies="true" crossContext="true" useHttpOnly="true"> as well as <SessionCookie secure="true" useHttpOnly="true" /> in context.xml, but unfortunately neither worked.
-
10. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 24, 2012 12:23 PM (in response to sbaum)
After doing the build again from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 I get this exception:
18:15:19,050 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing
java.lang.NoSuchMethodError: org.apache.catalina.Container.getLogger()Lorg/jboss/logging/Logger;
at org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:610)
The class ClusteredSingleSignOn is normally contained in jbossweb-service.jar, which is not contained in the build output, however. What is going wrong here?
-
11. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 25, 2012 12:51 AM (in response to sbaum)
Logging was changed from JBoss Logging to Commons Logging? But where do I get the jbossweb-service.jar which uses Commons Logging?
-
12. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 25, 2012 2:47 AM (in response to sbaum)
Due to the logging conflict I finally decided to patch the eight files from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794, revision 1515, manually into JBOSSWEB_2_0_1_GA. Everything compiles well.
However, when accessing the webapp the following header is being set:
Set-Cookie: JSESSIONID=FOO; Path=/; Secure
JSESSIONID=FOO; Path=/
The JSESSIONID cookie is set twice from two different call hierarchies:
1.
org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
org.apache.catalina.connector.Response.addCookieInternal(org.apache.tomcat.util.http.TomcatCookie) line: 845
org.apache.catalina.connector.Request.doGetSession(boolean) line: 1979
2.
org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
org.apache.catalina.connector.Response.addCookieInternal(javax.servlet.http.Cookie) line: 812
org.apache.catalina.connector.Response.addCookie(javax.servlet.http.Cookie) line: 786
This is because, for some reason, Response.addCookieInternal, which is an overloaded method (TomcatCookie or Cookie as single parameter), gets called twice.
This drives me crazy, do you have any suggestions?
-
13. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 25, 2012 2:50 AM (in response to sbaum)
Additionally, SessionCookie.httpOnly is not initialized as defined in context.xml, although ContextRuleSet.addRuleInstances(Digester) seems to do the job...
-
14. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 25, 2012 3:32 AM (in response to sbaum)
For SessionCookie.httpOnly, as you patched the code by hand, just set it to true in the code.
With your previous comment I guess you have the cookie twice in the response, correct?