HttpOnly is not supported in 2.0.x
I'm sorry, but this is not the answer to my question, it's just a repetition of what I figured out by myself.
Could you please give me some hint where to install an appropriate servlet filter within JBoss Web?
Any help would be highly appreciated.
There is no way to get it working, sorry... except if you patch the 2.0.1 code with r1515, see JBPAPP-4794.
But a solution like https://community.jboss.org/message/646958#646958 could work, couldn't it (except that this particular solution overrides cookies other than JSESSIONID)? But which servlet must the filter be written for? And where to specify the filter? Thank you.
The solution in https://community.jboss.org/message/646958#646958 is a hack. You get the JSESSIONID cookie twice in the response; the browser keeps the last one (but that is "luck").
Your idea to have another cookie created in a filter and replacing JSESSION is another hack (just a bit cleaner, maybe).
The filter must be a global one (jboss-web.deployer/conf/web.xml); if that doesn't work, use a valve instead.
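The filter approach discussed above, written out as an added example (it is not code from this thread or from JBossWeb; the class name and its behaviour are assumptions). It keeps the caveats already raised: a Servlet 2.5 Cookie has no setHttpOnly(), so the filter can only add a second Set-Cookie header that the browser keeps over the container's own, and that header must be added before the response is committed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical global filter for a Servlet 2.5 container such as JBossWeb 2.0.x.
// The container's own Set-Cookie for JSESSIONID stays in the response, so the
// browser sees the cookie twice and keeps the last one: a workaround, not a fix.
public class HttpOnlySessionCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        chain.doFilter(request, response);

        // Only a session created during this request has a JSESSIONID
        // Set-Cookie in this response; do nothing otherwise.
        HttpSession session = request.getSession(false);
        if (session == null || !session.isNew()) {
            return;
        }
        // Headers cannot be added once the response is committed (for example
        // after a large body was flushed); the HttpOnly header is then lost.
        if (response.isCommitted()) {
            return;
        }
        String path = request.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }
        StringBuffer cookie = new StringBuffer("JSESSIONID=").append(session.getId())
                .append("; Path=").append(path);
        if (request.isSecure()) {
            cookie.append("; Secure");
        }
        cookie.append("; HttpOnly");
        // addHeader rather than setHeader, so Set-Cookie headers for other cookies survive.
        response.addHeader("Set-Cookie", cookie.toString());
    }

    public void destroy() { }
}
```

Register it with a filter and filter-mapping for /* in the global web.xml mentioned above so it applies to every deployed application.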
Ok, I checked out JBOSSWEB_2_0_1_GA and JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 from anonymous SVN now. Now I'm trying to create a patch from the latter, revision 1515 and apply it to the first. But how does the patch creation work with Subclipse or Tortoise SVN? Sorry, this is the very first time. Could you help me once again? Or is there already a publicly available patch file which may be simply applied?
The r1515 doesn't apply correctly to JBOSSWEB_2_0_1_GA, so you have to do a part of the patch by hand.
It is probably easier to build JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 from svn and try to replace the jbossweb.jar of AS 4.2.3 by the one produced by:
Ok, after building the patched version I copied jbossweb.jar to jboss-web.deployer. However, it seems that the HttpOnly flag is ignored. How do you enable it in the patched version? I've tried <Context cookies="true" crossContext="true" useHttpOnly="true"> as well as <SessionCookie secure="true" useHttpOnly="true" /> in context.xml but unfortunately neither worked.
After doing the build again from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 I get this exception:
18:15:19,050 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing
The class ClusteredSingleSignOn is normally contained in jbossweb-service.jar which is not contained in the build output however. What is going wrong here?
Logging was changed from JBoss Logging to Commons Logging? But where do I get the jbossweb-service.jar which uses Commons Logging?
Due to the logging conflict I finally decided to patch the eight files from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794, revision 1515 manually into JBOSSWEB_2_0_1_GA. Everything compiles well.
However, when accessing the webapp the following header is being set:
Set-Cookie: JSESSIONID=FOO; Path=/; Secure
The JSESSIONID cookie is set twice from two different call hierarchies:
org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
org.apache.catalina.connector.Response.addCookieInternal(org.apache.tomcat.util.http.TomcatCookie) line: 845
org.apache.catalina.connector.Request.doGetSession(boolean) line: 1979

org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
org.apache.catalina.connector.Response.addCookieInternal(javax.servlet.http.Cookie) line: 812
org.apache.catalina.connector.Response.addCookie(javax.servlet.http.Cookie) line: 786
This is because for some reason Response.addCookieInternal, which is an overloaded method (TomcatCookie or Cookie as single parameter), gets called twice.
This drives me crazy, do you have any suggestions?
Additionally, SessionCookie.httpOnly is not initialized as defined in context.xml although ContextRuleSet.addRuleInstances(Digester) seems to do the job...
For SessionCookie.httpOnly, as you have patched the code by hand, just set it to true in the code.
With your previous comment I guess you have the cookie twice in the response correct?