22 Replies Latest reply on Sep 26, 2012 7:56 AM by sbaum

    HttpOnly cookies in JBossWeb 2.0.1

    sbaum

      Hi,


      According to https://community.jboss.org/wiki/VersionOfTomcatInJBossAS, JBoss 4.2.3 ships with JBossWeb 2.0.1, which implements the Servlet 2.4 specification. However, the HttpOnly attribute for cookies is only supported as of Servlet 3.0.

       

      To protect the JSESSIONID from being accessed by JavaScript, I need to modify the Set-Cookie header somehow.


      Is there any chance to upgrade JBossWeb within JBoss 4.2.3 to support this feature in a declarative manner via context.xml? Alternatively, could you point me to some tested standard solutions like servlet filters or valves I may use to achieve the same? I'm not willing to reimplement RFC 6265 to safely parse and build Set-Cookie headers.


      Br,

      Steffen

        • 1. Re: HttpOnly cookies in JBossWeb 2.0.1
          sbaum

          Nobody?

          • 2. Re: HttpOnly cookies in JBossWeb 2.0.1
            jfclere

            HttpOnly is not supported in 2.0.x.

            • 3. Re: HttpOnly cookies in JBossWeb 2.0.1
              sbaum

              Hi Jean-Frederic,


              I'm sorry, but this is not the answer to my question, it's just a repetition of what I figured out by myself.

              Could you please give me some hint where to install an appropriate servlet filter within JBoss Web?


              Any help would be highly appreciated.


              Br,

              Steffen

              • 4. Re: HttpOnly cookies in JBossWeb 2.0.1
                jfclere

                There is no way to get it working, sorry... except if you patch the 2.0.1 code with r1515; see JBPAPP-4794.

                1 of 1 people found this helpful
                • 5. Re: HttpOnly cookies in JBossWeb 2.0.1
                  sbaum

                  But a solution like https://community.jboss.org/message/646958#646958 could work, couldn't it (except that this particular solution overrides cookies other than JSESSIONID)? But which servlet must the filter be written for? And where to specify the filter? Thank you.

                  • 6. Re: HttpOnly cookies in JBossWeb 2.0.1
                    jfclere

                    The solution in https://community.jboss.org/message/646958#646958 is a hack. You get the JSESSIONID cookie twice in the response; the browser keeps the last one (but that is "luke").

                    Your idea to have another cookie created in a filter and replacing JSESSION is another hack (just a bit cleaner, maybe).

                    The filter must be a global one (jboss-web.deployer/conf/web.xm); if that doesn't work, use a valve instead.

                    1 of 1 people found this helpful
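                    As an added example (not code from this thread, from JBossWeb or from the linked message), here is the shape of the filter approach the reply above calls the cleaner hack, written against the Servlet 2.4 API only: a globally registered filter whose response wrapper re-emits every cookie the application adds as a Set-Cookie header carrying HttpOnly, built from the Cookie object's attributes rather than by parsing header text. The package, class and filter names are assumptions.

```java
// Added example, not from the thread or from JBossWeb. Servlet 2.4 API only.
// Register it globally (the reply above: the global web.xml of the
// jboss-web.deployer) with a mapping such as:
//
//   <filter>
//     <filter-name>HttpOnlyCookieFilter</filter-name>
//     <filter-class>example.HttpOnlyCookieFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>HttpOnlyCookieFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package example; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class HttpOnlyCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new HttpOnlyResponseWrapper((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Re-emits every cookie added through this wrapper as a Set-Cookie header with HttpOnly. */
    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {

        HttpOnlyResponseWrapper(HttpServletResponse response) {
            super(response);
        }

        public void addCookie(Cookie cookie) {
            // Bypass the container's cookie serializer (no HttpOnly in 2.0.x) and
            // write the header ourselves from the Cookie object's attributes.
            super.addHeader("Set-Cookie", toSetCookieHeader(cookie));
        }

        /** Builds a Netscape-style (version 0) Set-Cookie value from Cookie attributes, plus HttpOnly. */
        static String toSetCookieHeader(Cookie cookie) {
            String name = cookie.getName();
            String value = cookie.getValue() == null ? "" : cookie.getValue();
            // No parsing of Set-Cookie text happens here; we only refuse names and
            // values that could not be emitted as a plain token without quoting.
            if (name == null || name.length() == 0 || name.indexOf('=') >= 0
                    || !isPlainToken(name) || !isPlainToken(value)) {
                throw new IllegalArgumentException("cookie name/value needs quoting, not handled: " + name);
            }
            StringBuffer sb = new StringBuffer(name).append('=').append(value);
            if (cookie.getPath() != null) {
                sb.append("; Path=").append(cookie.getPath());
            }
            if (cookie.getDomain() != null) {
                sb.append("; Domain=").append(cookie.getDomain());
            }
            if (cookie.getMaxAge() >= 0) {
                // Max-Age is honoured by RFC 6265 browsers; 0 deletes the cookie.
                sb.append("; Max-Age=").append(cookie.getMaxAge());
            }
            if (cookie.getSecure()) {
                sb.append("; Secure");
            }
            sb.append("; HttpOnly");
            return sb.toString();
        }

        /** True when every character is printable US-ASCII and none is a cookie separator. */
        static boolean isPlainToken(String s) {
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                if (c <= 0x20 || c >= 0x7f || c == ';' || c == ',' || c == '"' || c == '\\') {
                    return false;
                }
            }
            return true;
        }
    }
}
```

                    The limitation the replies in this thread point at still applies: only cookies the application adds through the wrapped response pass through addCookie here, while the container issues JSESSIONID itself when a session is created, so the session cookie is not rewritten by this wrapper. That is why the reply above suggests a valve, or the r1515 patch, for the session cookie itself.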
                    • 7. Re: HttpOnly cookies in JBossWeb 2.0.1
                      sbaum

                      Ok, I checked out JBOSSWEB_2_0_1_GA and JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 from anonymous SVN now. Now I'm trying to create a patch from the latter, revision 1515 and apply it to the first. But how does the patch creation work with Subclipse or Tortoise SVN? Sorry, this is the very first time. Could you help me once again? Or is there already a publicly available patch file which may be simply applied?

                      • 8. Re: HttpOnly cookies in JBossWeb 2.0.1
                        jfclere

                        The r1515 patch doesn't apply correctly to JBOSSWEB_2_0_1_GA, so you have to do part of the patch by hand.

                        It is probably easier to build JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 from svn and try to replace the jbossweb.jar of AS 4.2.3 with the one produced by:

                        ant download

                        ant

                        • 9. Re: HttpOnly cookies in JBossWeb 2.0.1
                          sbaum

                          Ok, after building the patched version I copied jbossweb.jar to jboss-web.deployer. However, it seems that the HttpOnly flag is ignored. How do you enable it in the patched version? I've tried <Context cookies="true" crossContext="true" useHttpOnly="true"> as well as <SessionCookie secure="true" useHttpOnly="true" /> in context.xml, but unfortunately neither worked.

                          • 10. Re: HttpOnly cookies in JBossWeb 2.0.1
                            sbaum

                            After doing the build again from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794 I get this exception:


                            18:15:19,050 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing
                            java.lang.NoSuchMethodError: org.apache.catalina.Container.getLogger()Lorg/jboss/logging/Logger;
                                at org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:610)


                            The class ClusteredSingleSignOn is normally contained in jbossweb-service.jar, which however is not contained in the build output. What is going wrong here?

                            • 11. Re: HttpOnly cookies in JBossWeb 2.0.1
                              sbaum

                              Logging was changed from JBoss Logging to Commons Logging? But where do I get the jbossweb-service.jar which uses Commons Logging?

                              • 12. Re: HttpOnly cookies in JBossWeb 2.0.1
                                sbaum

                                Due to the logging conflict I finally decided to patch the eight files from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794, revision 1515 manually into JBOSSWEB_2_0_1_GA. Everything compiles well.


                                However, when accessing the webapp the following header is being set:

                                Set-Cookie: JSESSIONID=FOO; Path=/; Secure

                                JSESSIONID=FOO; Path=/


                                The JSESSIONID cookie is set twice from two different call hierarchies:

                                1.

                                org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
                                org.apache.catalina.connector.Response.addCookieInternal(org.apache.tomcat.util.http.TomcatCookie) line: 845
                                org.apache.catalina.connector.Request.doGetSession(boolean) line: 1979

                                2.

                                org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
                                org.apache.catalina.connector.Response.addCookieInternal(javax.servlet.http.Cookie) line: 812
                                org.apache.catalina.connector.Response.addCookie(javax.servlet.http.Cookie) line: 786


                                This is because for some reason Response.addCookieInternal, which is an overloaded method (TomcatCookie or Cookie as single parameter), gets called twice.


                                This drives me crazy, do you have any suggestions?

                                • 13. Re: HttpOnly cookies in JBossWeb 2.0.1
                                  sbaum

                                  Additionally, SessionCookie.httpOnly is not initialized as defined in context.xml although ContextRuleSet.addRuleInstances(Digester) seems to do the job...

                                  • 14. Re: HttpOnly cookies in JBossWeb 2.0.1
                                    jfclere

                                    For SessionCookie.httpOnly: as you have patched the code by hand, just set it to true in the code.

                                    With your previous comment, I guess you have the cookie twice in the response, correct?
