-
15. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 25, 2012 3:35 AM (in response to jfclere)BTW: any reason you can't move to a newer version of AS or to a subscription and get a supported version that fixes the problem?
-
16. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 25, 2012 3:44 AM (in response to sbaum)Ok, now it's working. The following steps must be performed:
1. Check out JBOSSWEB_2_0_1_GA from SVN.
2. Manually merge the following files from JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794, revision 1515:
- org.apache.catalina.Context.java
- org.apache.catalina.connector.Request.java
- org.apache.catalina.connector.Response.java
- org.apache.catalina.core.StandardContext.java
- org.apache.catalina.deploy.SessionCookie.java
- org.apache.catalina.startup.ContextRuleSet.java
- org.apache.tomcat.util.http.ServerCookie.java
- org.apache.tomcat.util.http.TomcatCookie.java
3. Execute ant targets:
- ant download
- ant
4. Substitute output/jbossweb.jar and output/jbossweb-extras.jar for jboss-web.deployer/jbossweb.jar and jboss-web.deployer/jbossweb-extras.jar.
5. Enable HttpOnly in jboss-web.deployer/context.xml by adding this line:
- <SessionCookie secure="true" httpOnly="true" />
@jfclere: The only thing I had to do was commenting out the code within Response.addCookieInternal(Cookie), otherwise I would have got a second JSESSIONID cookie without the HttpOnly flag set. Does this imply any side effects? Thank you for your assistance.
-
17. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 25, 2012 4:02 AM (in response to sbaum)Yes, the reason is JBoss Portal 2.7.2 which is not supported by JBoss AS greater than 4.2.3. :-(
-
18. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 26, 2012 2:03 AM (in response to sbaum)I'd like to mark this discussion as answered.
However, one last point remains:
Steffen Baum wrote:
The only thing I had to do was commenting out the code within Response.addCookieInternal(Cookie), otherwise I would have got a second JSESSIONID cookie without the HttpOnly flag set. Does this imply any side effects? Thank you for your assistance.
To be more concrete, at the moment the obsolete method Response.addCookie(Cookie) has these callers:
The question is whether there is a chance that, when commenting out the code within this method, no cookie will be set at all. Or will all callers listed above also come across Request.doGetSession, which in turn calls the new Response.addCookie(TomcatCookie) method?
Thank you so much.
-
19. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 26, 2012 4:52 AM (in response to sbaum)Commenting out the addCookieInternal in java/org/apache/catalina/connector/Response.java doesn't look like a good idea. It will break any application using addCookie in a webapp.
Do you have a long stack trace for comment #12? Basically I would like to check what is calling org.apache.tomcat.util.http.ServerCookie.appendCookieValue()
-
20. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 26, 2012 7:22 AM (in response to jfclere)However, when not commenting out addCookieInternal(Cookie), the session cookie will be set twice. First the cookie will be set with the HttpOnly flag and subsequently without the HttpOnly flag, i.e. the browser will override the correct client cookie.
These are the call stacks:
1.
Daemon Thread [ajp-127.0.0.1-8009-3] (Suspended (breakpoint at line 202 in org.apache.tomcat.util.http.ServerCookie))
    org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
    org.apache.catalina.connector.Response.addCookieInternal(org.apache.tomcat.util.http.TomcatCookie) line: 846
    org.apache.catalina.connector.Request.doGetSession(boolean) line: 1979
    org.apache.catalina.connector.Request.getSession() line: 1747
    foo.CASValve(foo.AuthenticatorValve).invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 92
    org.jboss.web.tomcat.security.JaccContextValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 84
    org.apache.catalina.core.StandardHostValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 127
    org.apache.catalina.valves.ErrorReportValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 102
    org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 157
    org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 638
    org.apache.catalina.core.StandardEngineValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 109
    org.apache.catalina.connector.CoyoteAdapter.service(org.apache.coyote.Request, org.apache.coyote.Response) line: 262
    org.apache.coyote.ajp.AjpProcessor.process(java.net.Socket) line: 437
    org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(java.net.Socket) line: 366
    org.apache.tomcat.util.net.JIoEndpoint$Worker.run() line: 446
    java.lang.Thread.run() line: 722
2.
Daemon Thread [ajp-127.0.0.1-8009-3] (Suspended (breakpoint at line 202 in org.apache.tomcat.util.http.ServerCookie))
    org.apache.tomcat.util.http.ServerCookie.appendCookieValue(java.lang.StringBuffer, int, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) line: 202
    org.apache.catalina.connector.Response.addCookieInternal(javax.servlet.http.Cookie) line: 813
    org.apache.catalina.connector.Response.addCookie(javax.servlet.http.Cookie) line: 786
    org.jboss.web.tomcat.service.session.JBossCacheManager(org.jboss.web.tomcat.service.session.JBossManager).setNewSessionCookie(java.lang.String, javax.servlet.http.HttpServletResponse) line: 286
    org.jboss.web.tomcat.service.session.JvmRouteValve.handleJvmRoute(java.lang.String, java.lang.String, java.lang.String, javax.servlet.http.HttpServletResponse, boolean) line: 182
    org.jboss.web.tomcat.service.session.JvmRouteValve.checkJvmRoute(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 112
    org.jboss.web.tomcat.service.session.JvmRouteValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 81
    org.apache.catalina.authenticator.FormAuthenticator(org.apache.catalina.authenticator.AuthenticatorBase).invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 432
    foo.CASValve(foo.AuthenticatorValve).invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 241
    org.jboss.web.tomcat.security.JaccContextValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 84
    org.apache.catalina.core.StandardHostValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 127
    org.apache.catalina.valves.ErrorReportValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 102
    org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 157
    org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 638
    org.apache.catalina.core.StandardEngineValve.invoke(org.apache.catalina.connector.Request, org.apache.catalina.connector.Response) line: 109
    org.apache.catalina.connector.CoyoteAdapter.service(org.apache.coyote.Request, org.apache.coyote.Response) line: 262
    org.apache.coyote.ajp.AjpProcessor.process(java.net.Socket) line: 437
    org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(java.net.Socket) line: 366
    org.apache.tomcat.util.net.JIoEndpoint$Worker.run() line: 446
    java.lang.Thread.run() line: 722
-
21. Re: HttpOnly cookies in JBossWeb 2.0.1
jfclere Sep 26, 2012 7:33 AM (in response to sbaum)Are you sure you don't get it twice too with the unpatched version?
-
22. Re: HttpOnly cookies in JBossWeb 2.0.1
sbaum Sep 26, 2012 7:56 AM (in response to jfclere)Okay, you're right, the cookie gets set twice in the unpatched version also, due to a call to Request.getSession() in foo.CASValve...
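The failure mode discussed in this thread (JSESSIONID emitted twice in one response, with only the later Set-Cookie, the one the browser actually keeps, lacking HttpOnly) can be checked from a captured response without touching the server. The following is an added example, not code from the thread or from JBossWeb; the header values and the /portal path are constructed, and the "last Set-Cookie for the same name, domain and path wins" rule is standard browser behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercased attribute -> value ("" for flags)

def parse_set_cookie(header: str) -> SetCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return SetCookie(name.strip(), value, attrs)

def effective_cookies(headers):
    """Apply the browser rule: a later Set-Cookie with the same name, domain and
    path replaces the earlier one, so only the last occurrence is stored."""
    eff = {}
    for h in headers:
        c = parse_set_cookie(h)
        eff[(c.name, c.attrs.get("domain", "").lower(), c.attrs.get("path", "/"))] = c
    return eff

def audit_session_cookie(headers, name="JSESSIONID"):
    """Report duplicate session cookies and missing flags on the one that survives."""
    findings = []
    count = sum(1 for h in headers if parse_set_cookie(h).name == name)
    if count > 1:
        findings.append(f"{name} set {count} times in one response")
    for c in effective_cookies(headers).values():
        if c.name != name:
            continue
        path = c.attrs.get("path", "/")
        if "httponly" not in c.attrs:
            findings.append(f"effective {name} (path {path}) lacks HttpOnly")
        if "secure" not in c.attrs:
            findings.append(f"effective {name} (path {path}) lacks Secure")
    return findings

# Constructed sample mirroring the thread: first header from Request.doGetSession
# (patched, flags present), second from setNewSessionCookie (old path, no flags).
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123.node1; Path=/portal; Secure; HttpOnly",
    "JSESSIONID=ABC123.node1; Path=/portal",
]
```

Run `audit_session_cookie` over the Set-Cookie headers of a login response before and after the fix; an empty list means a single session cookie with both flags reached the client.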