How to enable HttpOnly and Secure Session Cookies in EAP 6.x

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6.x

Issue

  • In JBoss EAP5 there was an option available for Securing cookies using the "$PROFILE\deploy\jbossweb.sar\context.xml" .
<Context cookies="true" crossContext="true">
  <SessionCookie secure="true" httpOnly="true" />

How can I to achieve the same thing in EAP 6 ?

  • We are able to have the JSESSIONID httpOnly and Secure the following config in the application web.xml;
    <session-config>
        <session-timeout>60</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
  • However we would like it to be done at the application server so that all applications do not have to set the above config the respective web.xml.
  • Need information on Securing HTTP Sesssions with JBoss EAP 6?

Resolution

Note that these options are only to set Secure/HttpOnly flags on the JSESSIONID session cookie. It will not apply these flags to any other cookies so if you want these flags set on some other cookie, you would need to address the config or code of whatever is creating those cookies.

To enable Secure flag for JSESSIONID session cookie, you can add attribute secure="true" to the <connector> you use in the web subsystem of your standalone(-*).xml or domain.xml.

There is no global configuration for HttpOnly flag for JSESSIONID session cookie in EAP 6. However, you can defined HttpOnly flag and also Secure flag on a per context basis in the the web.xml:

<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee web-app_3_0.xsd"
      version="3.0">

      <session-config>
          <cookie-config>
             <http-only>true</http-only>
             <secure>true</secure>
          </cookie-config>
          <tracking-mode>COOKIE</tracking-mode>
      </session-config>

</web-app>

EAP 6 does not have "jbossweb.sar", but it is a fully certified EE6 container which follows the Servlet 3.0 specification. According to the specification “All servlet containers MUST provide an ability to configure whether or not the container marks the session tracking cookie as “HttpOnly”. In the case of JBoss EAP 6.x, this is made possible via a configuration in web.xml

Note: The session-config method only applies to securing the JSESSIONID, to secure other custom cookies, refer to Can a custom cookie be encrypted in JBoss EAP 6?.


If you are using EAP 6.3 or later, you can configure the above <cookie-config> in Servlet 3.0 web-fragment.xml and enable it globally by using deployment-overlay feature. Note that adding/replacing jar does not work before EAP 6.3 as explained in this article, so you need to upgrade JBoss EAP to use this method.

  1. Create META-INF/web-fragment.xml like the following:
    <web-fragment version="3.0"
                  xmlns="http://java.sun.com/xml/ns/javaee" 
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
        <session-config>
            <cookie-config>
                <http-only>true</http-only>
                <secure>true</secure>
            </cookie-config>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
    </web-fragment>
    
  2. Create jar file with the META-INF/web-fragment.xml
    jar cvf web-fragment-lib.jar META-INF/web-fragment.xml 
    
  3. Use deployment-overlay to add the generated web-fragment-lib.jar to all deployed war:
    $ ./bin/jboss-cli.sh -c
    [standalone@localhost:9999 /] deployment-overlay add --name=web-fragment-jar --content=WEB-INF/lib/web-fragment-lib.jar=/path/to/web-fragment-lib.jar --deployments=*.war --redeploy-affected
    

    Note:

    • The configurations from multiple descriptors will be merged (web.xml or web-fragment.xml). If the element can take multiple values, the value will be a union and if there is a conflict between a web-fragment.xml and web.xml, web.xml will take precedence.
    • Make sure that your webapplication’s WEB-INF/web.xml does NOT have metadata-complete="true" setting.
    • Due to known bug BZ#1235627, when the version of web.xml are 2.3 or 2.4, metadata-complete="true" is set implicitly. So, if the version of your web application’s web.xml are 2.3 or 2.4, please modify and set it to the version to 2.5 or 3.0 to use this approach.

出處

Be the first to comment on "How to enable HttpOnly and Secure Session Cookies in EAP 6.x"

Leave a comment

Your email address will not be published.


*