文档章节

httpOnly Cookies using web.xml servlet 3.0 in JBos

商者
 商者
发布于 2016/07/14 09:21
字数 1349
阅读 36
收藏 1
点赞 0
评论 0

Securing our Applications is one of the most important task while moving to the production environment. Securing HttpSession is one of them. In this demonstration we will see how to use the HttpOnly cookies in “web.xml” using the tag “httpOnly”, Yes, this is a new feature added as part of Servlet3.0 Specification that we cna specify the httpOnly cookies directly using web.xml file.

The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting. It means on client side the cookies can not be accessed using java script or some other scripting utilities. This feature applies only to session-management cookies, and not other browser cookies.

Earlier in JBoss AS6 we had a feature called as “context.xml” using which we could define the cookies as “httpOnly” by either editing the “${PROFILE}/deploy/jbossweb.sar/context.sar/context.xml” file or by creating “conntext.xml” file inside our application “${YOUR_APP}/WEB-INF/context.xml” file as following:

<Context cookies="true" crossContext="true" useHttpOnly="true">
   <SessionCookie httpOnly="true"/> 
</Context>

In this demonstration we will be using JBoss AS7 ( jboss-as-7.1.0.Beta1 ) which can be downloaded from the following link: http://www.jboss.org/jbossas/downloads
And we will see how we can specify httpOnly cookies using the standard web descriptor “web.xml” file using servlet 3.0 specification.

Step1). Create a Directory somewhere inside your file system where we can create our web application. Suppose i am creating a directory as “/home/userone/httpOnlyDemo” and the create a subdirectory with name “src” inside “/home/userone/httpOnlyDemo”

Step2). Now place the following kind of “web.xml” inside the “/home/userone/httpOnlyDemo/src” directory.

<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee web-app_3_0.xsd"
      version="3.0">
    
      <!-- Make sure that your web.xml is pointing the version="3.0" as above -->
      <session-config>
        <cookie-config>
           <http-only>true</http-only>
        </cookie-config>
      </session-config>
    
</web-app>

NOTE: The only thing here you need to kiip in mind that you are using the “web-app_3_0.xsd” in your “web.mxl” file pointing to version=”3.0″.

Step3). Now we will write a simple JSP Page in order to display the JSESSIONID cookie value in the browser with the help of Java Script. (Ideally the code should not be able to display the JSESSIONID cookie value with the help of java script here because we have marked out Cookie as “httpOnly”…so you can try both ways by enabling and disabling the http-only tag inside your web.xml to see what different you see while hitting the JSP Page.)

<%
   System.out.println("nt index.jsp is called...request="+request);
%>
<html>
    <head>
        <title>Hi HttpOnly</title>
        <script type="text/javascript">
          function ReadCookie(cookieName) 
           {
              var theCookie=""+document.cookie;
              var ind=theCookie.indexOf(cookieName);
              if (ind==-1 || cookieName=="") return ""; 
                 var ind1=theCookie.indexOf(';',ind);
              if (ind1==-1) ind1=theCookie.length; 
                 return unescape(theCookie.substring(ind+cookieName.length+1,ind1));
           }
       </script>
    </head>
    <body bgcolor="maroon" text="white">
            <center>
            <h1>Hello CookieDemo "HttpOnly" !!!

	<form name="getCookie">
	    <table border=0 cellpadding=3 cellspacing=3>
	     <tr><td>Cookie Name:&nbsp;</td><td><input name=t1 type=text size=20 value="JSESSIONID"></td></tr>
             <tr><td><input name=b1 type=button value="Read Cookie Value" onClick="this.form.t2.value=ReadCookie(this.form.t1.value)">&nbsp;</td>    <td><input name=t2 type=text size=20 value=""></td></tr>
           </table>
        </form>
       <b>NOTE: when you click on this button you should not be able to see the JSESSIONID cookie value in the textField if the http-only cookie is enabled.</b>
   </center>
    </body>
</html>

Step4). Now we will write a simple ant “build.xml” file in order to build and deploy our web application on JBoss AS7. So write the following “build.xml” file inside “/home/userone/httpOnlyDemo” as following:

<project name="httpOnlyCookieDemo" default="deploy">
<property name="jboss.home" value="/home/userone/jboss-as-7.1.0.Beta1" />
<property name="jboss.module.dir" value="${jboss.home}/modules" />
<property name="basedir" value="." />
<property name="tmp.dir" value="tmp" />
<property name="output.dir" value="build" />
<property name="src.dir" value="src" />
<property name="war.name" value="httpOnlyDemo.war" />

        <path id="jboss.classpath">
           <fileset dir="${jboss.module.dir}">
              <include name="**/*.jar"/>
           </fileset>  
        </path>

        <target name="init">
           <delete dir="${output.dir}" />
           <mkdir dir="${output.dir}" />
           <delete dir="${tmp.dir}" />
           <mkdir dir="${tmp.dir}" />
        </target>
	 
        <target name="build" depends="init">
           <mkdir dir="${tmp.dir}/WEB-INF"/>
           <copy file="${src.dir}/index.jsp" tofile="${tmp.dir}/index.jsp"/>
           <copy todir="${tmp.dir}/WEB-INF">
                <fileset dir="${src.dir}/">
                  <include name="web.xml"/> 
                </fileset>
           </copy>          
           <jar jarfile="${tmp.dir}/${war.name}" basedir="${tmp.dir}" compress="true" />
           <copy file="${tmp.dir}/${war.name}" tofile="${output.dir}/${war.name}"/>
           <delete includeEmptyDirs="true">
              <fileset dir="${tmp.dir}"/>
           </delete> 
        </target>

        <target name="deploy" depends="build">
            <echo message="*******************  Deploying the WAR file ${war.name} *********************" />  
            <echo message="********** ${output.dir}/${war.name} to ${jboss.home}/standalone/deployments **********" />  
            <copy todir="${jboss.home}/standalone/deployments/">
                <fileset dir="${output.dir}/">
                  <include name="${war.name}"/> 
                </fileset>
            </copy>
            <echo message="*******************  Deployed Successfully   *********************" />  
        </target>
</project>

NOTE: The only change in the above file you need to do is to change the “jboss.home” directory path in the second line of the above script is to point to your own JBoss AS7 directory home directory.

Step5). Now before running your ANT script to build and deploy the above webapplication you should have the ANT as well as JAVA set in the $PATH variable of the Shell / command prompt as following:

1

2

3

4

5

For Unix Based OS:

export PATH=/home/userone/jdk1.6.0_21/bin:/home/userone/apache-ant-1.8.2/bin:$PATH

 

For Windows Based OS:

set PATH=C:/jdk1.6.0_21/bin;C:/apache-ant-1.8.2/bin;%PATH%

Step6). Now run the ant file from the directory where you have placed the “build.xml” file as following:

[userone@localhost httpOnlyDemo]$ ant
Buildfile: /home/userone/httpOnlyDemo/build.xml

init:
   [delete] Deleting directory /home/userone/httpOnlyDemo/build
    [mkdir] Created dir: /home/userone/httpOnlyDemo/build
    [mkdir] Created dir: /home/userone/httpOnlyDemo/tmp

build:
    [mkdir] Created dir: /home/userone/httpOnlyDemo/tmp/WEB-INF
     [copy] Copying 1 file to /home/userone/httpOnlyDemo/tmp
     [copy] Copying 1 file to /home/userone/httpOnlyDemo/tmp/WEB-INF
      [jar] Building jar: /home/userone/httpOnlyDemo/tmp/httpOnlyDemo.war
     [copy] Copying 1 file to /home/userone/httpOnlyDemo/build

deploy:
     [echo] *******************  Deploying the WAR file httpOnlyDemo.war *********************
     [echo] ********** build/httpOnlyDemo.war to /home/userone/jboss-as-7.1.0.Beta1/standalone/deployments **********
     [copy] Copying 1 file to /home/userone/jboss-as-7.1.0.Beta1/standalone/deployments
     [echo] *******************  Deployed Successfully   *********************

BUILD SUCCESSFUL
Total time: 0 seconds

Step7). Now access the application like following: “http://localhost:8080/httpOnlyDemo/index.jsp” and then see whether you are able to see the JSESSIONID value or not? Also try removing the http-only tag from your web.xml file and then redeploy the application and then again try to access the application to check whether you are able to see the JSESSIONID cookie value or not .

Some more useful tags from Servlet 3.0 Specifications

You can get more details on these tags from the following link:http://java.sun.com/xml/ns/javaee/web-common_3_0.xsd
Also we can use some more useful tags in order to secure our WebAppications with the help of servlet3.0 tags present inside “web.xml” file like following

secure cookie: A secure cookie is only used when a browser is visiting a server via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

tracking-mode cookie: tracking-mode element in the Servlet 3.0 specification allows you to define whether the JSESSIONID should be stored in a cookie or in a URL parameter. If the session id is stored in a URL parameter it could be inadvertently saved in a number of locations including the browser history, proxy server logs, referrer logs, web logs, etc. Accidental disclosure of the session id makes the application more vulnerable to session hijacking attacks. Instead, make sure the JSESSIONID is stored in a cookie if tracking-mode is set to COOKIE. The valid values for tracing-mode are COOKIE/SSL/URL

<session-config>
  <cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </cookie-config>
</session-config>

.
.
Thanks
MiddlewareMagic Team

本文转载自:http://middlewaremagic.com/jboss/?p=1041

共有 人打赏支持
商者

商者

粉丝 39
博文 141
码字总数 43255
作品 0
海淀
架构师
如何针对servlet写测试用例-包括jsp请求等

通过ServletUnit,可以写测试用例。 具体用法如下: As a testing tool, HttpUnit is primarily designed for "black-box" testing of web sites. In many cases that may be all you need; ......

毛朱
2012/11/30
0
0
Tomcat - Disable JSESSIONID in URL

source: https://fralef.me/tomcat-disable-jsessionid-in-url.html I had a problem with a Java webapp that works within a Tomcat 6 container. In fact when you block sites from sett......

perfectspr
2014/11/05
0
0
Spring MVC Servlet 3.0

一、Servlet 3.0 动态注册资源(ServletContainerInitializer) 该类的API文档:http://docs.oracle.com/javaee/6/api/javax/servlet/ServletContainerInitializer.html Servlet 3.0 规范,可......

guoxf
2012/09/18
0
0
使用NetWeaver开发EJB3.0

Prerequisites The Windows ® Open Perspective ® Other ® J2EE perspective is open. Procedure Creating the EJB Module Project You develop the EJB 3.0 classes in an EJB 3.0 proj......

晨曦之光
2012/03/09
0
0
Servlet 3.0 新特性概述

Servlet 3.0 作为 Java EE 6 规范体系中一员,随着 Java EE 6 规范一起发布。该版本在前一版本(Servlet 2.5)的基础上提供了若干新特性用于简化 Web 应用的开发和部署。其中有几项特性的引入...

张超
2012/12/22
0
0
用EJB3.0 简化EJB开发

引入 Enterprise JavaBeans ( EJB ) 是为了构建分布式组件。最初 , 该技术承诺可以解决 CORBA 的所有问题并降低其复杂性。作为J2EE的核心,EJB经历了几次较大的修订,并加入了许多特性,因...

晨曦之光
2012/03/09
0
0
Tomcat部署项目(JEECG)时报错处理

Error: java.lang.IllegalAccessError: class org.xml.sax.helpers.SecuritySupport12 cannot access its superclass org.xml.sax.helpers.SecuritySupport 在部署到Tomcat7.0+JDK7.0的时候......

loki_lan
2013/12/27
0
0
Servlet 3.0 新特性概述

Servlet 3.0 新特性概述 Servlet 3.0 作为 Java EE 6 规范体系中一员,随着 Java EE 6 规范一起发布。该版本在前一版本(Servlet 2.5)的基础上提供了若干新特性用于简化 Web 应用的开发和部...

巴顿
2013/11/19
0
2
SpringFramework4系列之整合Resteasy

对于和jboss as7的集成不需要做任何工作,jboss默认集成了resteasy,只需要对业务pojo做一些jax-rs的注解标注即可。 对于非Jboss的Servlet容器 Spring和resteasy集成,主要有三种方式, 运行...

Garrry
2015/07/21
0
0
Servlet 3.0 特性详解

Servlet 是 Java EE 规范体系的重要组成部分,也是 Java 开发人员必须具备的基础技能,本文主要介绍了 Servlet 3.0 引入的若干重要新特性,包括异步处理、新增的注解支持、可插性支持等等,为...

那位先生
2015/06/12
0
0

没有更多内容

加载失败,请刷新页面

加载更多

下一页

shell中的函数、shell中的数组、告警系统需求分析

shell中的函数 格式: 格式: function f_name() { command } 函数必须要放在最前面 示例1(用来打印参数) 示例2(用于定义加法) 示例3(用于显示IP) shell中的数组 shell中的数组1 定义数...

Zhouliang6
今天
2
0
用 Scikit-Learn 和 Pandas 学习线性回归

      对于想深入了解线性回归的童鞋,这里给出一个完整的例子,详细学完这个例子,对用scikit-learn来运行线性回归,评估模型不会有什么问题了。 1. 获取数据,定义问题     没有...

wangxuwei
今天
1
0
MAC安装MAVEN

一:下载maven压缩包(Zip或tar可选),解压压缩包 二:打开终端输入:vim ~/.bash_profile(如果找不到该文件新建一个:touch ./bash_profile) 三:输入i 四:输入maven环境变量配置 MAVEN_HO...

WALK_MAN
今天
0
0
33.iptables备份与恢复 firewalld的9个zone以及操作 service的操作

10.19 iptables规则备份和恢复 10.20 firewalld的9个zone 10.21 firewalld关于zone的操作 10.22 firewalld关于service的操作 10.19 iptables规则备份和恢复: ~1. 保存和备份iptables规则 ~2...

王鑫linux
今天
2
0
大数据教程(2.11):keeperalived+nginx高可用集群搭建教程

上一章节博主为大家介绍了目前大型互联网项目的系统架构体系,相信大家应该注意到其中很重要的一块知识nginx技术,在本节博主将为大家分享nginx的相关技术以及配置过程。 一、nginx相关概念 ...

em_aaron
今天
1
0
Apache Directory Studio连接Weblogic内置LDAP

OBIEE默认使用Weblogic内置LDAP管理用户及组。 要整理已存在的用户及组,此前办法是导出安全数据,文本编辑器打开认证文件,使用正则表达式获取用户及组的信息。 后来想到直接用Apache Dire...

wffger
今天
2
0
HFS

FS,它是一种上传文件的软件。 专为个人用户所设计的 HTTP 档案系统 - Http File Server,如果您觉得架设 FTP Server 太麻烦,那么这个软件可以提供您更方便的档案传输系统,下载后无须安装,...

garkey
今天
1
0
Java IO类库之BufferedInputStream

一、BufferedInputStream介绍 /** * A <code>BufferedInputStream</code> adds * functionality to another input stream-namely, * the ability to buffer the input and to * sup......

老韭菜
今天
0
0
STM 32 窗口看门狗

http://bbs.elecfans.com/jishu_805708_1_1.html https://blog.csdn.net/a1985831055/article/details/77404131...

whoisliang
昨天
1
0
Dubbo解析(六)-服务调用

当dubbo消费方和提供方都发布和引用完成后,第四步就是消费方调用提供方。 还是以dubbo的DemoService举例 -- 提供方<dubbo:application name="demo-provider"/><dubbo:registry address="z...

青离
昨天
2
0

没有更多内容

加载失败,请刷新页面

加载更多

下一页

返回顶部
顶部