我需要在谷歌应用引擎的会话cookie上设置httpOnly和安全标志。
我尝试了以下web.xml
:
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
然而,这并没有起作用。
我还在每个JSP的顶部尝试了这个:
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
我怎样才能做到这一点?
我有同样的问题与谷歌应用引擎,但我想添加Secure
属性到所有的cookie。下面显示了我如何将Secure
属性添加到所有cookie。我几乎可以肯定,只要用HttpOnly
代替Secure
,这个解决方案就可以为您工作。
我已经实现了一个安全过滤器,并将其映射到我希望设置Secure
属性的页面。
<filter>
<filter-name>Security Filter</filter-name>
<filter-class>common.SecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Security Filter</filter-name>
<url-pattern>*.jsf</url-pattern>
</filter-mapping>
我的第一次尝试是将响应包装到我的自定义HttpServletResponseWrapper
中。一切正常,只是会话cookie没有获得属性。我进行了调试,发现会话cookie没有使用我所期望的机制添加。然后我注意到,在你触摸会话后,会话cookie被神奇地添加到响应头中,例如,头现在由行Set-Cookie: JSESSIONID=abcdef;Path=/
组成,但cookie没有使用我创建的包装器对象添加。我发现,在我触摸会话之后,我可以用我想要的属性设置我想要的cookie。所以解决方法很简单。
public class SecurityFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
// wrap the response
response = new SecureCookieSetter((HttpServletResponse)response);
// touch the session
(HttpServletRequest)request.getSession();
// overwriting the cookie with Secure attribute set
((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
}
}
public class SecureCookieSetter extends HttpServletResponseWrapper {
public SecureCookieSetter(HttpServletResponse response) {
super(response);
}
@Override
public void addCookie(Cookie cookie) {
cookie.setSecure(true);
super.addCookie(cookie);
}
@Override
public void addHeader(String name, String value) {
if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\s*Secure"))) {
value = value + ";Secure";
}
super.addHeader(name, value);
}
@Override
public void setHeader(String name, String value) {
if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\s*Secure"))) {
value = value + ";Secure";
}
super.setHeader(name, value);
}
}
我在使用Java 7和Servlet 2.5时遇到了同样的问题,将HttpOnly
和Secure
属性添加到会话cookie中。我关注了@bat_venti的回答,非常有帮助,谢谢!-但有一些麻烦,使它的工作,所以我张贴我自己的答案:)
我创建了一个SecurityFilter
类,将会话cookie属性应用于.jsp
请求,如下所示:
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import java.io.IOException;
public class SecurityFilter implements javax.servlet.Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {}
@Override
public void destroy() {}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
// wrap the response
response = new SecureCookieSetter((HttpServletResponse)response);
// touch the session
((HttpServletRequest) request).getSession();
// overwriting the cookie with Secure and HttpOnly attribute set
((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
chain.doFilter(request, response);
}
public class SecureCookieSetter extends HttpServletResponseWrapper {
public SecureCookieSetter(HttpServletResponse response) {
super(response);
}
@Override
public void addCookie(Cookie cookie) {
cookie.setSecure(true);
super.addCookie(cookie);
}
@Override
public void addHeader(String name, String value) {
if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\s*Secure"))) {
value = value + ";Secure;HttpOnly";
}
super.addHeader(name, value);
}
@Override
public void setHeader(String name, String value) {
if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\s*Secure"))) {
value = value + ";Secure;HttpOnly";
}
super.setHeader(name, value);
}
}
}
(我在内部创建了SecureCookieSetter
类,因为我只在这个过滤器中使用它,但是可以随意将它放在自己的文件中)。
之后,我编辑了web.xml
文件,以便在请求.jsp
文件时使用过滤器:
<web-app>
...
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-class>path.to.my.filter.SecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
...
</web-app>
(显然,用path.to.my.filter
代替类文件的实际位置)。
在我的情况下,SecureCookieSetter类没有被使用。我也有我的java web应用程序运行到GAE。下面是在我的情况下工作良好的代码。此外,它总是建议有其他安全相关的标题,如max-age和其他如下。
package com.securityFilter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import com.filters.XSSRequestWrapper;
public class SecurityFilter implements Filter {
protected static final Logger log = Logger.getLogger(SecurityFilter.class);
private static final String PRAGMA_KEY = "Pragma";
private static final String PRAGMA_VALUE = "no-cache";
private static final String STRICT_TRANSPORT_KEY = "strict-transport-security";
private static final String STRICT_TRANSPORT_VALUE = "max-age=604800";
private static final String SET_COOKIE = "Set-Cookie";
private static final String JSESSION_ID = "JSESSIONID=";
private static final String HTTP_ONLY = ";Secure;HttpOnly";
private static final String CACHE_CONTROL_KEY = "Cache-Control";
private static final String CACHE_CONTROL_VALUE = "no-store";
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
makeCookieSecured(response, httpServletRequest);
chain.doFilter(request, response);
}
private void makeCookieSecured(ServletResponse response,
HttpServletRequest httpServletRequest) {
Cookie[] cookies = httpServletRequest.getCookies();
HttpServletResponse httpResp = ((HttpServletResponse) response);
if (cookies != null) {
for(Cookie cookie :cookies){
if("JSESSIONID".equals(cookie.getName())) {
cookie.setValue(httpServletRequest.getSession().getId() + HTTP_ONLY);
cookie.setSecure(true);
cookie.setPath("/");
cookie.setMaxAge(604800);
}
}
}
httpResp.setHeader(SET_COOKIE, JSESSION_ID + httpServletRequest.getSession().getId() + HTTP_ONLY);
httpResp.setHeader(CACHE_CONTROL_KEY, CACHE_CONTROL_VALUE);
httpResp.setHeader(PRAGMA_KEY, PRAGMA_VALUE);
httpResp.setHeader(STRICT_TRANSPORT_KEY, STRICT_TRANSPORT_VALUE);
}
private void createJSONErrorResponse(ServletResponse response)
throws IOException {
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
response.getWriter().write("Please provide valid input, You might have provided some special characters which is not allowed");
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
}