Jay Prall

Reputation: 5465

How to configure Grails and Shiro to mark cookies secure?

I'm using Grails 2.2.4 with the Shiro plugin 1.1.4 and would like to mark the cookies as secure so the session information won't be sent over HTTP.

I'm looking for the Grails way to set this setting, which normally would be in shiro.ini:

securityManager.sessionManager.sessionIdCookie.secure = true

Open JIRA issue to track this: http://jira.grails.org/browse/GPSHIRO-76

Upvotes: 4

Views: 1868

Answers (4)

wildleaf

Reputation: 51

You can put your ini settings in the following block in Config.groovy:

   security {
     shiro {
        filter.config = """
                       [main]your ini settings
                       [urls]your ini settings 
                       """
     }
   }

Upvotes: 1

Jay Prall

Reputation: 5465

Another option is to patch sessionCookieConfig off of the servletContext in BootStrap:

class BootStrap {
    def init = { servletContext ->
        servletContext.sessionCookieConfig.secure = true
    }
}

Note: The option causes Grails 2.2.4 integration tests to fail with an AbstractMethodError.

 Error Error executing script TestApp: org.springframework.mock.web.MockServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig; 
java.lang.AbstractMethodError: org.springframework.mock.web.MockServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig;
    at BootStrap$_closure1.doCall(BootStrap.groovy:44)
    at grails.util.Environment.evaluateEnvironmentSpecificBlock(Environment.java:308)
        ...

Upvotes: 3

Jay Prall

Reputation: 5465

  1. Install the templates in your application if you don't already have them: grails install-templates
  2. Edit src/templates/war/web.xml so that it has session-config with cookie-config in it:
    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>

Upvotes: 0

ataylor

Reputation: 66059

You can set this through the shiroSecurityManager bean. For example, in BootStrap:

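class BootStrap {
    // Injected by name from the Spring context
    def shiroSecurityManager

    def init = { servletContext ->
        // Mark Shiro's session ID cookie as Secure
        shiroSecurityManager.sessionManager.sessionIdCookie.secure = true
        // ...
    }
}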

Upvotes: 2
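
A check that applies to any of the answers above, as an added example (not code from the original posts): it reads raw response header lines, for instance saved from `curl -sI` against the login URL, and reports which watched cookies are sent without the Secure attribute. The names JSESSIONID and rememberMe are assumed here as the default session and Shiro remember-me cookie names; change them to match the application.

```python
import sys

# Assumed defaults: the session cookie and Shiro's remember-me cookie.
WATCHED = ("JSESSIONID", "rememberMe")

def set_cookie_values(header_lines):
    """Yield the value part of every Set-Cookie line (field name is case-insensitive)."""
    for line in header_lines:
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            yield value.strip()

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the parts after the first ';' are attributes; the cookie value is ignored,
    # so a value that happens to be "secure" does not count as the flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def cookies_missing_secure(header_lines, watched=WATCHED):
    """Return sorted names of watched cookies set at least once without Secure."""
    missing = set()
    for value in set_cookie_values(header_lines):
        name, attrs = parse_set_cookie(value)
        if name in watched and "secure" not in attrs:
            missing.add(name)
    return sorted(missing)

# Constructed sample headers (not captured from a real application).
BEFORE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/app; HttpOnly",
    "Set-Cookie: rememberMe=deleteMe; Path=/app; Max-Age=0; "
    "Expires=Thu, 01-Jan-1970 00:00:10 GMT",
]
AFTER = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly",
    "set-cookie: rememberMe=deleteMe; Path=/app; Max-Age=0; Secure",
]

if __name__ == "__main__":
    # Usage: pipe saved response headers in on stdin; exit status 1 if any flag is missing.
    bad = cookies_missing_secure(sys.stdin.read().splitlines())
    print("missing Secure:", ", ".join(bad) if bad else "none")
    sys.exit(1 if bad else 0)
```

Checking both cookie names matters because the session cookie and the remember-me cookie are written by different components, so a setting that fixes one does not necessarily fix the other.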
