hockey_dave

Reputation: 584

Secure Session Cookie + Glassfish 3.1

I'm looking for a solution similar to this: httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)

I want to turn the HTTP headers: http-only and Secure off so that authentication with https carries across to http requests.

However, relating to the other post:

  1. I am not using Servlet 3.0. I may be willing to try to use Servlet 3.0 if there was decent documentation somewhere on how to migrate an IntelliJ project from Servlet 2.5 to 3.0. It does not seem obvious how to use this. Changing my Maven pom to javax.servlet 3.0 and then editing my web.xml version to 3.0 doesn't work. Gives a facet-error on the 3.0 version. Sigh.

  2. This is my primary approach to solve this. I edited domains/domain1/config for default-web.xml and domain.xml to what I thought would work, but it doesn't. Oracle's documentation does not seem very clear to me on this.

domain.xml

    <web-container>
      <session-config>
        <session-manager>
          <manager-properties></manager-properties>
          <store-properties></store-properties>
        </session-manager>
        <session-properties>
          <property name="cookieSecure" value="false"></property>
          <property name="cookieHttpOnly" value="false"></property>
        </session-properties>
      </session-config>
    </web-container>

....

    <configs>
      <config name="server-config">
        <http-service sso-enabled="true">
          <access-log></access-log>
          <virtual-server id="server" sso-cookie-secure="false" sso-cookie-http-only="false" network-listeners="http-listener-1,http-listener-2"></virtual-server>
          <virtual-server id="__asadmin" sso-cookie-http-only="false" network-listeners="admin-listener"></virtual-server>
        </http-service>

default-web.xml

    <session-config>
      <session-timeout>60</session-timeout>
      <cookie-config>
        <http-only>false</http-only>
        <secure>false</secure>
      </cookie-config>
      <cookie-properties>
        <property name="cookieSecure" value="false" />
        <property name="cookieHttpOnly" value="false" />
      </cookie-properties>
      <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Upvotes: 3

Views: 5144

Answers (1)

hockey_dave

Reputation: 584

Okay, I feel a bit stupid, but I generally have never written to a specific container before, to make sure that my code was portable across containers. However, after some research, I discovered that you can put a WEB-INF/glassfish-web.xml file that looks like this to control your security cookie setting for each WAR file under GlassFish.

http://blogs.oracle.com/jluehe/entry/ow_to_configure_the_security

    <?xml version="1.0" encoding="UTF-8"?>
    <glassfish-web-app>
      <session-config>
        <cookie-properties>
          <property name="cookieSecure" value="[true|false|dynamic]"/>
        </cookie-properties>
      </session-config>
    </glassfish-web-app>

Upvotes: 4
