Java Web应用程序中会话cookie的安全标志
[英]Secure flag on session cookies in a Java Web Application
问题描述
I'm trying to add the secure flag to the session cookie in a Java web application. 
我正在尝试将安全标志添加到Java Web应用程序中的会话cookie中。 The standard approach however presents a problem, in that when secure is true, even http requests will get the secure flag. 然而,标准方法存在一个问题,即当安全性为true时,即使http请求也将获得安全性标志。 This means that the web server does not pick up on the cookie on subsiquent requests and we end up with a new session. 这意味着Web服务器不会在后续请求中获取Cookie,因此我们将进行新的会话。 It works fine on HTTPS. 它在HTTPS上正常工作。 The application in question has multiple entry points, from different domains and some internal entry points as well with an internal IP. 所涉及的应用程序具有来自不同域的多个入口点,以及一些内部入口点以及内部IP。 Some are HTTPS, some are HTTP. 有些是HTTPS,有些是HTTP。 I need to be able to get the secure flag to be set for HTTPS requests, but HTTP ones. 我需要能够为HTTPS请求(但HTTP请求)设置安全标志。 This needs to be done by domain though, rather than by protocol because, all the HTTPS requests go through a load balancer that does SSL offloading, so by the request arrives at the web server (which is jboss 7.1.1) it is HTTP, even though the client would see it as HTTPS and would need the secure flag in the session cookie. 不过,这需要按域完成,而不是按协议完成,因为所有HTTPS请求都通过负载均衡器执行SSL卸载,因此请求到达Web服务器(即jboss 7.1.1)时,它就是HTTP,即使客户端将其视为HTTPS并且需要会话cookie中的安全标志。 Here is the config I tried: 这是我尝试的配置:
<session-config>
<session-timeout>60</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
I have had to set secure to false however, as otherwise none of the HTTP entry points work. 但是,我必须将secure设置为false,否则HTTP入口点都不起作用。
1 个解决方案
解决方案1
0 已采纳 2014-08-11 13:26:47
This can be acheived with a custom valve, that provides a hook into the creation of the request object. 可以使用自定义阀来实现,该阀为请求对象的创建提供了一个钩子。 The secure flag is set in a cookie automatically (without the web.xml setting) if the servlet request is secure. 如果Servlet请求是安全的,则将在cookie中自动设置安全标志(无web.xml设置)。 Setting the secure flag in the request can be done from the valve. 可以在阀门中设置请求中的安全标志。
The load balancer adds on the header Front-End-Https which the valve detects and sets secure accordingly. 负载平衡器会在标头Front-End-Https上添加该标头,阀门会相应地检测并设置安全性。
Here is the valve class: 这是阀门类:
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
public class SecureRequestModifyingValve extends ValveBase
{
private static final String LB_HTTPS_HEADER = "Front-End-Https";
@Override
public void invoke(final Request request, final Response response) throws IOException, ServletException
{
final String httpsHeader = request.getHeader(LB_HTTPS_HEADER);
request.setSecure(httpsHeader != null && httpsHeader.equalsIgnoreCase("on"));
getNext().invoke(request, response);
}
}
I have got jboss to use it by adding the following to jboss-web.xml within the WAR. 通过在WAR内的jboss-web.xml中添加以下内容,我得到了jboss的使用。
<valve>
<class-name>com.lifecycle.framework.valve.SecureRequestModifyingValve
</class-name>
</valve>
I imagine other containers let you do something similar as well. 我想象其他容器也可以让您做类似的事情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.