
web.xml error when using 'HttpOnly' and 'Secure' attributes

I want to make my JSF application less vulnerable to session hijacking. So I have added the following code to the web.xml file.

<session-config>
    <session-timeout>
        60
    </session-timeout>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>

Then when I run the application, deployment fails in Payara Server with the following message.

Deployment descriptor file WEB-INF/web.xml in archive [chims-0.1].  cvc-complex-type.2.4.a: Invalid content was found starting with element '{"http://xmlns.jcp.org/xml/ns/javaee":http-only}'. One of '{"http://xmlns.jcp.org/xml/ns/javaee":max-age}' is expected.

I use version 4 of web.xml.

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

How can I get rid of this error?

The http-only element comes before the secure element in the sequence. See web-common_4_0.xsd for the cookie-configType type description.

Your config should be:

<session-config>
    <session-timeout>
        60
    </session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>
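
The ordering rule from the answer, as an added example that is not part of the original post: a Python check that reads a web.xml, compares the children of cookie-config with the sequence declared for cookie-configType (name, domain, path, comment, http-only, secure, max-age), and also reports when http-only or secure is not set to true. The function names and the two sample documents are constructed for illustration; the samples wrap the question's and the answer's cookie-config in a minimal web-app element.

```python
import xml.etree.ElementTree as ET

NS = "{http://xmlns.jcp.org/xml/ns/javaee}"
# Child order of cookie-configType in web-common_4_0.xsd: an xsd:sequence,
# so elements may be omitted but must appear in this order.
COOKIE_CONFIG_ORDER = ["name", "domain", "path", "comment",
                       "http-only", "secure", "max-age"]


def check_cookie_config(web_xml):
    """Return a list of findings for the <cookie-config> of a web.xml string."""
    root = ET.fromstring(web_xml)
    cfg = root.find(f"{NS}session-config/{NS}cookie-config")
    if cfg is None:
        return ["no <cookie-config> element found"]
    findings = []
    children = [(c.tag.replace(NS, ""), (c.text or "").strip()) for c in cfg]
    last = -1  # highest sequence position seen so far
    for name, _ in children:
        if name not in COOKIE_CONFIG_ORDER:
            findings.append(f"<{name}> is not a cookie-config element")
            continue
        pos = COOKIE_CONFIG_ORDER.index(name)
        if pos < last:
            # Same condition the schema validator rejects at deployment.
            findings.append(
                f"<{name}> must come before <{COOKIE_CONFIG_ORDER[last]}>")
        last = max(last, pos)
    values = dict(children)
    for flag in ("http-only", "secure"):
        if values.get(flag) != "true":
            findings.append(f"<{flag}> is not set to true")
    return findings


def wrap(cookie_children):
    """Build a minimal web.xml around the given cookie-config children."""
    return ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">'
            f"<session-config><cookie-config>{cookie_children}</cookie-config>"
            "</session-config></web-app>")


# Constructed samples: element order from the question and from the answer.
QUESTION_XML = wrap("<secure>true</secure><http-only>true</http-only>"
                    "<max-age>1800</max-age>")
ANSWER_XML = wrap("<http-only>true</http-only><secure>true</secure>"
                  "<max-age>1800</max-age>")

if __name__ == "__main__":
    print(check_cookie_config(QUESTION_XML))
    print(check_cookie_config(ANSWER_XML))
```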
