
How to set secure cookie in Java/Spring MVC on Heroku?

Based on my research, in order to have all cookies be secure, server.xml needs to be modified, but Heroku's webapp-runner doesn't give you access to it. Is there a way to do it through a servlet filter or some Spring MVC filter?

If you can, require HTTPS - in that case Tomcat does the right thing (with the session cookie, at least - see "How to flag session cookie as secure (https only) in tomcat 6"). On Heroku, the trick is making sure Tomcat knows the request is secure - by default on Heroku it doesn't, since the inbound request is proxied, and SSL is handled in the routing mesh. I.e., request.isSecure() will return false.

However, webapp-runner lets you specify a context.xml; in there you can configure RemoteIpValve so that Tomcat will pick up various x_forwarded headers and adjust the request accordingly (i.e., if an HTTPS request is made to the routing mesh, request.isSecure() will now be true, even though Tomcat only saw the request as HTTP). I did something similar, documented here: SSL redirects in Heroku

Hope that helps.
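A context.xml of the kind the answer describes, added here as an illustration and not taken from the answer or its linked post. It assumes the router sends X-Forwarded-For and X-Forwarded-Proto and connects to the dyno from an address inside Tomcat's default internalProxies ranges.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: context.xml supplied to webapp-runner. -->
<Context>
  <!--
    RemoteIpValve rewrites the request using headers set by the proxy.
    When the protocol header equals the HTTPS value, request.isSecure()
    returns true and request.getScheme() returns "https", so Tomcat
    marks the session cookie Secure as it would for a direct TLS request.

    remoteIpHeader           header carrying the original client address
    protocolHeader           header carrying the original scheme
    protocolHeaderHttpsValue value of that header that means "was HTTPS"

    Header names are assumptions about what the router sends; check them
    against a logged request before relying on this.
  -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="x-forwarded-for"
         protocolHeader="x-forwarded-proto"
         protocolHeaderHttpsValue="https" />
  <!--
    internalProxies is deliberately left at Tomcat's default (loopback and
    private address ranges). The valve only honours the forwarded headers
    when the connecting peer matches that pattern. If the router reaches
    the app from another range, set internalProxies to a regex matching
    only the router; do not widen it to all addresses, because any client
    able to reach Tomcat directly could then claim "https" for itself.
  -->
</Context>
```

To confirm it took effect, log request.isSecure() and request.getRemoteAddr() for one HTTPS request and check the Set-Cookie header for the Secure attribute.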
