我想为 Cookie 添加 httponly
和 secure
标记。为了实现它,我使用了在 web.xml
中配置的 Filters
。
添加标志的代码如下:
package com.crisil.dbconn;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.filters.SecurityWrapperResponse;
public class ClickjackFilter implements Filter
{
private String mode = "DENY";
/**
* Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
* decide to implement) not to display this content in a frame. For details, please
* refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
//HttpServletRequest req = (HttpServletRequest)request.getSession();
res.addHeader("X-FRAME-OPTIONS", mode );
res.addHeader("X-Content-Type-OPTIONS", "nosniff" );
res.addHeader("X-XSS-Protection", "1; mode=block" );
res.addHeader("Vary", "*" );
res.addHeader("Expires", "-1" );
res.addHeader("Pragma", "no-cache" );
res.addHeader("Cache-control", "no-cache, no-store,max-age=0, must-revalidate" );
String contextPath = ((HttpServletRequest) request).getContextPath()+"kevalcccc";
((HttpServletResponse)ServletActionContext.getResponse()).setHeader("SET-COOKIE", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path="+contextPath+";Secure;HttpOnly");
// touch the session
// ((HttpServletRequest) request).getSessison();
// System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz");
// overwriting the cookie with Secure attribute set
// ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
////////////
/* Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if (cookies != null)
for (int i = 0; i < cookies.length; i++) {
cookies[i].setValue("");
cookies[i].setPath("/");
cookies[i].setMaxAge(0);
cookies[i].setSecure(true);
res.addCookie(cookies[i]);
}
*/
//////////////
String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse) response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
chain.doFilter(request, response);
}
public void destroy() {
}
public void init(FilterConfig filterConfig) {
String configMode = filterConfig.getInitParameter("mode");
if ( configMode != null ) {
mode = configMode;
}
}
}
上面的代码为 JSESSIONID cookie 添加了 httponly
和 secure
标志。但是,在响应 header 中,我得到了两个 cookie。第二个没有设置 httponly
和 secure
标志。请引用以下输出:
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162!1451244054765; HttpOnly;Secure
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162; path=/"
为什么没有为第二个 cookie 添加 httponly
和 secure
标志?
最佳答案
设置 JSESSIONID
是运行您的 Web 应用程序的任何 servlet 容器的责任。从您的过滤器中删除 setHeader
,并通过将以下内容添加到您的 web.xml
来正确配置您的 Web 应用程序:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
关于java - 在 Java Web 应用程序中为设置 cookie 添加 httponly 和安全标志,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34489406/