checkSSLSessionId X JBOSS 4.2.3

Hello everyone, good afternoon,

   I was researching application security and found the following link, which is quite interesting:

   [url]http://java.sapao.net/Home/garantir-a-seguranca-dos-identificadores-de-sessao-cookies[/url]

   The author mentions configuring the checkSSLSessionId flag, but I could not find where to configure it in JBoss 4.2.3.

   Does anyone know where and how I configure this?

Thanks.

Well, I may be mistaken, but I believe this is what you are looking for… I only have this doc in English, sorry :confused: I hope it helps…


Is there support for httpOnly cookies in JBoss EAP?

Issue

Cookies generated by JBoss do not set the httpOnly flag; does JBoss intend to adopt this standard?

Environment

JBoss Enterprise Application Platform (EAP)
    4.2
    4.3
    5.0
Apache Web Server
F5 BigIP Hardware Load Balancer

Resolution

httpOnly cookies will not be implemented in EAP 4.2 or 4.3 but are supported in EAP 5. Follow the instructions below to implement httpOnly cookies for your specific environment.
Using Apache with EAP 4.2/4.3

If Apache is being used to front JBoss then the following can be used to add httpOnly cookies. The mod_headers module must be loaded:

[code]LoadModule headers_module modules/mod_headers.so[/code]

Then add the following anywhere in httpd.conf, or in specific VirtualHost or Location blocks:

[code]Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly[/code]

This will add Secure;HttpOnly to every Set-Cookie header going out from httpd. If httpOnly cookies are only needed for certain VirtualHosts or Locations then add the Header directive only where it is needed, for example:

[code]<Location /foo>
    ...
    Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
</Location>[/code]

Note: the above Header directive sets both the Secure and HttpOnly attributes on the cookie; if only HttpOnly is desired then you can remove the Secure part.
Using F5 BigIP load balancer

If iRules are being used, the following rule could be used:

[code]rule jsessionid_httponly {
     when RULE_INIT {
          set ::cookieName JSESSIONID
     }

     when HTTP_RESPONSE {
          # HTTP::cookie exists must be bracketed as a Tcl command substitution
          if {[HTTP::cookie exists $::cookieName]} {
               set id [HTTP::cookie value $::cookieName]
               HTTP::cookie remove $::cookieName
               HTTP::cookie insert name $::cookieName value "${id};HttpOnly"
          }
     }
}[/code]

Setting it Programmatically

Here is an option for intercepting the cookie in the response header and re-setting it with the httpOnly flag.

The best place to do this is in a servlet filter.

Note that this, in its current form, would overwrite any cookies other than JSESSIONID, so you'd need to expand upon it to handle any other possible cookies.
Also, it checks if the cookie is secure so that this flag is not inadvertently removed, but you wouldn't need to worry about this if you don't use secure cookies.

[code]package my.filters;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AllRequests implements Filter
{
  // Servlet 2.5 has no default methods, so init() and destroy() must be implemented
  public void init(FilterConfig filterConfig) throws ServletException
  {
  }

  public void destroy()
  {
  }

  @Override
  public void doFilter(ServletRequest iRequest, ServletResponse iResponse, FilterChain chain)
          throws IOException, ServletException
  {
    // first process page as normal
    chain.doFilter(iRequest,iResponse);

    if(iRequest instanceof HttpServletRequest)
    {
      HttpServletRequest request = (HttpServletRequest)iRequest;
      HttpServletResponse response = (HttpServletResponse)iResponse;

      // setHeader() is silently ignored once the response has been committed;
      // containsHeader() is case-insensitive on JBoss Web/Tomcat
      if (!response.isCommitted() && response.containsHeader("SET-COOKIE"))
      {
        // getSession(false) avoids creating a session as a side effect when the
        // Set-Cookie header came from the application rather than the container
        HttpSession session = request.getSession(false);
        if (session == null)
        {
          return;
        }
        String sessionid = session.getId();
        String contextPath = request.getContextPath();

        // optionally make it secure
        String secure = "";
        if (request.isSecure())
        {
          secure = "; Secure";
        }
        // setHeader() replaces every Set-Cookie header, not just JSESSIONID
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                         + "; Path=" + contextPath + "; HttpOnly" + secure);
       }
    }
  }
}[/code]

and add this to web.xml:

[code]<filter>
     <filter-name>AllRequests</filter-name>
     <filter-class>my.filters.AllRequests</filter-class>
</filter>
<filter-mapping>
     <filter-name>AllRequests</filter-name>
     <url-pattern>/*</url-pattern>
</filter-mapping>[/code]

Using the EAP 5

Open JBOSS_HOME/server/SERVER_CONF/deploy/jbossweb.sar/context.xml, add a SessionCookie element nested in the Context element and set httpOnly:

[code]<Context cookies="true" crossContext="true">
    <SessionCookie httpOnly="true"/>
</Context>[/code]

Cheers
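As an added example (not code from the original post or from the Red Hat article quoted in it), here is a Servlet 2.5 filter that keeps the post-chain rewrite of JSESSIONID but, unlike the AllRequests snippet above, does not discard the application's own cookies and does not create a session as a side effect. The class name HttpOnlyCookieFilter and the helper names are assumptions of mine; the rest relies only on the Servlet 2.5 API that JBoss 4.2.3 ships.

```java
package my.filters;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Added example with a hypothetical class name; not code from the original post.
// Servlet 2.5 has neither Cookie.setHttpOnly() nor a way to read response headers back,
// so the filter wraps the response to flag cookies the application adds and, after the
// chain, rebuilds the Set-Cookie headers when the container has just issued a JSESSIONID.
public class HttpOnlyCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Secure is added only when the request reached JBoss over TLS: true behind an
        // SSL-terminating proxy via AJP (is_ssl is forwarded) or a connector with secure="true".
        boolean secure = request.isSecure();
        CookieFlaggingResponse wrapped = new CookieFlaggingResponse(response, secure);

        chain.doFilter(request, wrapped);

        // The container writes JSESSIONID to the underlying response, bypassing the wrapper,
        // so a session created during this request needs its cookie rewritten. getSession(false)
        // creates nothing as a side effect; once committed, headers can no longer be changed.
        HttpSession session = request.getSession(false);
        if (session == null || !session.isNew() || response.isCommitted()) return;
        String path = request.getContextPath().length() == 0 ? "/" : request.getContextPath();
        // setHeader replaces every Set-Cookie the container emitted, so the application's own
        // cookies (already flagged by the wrapper) are appended again afterwards.
        response.setHeader("Set-Cookie",
                withFlags("JSESSIONID=" + session.getId() + "; Path=" + path, secure));
        for (String header : wrapped.emitted) {
            response.addHeader("Set-Cookie", header);
        }
    }

    // True if the Set-Cookie value already carries the attribute (case-insensitive).
    static boolean hasAttribute(String setCookie, String attr) {
        return setCookie.toLowerCase().matches("(?s).*;\\s*" + attr + "\\s*(;.*)?");
    }

    // Appends HttpOnly (and Secure when asked) unless the value already has them.
    static String withFlags(String setCookie, boolean secure) {
        StringBuilder sb = new StringBuilder(setCookie);
        if (secure && !hasAttribute(setCookie, "secure")) sb.append("; Secure");
        if (!hasAttribute(setCookie, "httponly")) sb.append("; HttpOnly");
        return sb.toString();
    }

    // Serialises a Cookie by hand (Max-Age where the container would emit Expires).
    static String toSetCookie(Cookie c) {
        StringBuilder sb = new StringBuilder(c.getName()).append('=').append(c.getValue());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure()) sb.append("; Secure");
        return sb.toString();
    }

    // Forwards the application's cookies with the flags added and remembers them.
    static class CookieFlaggingResponse extends HttpServletResponseWrapper {
        final List<String> emitted = new ArrayList<String>();
        private final boolean secure;

        CookieFlaggingResponse(HttpServletResponse response, boolean secure) {
            super(response);
            this.secure = secure;
        }
        public void addCookie(Cookie cookie) {
            addHeader("Set-Cookie", toSetCookie(cookie));
        }
        public void setHeader(String name, String value) {
            if ("Set-Cookie".equalsIgnoreCase(name)) emitted.clear();
            super.setHeader(name, flagIfCookie(name, value));
        }
        public void addHeader(String name, String value) {
            super.addHeader(name, flagIfCookie(name, value));
        }
        private String flagIfCookie(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name)) return value;
            String flagged = withFlags(value, secure);
            emitted.add(flagged);
            return flagged;
        }
    }
}
```

Map it in web.xml exactly like the AllRequests filter above (replacing the class name), and declare it before any other filter so that the wrapper is the response the application writes its cookies to. If the application flushes output after creating the session, the response is already committed when the chain returns and the JSESSIONID cookie goes out unchanged; the Apache or F5 rewrite above covers that case.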

jmag, thanks for the help!

Your tip about HttpOnly was very valuable!

Now, about checkSSLSessionId, the only thing I found on the internet was how to configure it in Tomcat 3.3; see the link below:

http://tomcat.apache.org/tomcat-3.3-doc/serverxml.html

I found nothing for Tomcat 6 / JBoss 4.2.3.

Any suggestions?

Thanks.