Java JBoss 5: Using secure and httpOnly cookies and hiding jsessionid from the URL


I am using JBoss EAP 5.2. To use httpOnly and secure cookies, I changed the context.xml file, adding:

<Context cookies="true" crossContext="true" >
   <SessionCookie secure="true" httpOnly="true" />
   ....
But now I cannot log in, and I get an exception: javax.faces.application.ViewExpiredException


What am I missing? Please help.

To use secure=true, you need to install a certificate so that requests go over https.

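import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {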

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {

            if (!(req instanceof HttpServletRequest)) {
                chain.doFilter(req, res);
                return;
            }

            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
            // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
            if (request.isRequestedSessionIdFromURL()) {
                String url = request.getRequestURL()
                             .append(request.getQueryString() != null ? "?"+request.getQueryString() : "")
                             .toString();
                response.setHeader("Location", url);
                response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
                return;
            }

            // Prevent rendering of JSESSIONID in URLs for all outgoing links
            HttpServletResponseWrapper wrappedResponse =
                new HttpServletResponseWrapper(response) {
                    @Override
                    public String encodeRedirectUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeRedirectURL(String url) {
                        return url;
                    }

                    @Override
                    public String encodeUrl(String url) {
                        return url;
                    }

                    @Override
                    public String encodeURL(String url) {
                        return url;
                    }
                };
            chain.doFilter(req, wrappedResponse);

        }

        public void destroy() {
        }

        public void init(FilterConfig arg0) throws ServletException {
        }
    }
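
The following is an added example, not code from the original post: a small Java check that reads a response's `Set-Cookie` and `Location` headers and reports whether `JSESSIONID` carries `Secure` and `HttpOnly`, whether a `Secure` cookie was issued over plain http (the situation the answer points to), and whether `;jsessionid=` still appears in a URL. The class name, host names and session ids are constructed placeholders.

```java
import java.net.HttpCookie;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example (not from the original post): audits one HTTP response for session-id handling.
public class SessionCookieCheck {

    static boolean hasSessionIdInUrl(String url) {
        return url != null && url.toLowerCase(Locale.ROOT).contains(";jsessionid=");
    }

    // requestUrl: URL that was requested; setCookies: raw Set-Cookie header values;
    // location: Location header of the response, or null if it was not a redirect.
    static List<String> audit(URI requestUrl, List<String> setCookies, String location) {
        List<String> findings = new ArrayList<>();
        boolean https = "https".equalsIgnoreCase(requestUrl.getScheme());
        for (String header : setCookies) {
            for (HttpCookie c : HttpCookie.parse(header)) {
                if (!"JSESSIONID".equalsIgnoreCase(c.getName())) continue;
                if (!c.getSecure()) findings.add("JSESSIONID is missing Secure");
                if (!c.isHttpOnly()) findings.add("JSESSIONID is missing HttpOnly");
                if (c.getSecure() && !https)
                    findings.add("Secure JSESSIONID issued over http: the browser will not send it back, "
                            + "so the next request arrives without a session");
            }
        }
        if (hasSessionIdInUrl(requestUrl.toString())) findings.add("request URL carries ;jsessionid");
        if (hasSessionIdInUrl(location)) findings.add("redirect Location carries ;jsessionid");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample data; host names and session ids are placeholders.
        List<String> hardened = Arrays.asList("JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly");
        List<String> plain = Arrays.asList("JSESSIONID=0123ABCD; Path=/app");

        System.out.println("http + secure cookie : "
                + audit(URI.create("http://app.example.test/app/login.jsf"), hardened, null));
        System.out.println("https + secure cookie: "
                + audit(URI.create("https://app.example.test/app/login.jsf"), hardened, null));
        System.out.println("https, unhardened    : "
                + audit(URI.create("https://app.example.test/app/login.jsf"), plain,
                        "https://app.example.test/app/home.jsf;jsessionid=0123ABCD"));
    }
}
```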