Best unofficial Apache Server developers community

Answers

Problem with session security feature of JBoss 6 using servlet 3.0

⇧

⇩

117 views

We migrated our application from JBoss 5 to JBoss6 and one of the main reasons for this is to make use of the new features of servlet 3.0. Everything works fine apart from one new feature of JBoss 6 and servlet 3.0: setting the session cookie to only be transferred through secure channel even if the request was made through plain HTTP. This is a very important security feature for us and is achieved by adding

<secure>true</secure>

in web.xml. This is part of our web.xml:

<session-config>
<session-timeout>25</session-timeout>
<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>

When we remove the

<secure>true</secure>

everything works fine. When it is there, there is a new jsessionid generated for each request even when being on a secure page (HTTPS) or in an unsecured page (HTTP). Also, the login does not work since after login with secure credentials the user is redirected back to the login page.

I suppose this might be also an issue with Tomcat 7 since it also uses the servlet 3.0 spec. Any advice would be much appreciated.

Regards

java security tomcat jboss6.x servlet-3.0

asked June 25, 2011 1:14 pm CDT

Alex

posted via StackOverflow

0 Answers

Be the first to answer this question

Similar discussion threads

Re: Spring Security Feature (concurrent-session-control) not working with Apache Click 2.2.0?
September 15, 2010 09:32:21 PM
Hi Conor, I don't know this feature. Which version of Spring and Spring-security are you using? I did a quick test with the click-examples which uses spring-2.5.6 and security 2.0.4 but the xml doesn't validate when I add…

Re: Spring Security Feature (concurrent-session-control) not working with Apache Click 2.2.0?
September 15, 2010 10:13:12 PM
Got the examples workingt (should have added the >concurrent-session-control> element inside <http>. When I log in with RFF it works. When I log in with IE it fails and the following log is printed. [WARN ] [o.s.s.e.a.LoggerListener] …

Spring Security Feature (concurrent-session-control) not working with Apache Click 2.2.0?
September 15, 2010 08:04:30 PM
Hello - I have run into an unfortunate problem with trying to use Spring Security with Apache Click. I have all components working correctly with Spring Security except for the "concurrent session control "feature whereby a user should be only…

Created: (CXF-3362) CXF Servlet doesn't support servlet async feature rightly
February 24, 2011 05:13:25 AM
CXF Servlet doesn't support servlet async feature rightly

Closed] (GERONIMO-5924) Servlet.service() for servlet WARModules threw exception java.lang.Security
May 12, 2011 03:32:53 AM
[ https://issues.apache.org/jira/browse/GERONIMO-5924?page=com.atlassian .jira.plugin.system.issuetabpanels:all-tabpanel ] Tina Li closed GERONIMO-5924.

Re: JBoss 5.1.0, Camel, Spring, Servlet endpoint - Anyone succeded?
June 18, 2011 04:29:03 AM
Jean Baptiste, thank you very much for that, much obliged. Attaching the project. http://camel.465427.n5.nabble.com/file/n4501000/camel-prototype-1.zip camel-prototype-1.zip Don.

Re: JBoss 5.1.0, Camel, Spring, Servlet endpoint - Anyone succeded?
June 18, 2011 04:46:28 AM
Jean-Baptiste, I have tried camel 2.6.0, but as Richard noted it depends on the Spring 3, hence the issue with the Servlet loading order.

Re: JBoss 5.1.0, Camel, Spring, Servlet endpoint - Anyone succeded?
June 18, 2011 04:07:04 AM
Hi Don, I'm running Camel in JBoss 5.1.0 with multiple servlet endpoints. Although not with the latest Camel release (we're currently on 2.2.0 but plan to upgrade) so I can't comment on the SLF4J issue. Please keep us posted on this issue though,…

Re: JBoss 5.1.0, Camel, Spring, Servlet endpoint - Anyone succeded?
June 18, 2011 02:34:40 AM
Jean-Baptiste, Thank you for the suggestion. I have done that. Though I no longer get complaints about the version mismatch it fails with NoSuchFieldError: log Despite the fact that that I have following jar in the lib dir: log4j-1.2.16.jar…

JBoss 5.1.0, Camel, Spring, Servlet endpoint - Anyone succeded?
June 17, 2011 10:25:09 PM
Hi, Just wanted to double check if anyone is actually running Camel in JBoss 5.1.0 using Spring DSL and servlet endpoints. I have an opportunity to introduce camel as an integration technology used in our corporation but I'm having troubles with…

Updated: (AMQ-2514) xa jta activemq jboss - xa transaction not set in session
December 2, 2010 07:11:30 AM
[ https://issues.apache.org/jira/browse/AMQ-2514?page=com.atlassian.jira .plugin.system.issuetabpanels:all-tabpanel ] Dejan Bosanac updated AMQ-2514:

Updated] (AMQ-2514) xa jta activemq jboss - xa transaction not set in session
April 1, 2011 06:26:54 AM
[ https://issues.apache.org/jira/browse/AMQ-2514?page=com.atlassian.jira .plugin.system.issuetabpanels:all-tabpanel ] Gary Tully updated AMQ-2514:

Updated: (AMQ-2514) xa jta activemq jboss - xa transaction not set in session
September 18, 2010 11:48:00 AM
[ https://issues.apache.org/activemq/browse/AMQ-2514?page=com.atlassian. jira.plugin.system.issuetabpanels:all-tabpanel ] Bruce Snyder updated AMQ-2514:

Does resource adapter support session pooling in jboss
October 14, 2010 12:26:40 AM
Hello I need to know whether active mq resource adapter supports session pooling when used in jboss or not. Thanks in advance Alik

cxf 2.3.1 and JBoss 6 problem
April 13, 2011 03:03:10 PM
Hi, I'm trying to deploy my .war file on Jboss 6. It works on Jboss 5.1.0. I was building with CXF 2.2.10 and Spring 3.0.1. Since Jboss 6 uses CXF 2.3.1, I changed the build to use CXF 2.3.1 and Spring 3.0.5. I've also set it so that none of…

Re: cxf 2.3.1 and JBoss 6 problem
June 17, 2011 05:10:51 AM
Hi I've seen a very similar issue recently, which happened during a fairly specific deployment in Karaf on Unix only. Generally speaking, I believe problems like this are always caused by some cl restrictions or bugs or multiple (Spring) libs…

CXF problem on JBoss AS 6
April 11, 2011 10:08:14 AM
Hi, I'm also having trouble deploying a .war file on Jboss AS 6. In this case, the .war file deploys just fine on Jboss 5.1.0. When I drop the .war file in server/default/deploy and start Jboss, I get this error: 0 : 09:59:47,764 [Thread-2]…

Re: Jetty + security + camel servlet
January 4, 2011 04:38:19 PM
Just raised https://issues.apache.org/jira/browse/CAMEL-3490 for that On Mon, Jan 3, 2011 at 18:22, Guillaume Nodet <gno### @gmail.com> wrote: > On Mon, Jan 3, 2011 at 17:55, Charles Moulliard <cmoull### @gmail.com> wrote: >>…

Accessing (session) Manager in servlet
April 27, 2011 03:09:17 PM
Hello everybody! I need to access the Manager from the servlet (or filter) in Tomcat to load the custom session by custom session ID. Answering your next question: why do I need it. There's an old bug in Flash that causes it to send cookies from…

Apache + Mod-jk + Jboss Problem
July 15, 2010 08:23:11 AM
Hi, I have a application using Apache 2.2.15, Mod_jk and Jboss 4.2.1. Apache and Jboss Running fine till now. Suddenly there is an issue of slow browsing and later it stopped serving pages. We moved to backup server and now trying to fix this…

Questions and Answers are licensed under cc-wiki license.

Problem with session security feature of JBoss 6 using servlet 3.0

0 Answers

Be the first to answer this question

Join with account you already have