开发者

Does the Jetty Maven Plugin 8.0.0.M3 support all of Servlet 3?

问答 作者:

I have the following in my web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <session-timeout>15</session-timeout>
  <tracking-mode>COOKIE</tracking-mode>
</sess开发者_JAVA技巧ion-config>

However, according to OWASP's Zed Attack Proxy (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project), cookies are still being set by Spring Security w/o the httpOnly or secure flags.

If I deploy the same app in Tomcat 7, it appears to honor these settings from web.xml.

Solution: Put the elements in the correct order:

<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

继续阅读:jettymaven-jetty-pluginservlet-3.0

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9