
Disable URL Rewriting by default with Servlet 3.0 config #179

Closed
2 tasks done
ikeyat opened this issue Oct 29, 2015 · 3 comments

Comments

@ikeyat
Contributor

ikeyat commented Oct 29, 2015

Description

In general, URL rewriting should be disabled for security reasons.
Spring Security has an option to disable it.
On the other hand, Servlet 3.0 introduced a configuration to disable URL rewriting in web.xml with the following code. It's better to defend at a lower layer if possible, so we should apply this to our blank project as a default configuration.

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <!-- <secure>true</secure> -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

The Secure attribute can be configured with <secure>true</secure>. But we had better avoid defining it.
The reason is that most enterprise applications decode/encode HTTPS on an SSL accelerator, LB or HTTP server. In such cases, the Secure attribute takes effect and a browser ignores the cookie when it is running without them. The application should be independent from the infrastructure.

Possible Solutions

Add following config on web.xml.

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <!-- <secure>true</secure> -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Affects Version/s

  • 5.0.1.RELEASE
  • 1.0.3.RELEASE

Fix Version/s

  • 5.1.0.RELEASE
  • 5.0.2.RELEASE

Issue Links

Reference Links
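For readers who configure the container programmatically rather than through web.xml, the following listener is the Servlet 3.0 API equivalent of the <session-config> block proposed above. It is an added example written for this page, not code from the issue author or from the project; the class name SessionHardeningListener is an assumption, and it relies only on the standard javax.servlet 3.0 API (setSessionTrackingModes and SessionCookieConfig).

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of:
 *
 *   <session-config>
 *       <cookie-config>
 *           <http-only>true</http-only>
 *       </cookie-config>
 *       <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 *
 * The Servlet 3.0 API only allows these setters to be called while the
 * ServletContext is being initialized, so they live in contextInitialized().
 * The class name is a hypothetical one chosen for this example.
 */
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // <tracking-mode>COOKIE</tracking-mode>: with URL tracking gone the
        // container never appends ";jsessionid=..." to encodeURL()/encodeRedirectURL()
        // output, so the session id cannot leak through Referer headers, access
        // logs, bookmarks or copy-pasted links.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // <http-only>true</http-only>: the session cookie is hidden from
        // document.cookie, which limits what an XSS payload can read.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);

        // Deliberately NOT calling cookie.setSecure(true), for the reason given in
        // the issue: TLS is frequently terminated on an LB / SSL accelerator / HTTP
        // server, so the application itself sees plain HTTP and a browser would then
        // drop a Secure cookie. Leave that flag to the infrastructure layer or to a
        // per-environment profile.

        // Sanity check at startup so a misconfiguration is visible in the log.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            ctx.log("WARNING: URL session tracking is still enabled: " + effective);
        } else {
            ctx.log("Session tracking modes in effect: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

Because @WebListener is discovered by the container, nothing has to be added to web.xml for the listener itself; if the project keeps the declarative <session-config> as well, the two settings are redundant rather than conflicting, and the startup log line gives an easy way to confirm that URL is absent from the effective tracking modes.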

@making
Contributor

making commented Oct 29, 2015

How about

<session-config>
    <cookie-config>
        <!-- <secure>true</secure> -->
        <http-only>true</http-only>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

?

@ikeyat
Contributor Author

ikeyat commented Oct 29, 2015

@making

It's better, so I modified the possible solution.

@making
Contributor

making commented Oct 29, 2015

👍
