AT
- Add session cookie security configuration to Webapps
- secure flag is disabled
- http-only flag is enabled
- For JBoss EAP adjust web.xml as follows:
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  ...
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>
- For WebLogic adjust weblogic.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
  ...
  <session-descriptor>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>false</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
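The following is an added example (not code from this ticket or from the Camunda project) showing one way to validate that the two descriptors above actually carry the intended cookie flags. It parses a web.xml (Java EE namespace) or a weblogic.xml (WebLogic namespace), reads the http-only and secure elements, and compares them against the state the ticket asks for. The two XML samples embedded below are constructed for the example and mirror the fragments above; the function names `cookie_flags` and `matches_ticket` are this example's own, not part of any project API.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml with the settings described in the ticket.
WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed sample weblogic.xml with the same settings.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>false</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
"""

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
WEBLOGIC_NS = "http://xmlns.oracle.com/weblogic/weblogic-web-app"


def _flag(root, path, ns):
    """Return True/False for a boolean element, or None if the element is absent.

    Absent is reported separately from False on purpose: a missing element
    leaves the container's default in force rather than the explicit value
    the ticket requires, so a test should not treat the two the same way.
    """
    el = root.find(path, ns)
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def cookie_flags(xml_text):
    """Parse a deployment descriptor and report its session cookie flags."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}web-app" % JAVAEE_NS:
        ns = {"j": JAVAEE_NS}
        base = "j:session-config/j:cookie-config/"
        return {
            "descriptor": "web.xml",
            "http_only": _flag(root, base + "j:http-only", ns),
            "secure": _flag(root, base + "j:secure", ns),
        }
    if root.tag == "{%s}weblogic-web-app" % WEBLOGIC_NS:
        ns = {"w": WEBLOGIC_NS}
        base = "w:session-descriptor/"
        return {
            "descriptor": "weblogic.xml",
            "http_only": _flag(root, base + "w:cookie-http-only", ns),
            "secure": _flag(root, base + "w:cookie-secure", ns),
        }
    raise ValueError("unrecognised root element: %s" % root.tag)


def matches_ticket(flags):
    """True when the descriptor states exactly what the ticket asks for:
    http-only enabled and secure explicitly set to false."""
    return flags["http_only"] is True and flags["secure"] is False


if __name__ == "__main__":
    for sample in (WEB_XML, WEBLOGIC_XML):
        flags = cookie_flags(sample)
        print(flags["descriptor"], flags, "ok" if matches_ticket(flags) else "MISMATCH")
```

Running the script prints the flags read from each constructed descriptor and whether they match the ticket. Because `_flag` distinguishes an absent element from an explicit `false`, a descriptor that omits `<secure>` altogether is reported as `None` and fails `matches_ticket`, which is the behaviour an integration test for this change would want.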
- Add integration test that validates presence of the configuration => this is part of CAM-10447