Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-10451

Configure and test session cookie security config for enterprise containers

    XMLWordPrintable

    Details

      Description

      AT

      • Add session cookie security configuration to Webapps
        • secure flag is disabled
        • http-only flag is enabled
      • For JBoss EAP adjust web.xml as follows:
        <web-app
          version="3.0"
          xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
          ...
          <session-config>
            <cookie-config>
              <http-only>true</http-only>
              <secure>false</secure>
            </cookie-config>
          </session-config>
        
      • For WebLogic adjust weblogic.xml as follows:
        <?xml version="1.0" encoding="UTF-8"?>
        <weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
        ...
        <session-descriptor>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>false</cookie-secure>
        </session-descriptor>
        
      • Add integration test that validates presence of the configuration => this is part of CAM-10447

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            tassilo.weidner Tassilo Weidner
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: