 

Problem with session security feature of JBoss 6 using servlet 3.0

We migrated our application from JBoss 5 to JBoss 6 and one of the main reasons for this is to make use of the new features of servlet 3.0. Everything works fine apart from one new feature of JBoss 6 and servlet 3.0: setting the session cookie to only be transferred through a secure channel even if the request was made through plain HTTP. This is a very important security feature for us and is achieved by adding

<secure>true</secure>

in web.xml. This is part of our web.xml:

<session-config>
    <session-timeout>25</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

When we remove the

<secure>true</secure>

everything works fine. When it is there, there is a new jsessionid generated for each request even when being on a secure page (HTTPS) or in an unsecured page (HTTP). Also, the login does not work since after login with secure credentials the user is redirected back to the login page.

I suppose this might be also an issue with Tomcat 7 since it also uses the servlet 3.0 spec. Any advice would be much appreciated.

Regards

Alex asked Jun 25 '11 18:06




1 Answer

According to the HTTP Specification:

Secure

Optional. The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie.

The user agent (possibly under the user's control) may determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents.

It means that the specification leaves it open to the browser (user agent) to define what is "secure".

The Secure element in the web.xml is a reference for the HTTP Cookie Secure property, and you can track that value with your browser's debug tool.

If the communication is not "secure", the browser won't send the received cookie to the server on the following requests.

The problem is not JBoss always returning new cookies, but the browser that is not sending it back because the communication is insecure. JBoss then creates a new session for every request.

It is very clear that for non-encrypted communication (not HTTPS) the browser won't send the cookie; this is expected, since you are marking the cookie as secure = true.

But, even if you are using HTTPS, the "secure" is relative to the browser concept of security, for example:

  • Certificate can be expired
  • Certificate is self-signed
  • You are using a hostname different from the one who signed the certificate

These and other security problems can happen using TLS, meaning the communication is not secure.

The problem must be with your SSL/TLS or Cookie configuration, which means you have to check what you have done and isolate the problem. I don't think there is any bug in JBoss or JBossWeb (Tomcat 6 fork) causing it, and for sure it is not a specification error.

I was able to configure a JBoss 6.1.0 Final with TLS and with your web.xml configuration, and everything worked as expected.

I suggest you double-check your configuration, browser debug and alerts.

Evandro Pomatti answered Oct 21 '22 20:10
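The user-agent rule the answer describes, modelled with Python's standard-library cookie jar as an added example (not code from the question, the answer or JBoss): a JSESSIONID cookie carrying the Secure attribute is stored, and we ask the jar which Cookie header it would attach to http:// and https:// requests, with a tiny model of the container minting a fresh session whenever no known JSESSIONID comes back. The hostname app.example.com and the sessN values are constructed for the demo; the jar does not evaluate certificates, so the self-signed or expired-certificate cases the answer lists are outside this model.

```python
# Added example: Secure-flagged session cookie vs. request scheme, using stdlib only.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request
import itertools

HOST = "app.example.com"  # constructed hostname for the demo


def jsessionid_cookie(value: str, secure: bool) -> Cookie:
    """Build the cookie a servlet 3.0 container sets; Secure mirrors <secure>true</secure>."""
    return Cookie(version=0, name="JSESSIONID", value=value, port=None,
                  port_specified=False, domain=HOST, domain_specified=False,
                  domain_initial_dot=False, path="/", path_specified=True,
                  secure=secure, expires=None, discard=True, comment=None,
                  comment_url=None, rest={"HttpOnly": None})


def cookie_header_for(jar: CookieJar, url: str):
    """Cookie header the user agent would send for this URL (None = nothing sent)."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure-attribute rule to req's scheme
    return req.get_header("Cookie")


class FakeContainer:
    """Minimal session model: missing or unknown JSESSIONID => a new session is created."""

    def __init__(self, secure_flag: bool):
        self.secure_flag = secure_flag
        self.counter = itertools.count(1)
        self.sessions = set()

    def handle(self, jar: CookieJar, url: str) -> str:
        sent = cookie_header_for(jar, url)
        if sent and sent.startswith("JSESSIONID=") and sent[len("JSESSIONID="):] in self.sessions:
            return sent[len("JSESSIONID="):]      # known session reused
        sid = f"sess{next(self.counter)}"         # constructed session id
        self.sessions.add(sid)
        jar.set_cookie(jsessionid_cookie(sid, self.secure_flag))  # Set-Cookie to the jar
        return sid


def session_ids_seen(scheme: str, secure_flag: bool, n: int = 3) -> list:
    """Session ids the container sees across n requests to the same page."""
    jar, app = CookieJar(), FakeContainer(secure_flag)
    return [app.handle(jar, f"{scheme}://{HOST}/login") for _ in range(n)]


if __name__ == "__main__":
    for scheme, flag in (("https", True), ("http", True), ("http", False)):
        print(scheme, "secure=%s" % flag, session_ids_seen(scheme, flag))
```

Over HTTPS the Secure cookie is returned and the session is reused; over plain HTTP it is withheld, so every request gets a new session id, exactly the symptom described in the question.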