另一種方法,類似於Mark的,是使用了SessionCookieConfig
,但是從JNDI配置設置它在上下文監聽器:
代碼:
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class JndiSessionCookieConfigListener implements ServletContextListener {
private static final Logger logger = LoggerFactory.getLogger(JndiSessionCookieConfigListener.class);
private volatile Context jndiSessionCookieConfig;
private volatile SessionCookieConfig sessionCookieConfig;
@Override
public void contextInitialized(ServletContextEvent sce) {
String listenerName = getClass().getSimpleName();
try {
logger.info("JNDI override session cookie config found for {}", listenerName);
jndiSessionCookieConfig = (Context) new InitialContext().lookup(
"java:comp/env/" + listenerName);
}
catch (NamingException e) {
logger.info("No JNDI override session cookie config found for {}", listenerName);
}
sessionCookieConfig = sce.getServletContext().getSessionCookieConfig();
String comment = getString("comment");
if (comment != null) {
logger.debug("\t[comment]: [{}]", comment);
sessionCookieConfig.setComment(comment);
}
String domain = getString("domain");
if (domain != null) {
logger.debug("\t[domain]: [{}]", domain);
sessionCookieConfig.setDomain(domain);
}
Boolean httpOnly = getBoolean("http-only");
if (httpOnly == null) {
sessionCookieConfig.setHttpOnly(true);
}
else {
logger.debug("\t[http-only]: [{}]", httpOnly);
sessionCookieConfig.setHttpOnly(httpOnly);
}
Integer maxAge = getInteger("max-age");
if (maxAge != null) {
sessionCookieConfig.setMaxAge(maxAge);
}
String name = getString("name");
if (name != null) {
logger.debug("\t[name]: [{}]", name);
sessionCookieConfig.setName(name);
}
String path = getString("path");
if (path != null) {
logger.debug("\t[path]: [{}]", path);
sessionCookieConfig.setPath(path);
}
Boolean secure = getBoolean("secure");
if (secure == null) {
sessionCookieConfig.setSecure(true);
}
else {
logger.debug("\t[secure]: [{}]", secure);
sessionCookieConfig.setSecure(secure);
}
}
@Override
public void contextDestroyed(ServletContextEvent sce) {
}
private Boolean getBoolean(String name) {
Object value;
try {
value = jndiSessionCookieConfig.lookup(name);
if (value instanceof Boolean) {
return (Boolean)value;
}
else {
return Boolean.valueOf(value.toString());
}
}
catch (NamingException e) {
return null;
}
}
private Integer getInteger(String name) {
Object value;
try {
value = jndiSessionCookieConfig.lookup(name);
if (value instanceof Integer) {
return (Integer)value;
}
else {
return Integer.valueOf(value.toString());
}
}
catch (NamingException e) {
return null;
}
}
private String getString(String name) {
Object value;
try {
value = jndiSessionCookieConfig.lookup(name);
return value.toString();
}
catch (NamingException e) {
return null;
}
}
}
web.xml中:
...
<listener>
<listener-class>
org.mitre.caasd.servlet.init.JndiSessionCookieConfigListener
</listener-class>
</listener>
...
在你的context.xml中:
...
<Environment name="JndiSessionCookieConfigListener/secure"
type="java.lang.String"
override="false"
value="true" />
...
這使您可以在部署環境的運行時中設置所有會話Cookie配置。因此,您可以使用相同的webapp(war文件)在本地進行開發(您不會使用https),並且在生產中您會希望使用https。
注意,這種方法在OWASP documentation
提到由於servlet的3 http://docs.oracle.com/javaee/6/api/javax/servlet/SessionCookieConfig.html – 2014-02-07 21:45:37