[JENKINS-23378] Servlet 3.1
Start declaring servlet 3.1 dependency
kohsuke committed Feb 25, 2016
1 parent da91c95 commit 8713646a47b964f9b25d6eb1f7ee610cc5686404
Showing with 9 additions and 31 deletions.
  1. +2 −2 core/pom.xml
  2. +3 −26 core/src/main/java/hudson/WebAppMain.java
  3. +4 −3 war/src/main/webapp/WEB-INF/web.xml
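--- a/core/pom.xml
+++ b/core/pom.xml
@@ -243,8 +243,8 @@ THE SOFTWARE.
 </dependency>
 <dependency>
 <groupId>javax.servlet</groupId>
-<artifactId>servlet-api</artifactId>
-<version>2.4</version>
+<artifactId>javax.servlet-api</artifactId>
+<version>3.1.0</version>
 <scope>provided</scope>
 </dependency>
 <dependency>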
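--- a/core/src/main/java/hudson/WebAppMain.java
+++ b/core/src/main/java/hudson/WebAppMain.java
@@ -117,7 +117,9 @@ public Locale get() {
 
 installLogger();
 
-markCookieAsHttpOnly(context);
+// Set the session cookie as HTTP only.
+// See https://www.owasp.org/index.php/HttpOnly for the discussion of this topic in OWASP
+context.getSessionCookieConfig().setHttpOnly(true);
 
 final FileAndDescription describedHomeDir = getHomeDir(event);
 home = describedHomeDir.file.getAbsoluteFile();
@@ -254,31 +256,6 @@ public void run() {
 }
 }
 
-/**
-* Set the session cookie as HTTP only.
-*
-* @see <a href="https://www.owasp.org/index.php/HttpOnly">discussion of this topic in OWASP</a>
-*/
-private void markCookieAsHttpOnly(ServletContext context) {
-try {
-Method m;
-try {
-m = context.getClass().getMethod("getSessionCookieConfig");
-} catch (NoSuchMethodException x) { // 3.0+
-LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x);
-return;
-}
-Object sessionCookieConfig = m.invoke(context);
-
-// not exposing session cookie to JavaScript to mitigate damage caused by XSS
-Class scc = Class.forName("javax.servlet.SessionCookieConfig");
-Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
-setHttpOnly.invoke(sessionCookieConfig,true);
-} catch (Exception e) {
-LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e);
-}
-}
-
 public void joinInit() throws InterruptedException {
 initThread.join();
 }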
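Review bot: The direct `context.getSessionCookieConfig().setHttpOnly(true)` in the first hunk drops the catch-and-log that the removed `markCookieAsHttpOnly` wrapped around the same call, so where the container rejects it (the Servlet API documents `IllegalStateException` once the context is already initialized and `UnsupportedOperationException` for a listener not declared in the deployment descriptor) the exception now propagates out of the listener instead of producing a WARNING. With the war now declaring Servlet 3.1 that is presumably the intent, since failing loudly is preferable to starting without the HttpOnly flag, but nothing in the hunk records the decision. A one-line comment next to the call would do, e.g. `// Servlet 3.x API; failures propagate rather than being logged so Jenkins never starts without HttpOnly sessions`. The enclosing method starts and ends outside the hunk.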
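--- a/war/src/main/webapp/WEB-INF/web.xml
+++ b/war/src/main/webapp/WEB-INF/web.xml
@@ -23,10 +23,11 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
 
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
-version="2.4">
+xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+version="3.1"
+metadata-complete="true">
 <display-name>Jenkins v${project.version}</display-name>
 <description>Build management system</description>
 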
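Review bot: The added `metadata-complete="true"` on the root element is a behavior change beyond the schema bump, not just a version attribute: it instructs a Servlet 3.x container to skip annotation scanning and web-fragment processing, so only servlets, filters and listeners declared in this file are registered. That is a sensible hardening for a webapp that loads third-party jars, but the hunk leaves no record of why it was chosen. Suggest an XML comment immediately above the element: `<!-- metadata-complete: container must not scan jars for @WebServlet/@WebFilter/@WebListener; everything is declared here -->`.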