users@glassfish.java.net

Re: JSESSIONIDSSO and HTTPS

From: Jamey Wood <Jamey.Wood_at_sun.com>
Date: Tue, 30 Oct 2007 15:21:46 -0600

Hi Jan,

Jan.Luehe_at_sun.com wrote:
> Jamey Wood wrote:
...<snip>...
>> So it appears that the only way to force it into a 'setSecure(false)'
>> case would be if we could force our HttpServletRequest to return
>> false for the isSecure call. I believe that's possible in Tomcat
>> (setting 'secure="false"' in server.xml, as documented at
>> http://tomcat.apache.org/tomcat-5.5-doc/config/http.html).
>
> Sounds like a hack. :)

For this specific scenario, I'd agree. But there might be other cases
where such a setting would be more proper. For example, if your
appserver were accessible only via an HTTPS reverse proxy, you might
want any apps there to see all requests as "secure" even though the
network connection coming directly out of the appserver might just be
simple HTTP.

...<snip>...
> So in summary, there are 2 issues we need to fix in GlassFish:
>
> 1. Consider the "isSecure" cookie property in sun-web.xml.
>
> 2. Consider the cookie-properties from sun-web.xml not only for
> JSESSIONID, but also JSESSIONIDSSO cookies.
>
> Does this answer your question?
> If so, please feel free to file an RFE on this.

Yes, thank you. I've filed these RFEs:

 https://glassfish.dev.java.net/issues/show_bug.cgi?id=3822
 https://glassfish.dev.java.net/issues/show_bug.cgi?id=3823

--Jamey
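The reverse-proxy case Jamey describes above (appserver reached only through an HTTPS-terminating proxy, so the hop into the appserver is plain HTTP) is usually handled by making `isSecure()` reflect the proxy's `X-Forwarded-Proto` header. The filter below is an added illustration, not code from the thread or from GlassFish; it assumes the proxy sets that header and that `PROXY_ADDR` (a placeholder) is the only peer allowed to reach the connector, so the header is trusted from that address alone.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Reports a request as secure when it reached an HTTPS-terminating reverse
 * proxy, even though the proxy-to-appserver connection is plain HTTP.
 * Anything downstream that keys off request.isSecure() (including code that
 * decides whether to call Cookie.setSecure(true)) then sees the request as
 * HTTPS. Assumptions, not taken from the thread: the proxy sends
 * X-Forwarded-Proto, and PROXY_ADDR (placeholder) is the only host that
 * can connect to this listener.
 */
public class ForwardedProtoSecureFilter implements Filter {
    private static final String PROXY_ADDR = "10.0.0.1"; // placeholder address

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && isForwardedHttps((HttpServletRequest) req)) {
            req = new SecureRequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Trust X-Forwarded-Proto only when the immediate peer is the known proxy. */
    static boolean isForwardedHttps(HttpServletRequest r) {
        if (!PROXY_ADDR.equals(r.getRemoteAddr())) {
            return false; // a client reaching the port directly could forge the header
        }
        String proto = r.getHeader("X-Forwarded-Proto");
        return proto != null && proto.trim().equalsIgnoreCase("https");
    }

    /** Wrapper that overrides only the scheme-related accessors. */
    static class SecureRequestWrapper extends HttpServletRequestWrapper {
        SecureRequestWrapper(HttpServletRequest r) { super(r); }
        public boolean isSecure() { return true; }
        public String getScheme() { return "https"; }
    }
}
```

A filter only affects what runs after it in the chain; cookies the container issues before the filter chain, such as the JSESSIONIDSSO cookie this thread is about, still follow the container-level settings the two RFEs ask for.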