
In our build process we try to keep the resulting artifacts (e.g. ear or war files) environment independent, so that we can deploy the same artifact in different environments. One problem I stumbled across recently was the need to configure our web application to set the secure flag on the session cookie. This is done in the packaged web.xml. This post shows an alternative solution for this problem using the JBoss-specific jboss-web.xml and system properties.

In earlier JBoss versions the secure cookie flag could be configured on the server level by editing server/<CONFIG>/deploy/jbossweb.sar/context.xml and adding the following line:

context.xml
<SessionCookie secure="true" httpOnly="true" />

In JBoss 7 there is no server specific configuration for this any more. You have to edit the web.xml file of your web application to contain something like the following:

web.xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

As the web.xml is packaged into the artifact during the build process, this setting is effective in every environment the application is deployed to. On our local machines we do not want to set up certificates and an https configuration for the development JBoss. But this setting prevents us from logging in without https, because a session cookie flagged secure is only sent by the browser over https, so no session can be established over plain http. Therefore, we needed a way to make this web.xml setting environment specific without changing the artifact for different environments.
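To see the effect described above without a browser, the following check parses Set-Cookie header lines as captured from a deployment and reports whether the session cookie carries the Secure and HttpOnly flags, and whether a browser would send it back over a given scheme. This is an added example and not code from the original post; the two header captures and the cookie name JSESSIONID are constructed for illustration.

```python
"""Added example (not from the original post): parse captured Set-Cookie
headers and report the session cookie's Secure/HttpOnly flags.
The header captures below are constructed for this example."""

# Constructed captures: a deployment with the web.xml setting from the
# post (Secure + HttpOnly) and a development deployment without Secure.
PROD_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/myapp; Secure; HttpOnly",
    "Set-Cookie: theme=dark; Path=/myapp",
]
DEV_HEADERS = [
    "Set-Cookie: JSESSIONID=def456; Path=/myapp; HttpOnly",
]


def parse_set_cookie(header_line):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; valueless flags map to True."""
    _, _, body = header_line.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def session_cookie_flags(header_lines, session_cookie_name="JSESSIONID"):
    """Return {'secure': bool, 'httponly': bool} for the session cookie,
    or None if the captured headers did not set one."""
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name == session_cookie_name:
            return {
                "secure": attrs.get("secure") is True,
                "httponly": attrs.get("httponly") is True,
            }
    return None


def cookie_usable_over(scheme, flags):
    """A Secure cookie is only sent back by the browser over https, which
    is why a login over plain http never gets a session with that flag."""
    if flags is None:
        return False
    return scheme == "https" or not flags["secure"]


if __name__ == "__main__":
    for label, headers in (("prod", PROD_HEADERS), ("dev", DEV_HEADERS)):
        flags = session_cookie_flags(headers)
        print(label, flags, "usable over http:", cookie_usable_over("http", flags))
```

Feed it the Set-Cookie lines from a login response of each environment; the production capture should report both flags, and the development capture should report Secure as false, matching the property override introduced later in the post.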

JBoss 7.1 allows property replacements in deployment descriptors like ejb-jar.xml, but not in the web.xml. There is a JBoss-specific jboss-web.xml which can be used to configure JBoss-specific settings. Apart from those settings, this file also supports everything you could write in the normal web.xml. And, most importantly, jboss-web.xml supports property replacement. Therefore, you can use the following jboss-web.xml:

jboss-web.xml
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_7_1.xsd"
           version="7.1">

    <session-config>
        <session-timeout>120</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>${session-config.cookie-config.secure:true}</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</jboss-web>

Now you can define a system property in your standalone.xml as follows to disable the secure flag in your development environment.

standalone.xml
<system-properties>
   <property name="session-config.cookie-config.secure" value="false"/>
</system-properties>
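The following added example (not code from the original post or from JBoss) reproduces the ${property:default} expansion the post relies on, so the effective secure flag can be checked for a given set of system properties without starting a server. It resolves placeholders in a descriptor modelled on the jboss-web.xml above, then reads the cookie settings from the resolved XML. The descriptor text and both property sets are constructed for this example; the resolver handles the two forms shown on this page (a name with or without a default) and is not a full implementation of the server's expression syntax.

```python
"""Added example (not from the original post): resolve ${name:default}
placeholders in a jboss-web.xml descriptor and read the effective
session cookie flags. Descriptor and property sets are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed descriptor, mirroring the jboss-web.xml from the post.
JBOSS_WEB_XML = """<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">
    <session-config>
        <session-timeout>120</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>${session-config.cookie-config.secure:true}</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</jboss-web>
"""

NS = {"jw": "http://www.jboss.com/xml/ns/javaee"}
# ${name} or ${name:default}; the default may be empty.
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")


def resolve_placeholders(text, system_properties):
    """Expand placeholders from the property map, falling back to the
    inline default. A placeholder with neither is left untouched so a
    missing property is visible instead of silently becoming empty."""
    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in system_properties:
            return system_properties[name]
        if default is not None:
            return default
        return match.group(0)
    return PLACEHOLDER.sub(substitute, text)


def effective_cookie_flags(descriptor_text, system_properties):
    """Return (secure, http_only) as the resolved descriptor states them."""
    resolved = resolve_placeholders(descriptor_text, system_properties)
    root = ET.fromstring(resolved)
    cookie_config = root.find("jw:session-config/jw:cookie-config", NS)
    secure = cookie_config.findtext("jw:secure", default="false", namespaces=NS)
    http_only = cookie_config.findtext("jw:http-only", default="false", namespaces=NS)
    return secure.strip().lower() == "true", http_only.strip().lower() == "true"


if __name__ == "__main__":
    # Production: no override defined, the placeholder default "true" applies.
    print("prod:", effective_cookie_flags(JBOSS_WEB_XML, {}))
    # Development: standalone.xml defines the property as "false".
    dev_props = {"session-config.cookie-config.secure": "false"}
    print("dev: ", effective_cookie_flags(JBOSS_WEB_XML, dev_props))
```

The useful property of this layout is the direction of the default: an environment that forgets to define the property still gets secure="true", so only a deliberately configured development server ends up with an insecure session cookie. In standalone.xml the <system-properties> element goes directly under the <server> element, after <extensions>.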