In our build process we try to keep the resulting artifacts (e.g. ear or war files) environment independent so that we can easily deploy the same artifact in different environments. One problem I stumbled across recently, was the need to configure our web application to set the secure flag on the session cookie. This is done in the packaged web.xml. This post will show an alternative solution for this problem by using the jboss specific jboss-web.