
Commit 338706f

committed
Added tomcat session tracking config
1 parent da1b51e commit 338706f


1 file changed

+25
-6
lines changed

1 file changed

+25
-6
lines changed

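--- a/VulnerableJavaWebApp/src/main/java/com/test/vulnerablejavawebapp/config/AppLauncher.java
+++ b/VulnerableJavaWebApp/src/main/java/com/test/vulnerablejavawebapp/config/AppLauncher.java
@@ -1,6 +1,12 @@
 package com.test.vulnerablejavawebapp.config;
 
+import java.util.Collections;
+
 import javax.servlet.Filter;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.SessionCookieConfig;
+import javax.servlet.SessionTrackingMode;
 import javax.sql.DataSource;
 
 import org.apache.catalina.connector.Connector;
@@ -9,6 +15,7 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
+import org.springframework.boot.context.embedded.ServletContextInitializer;
 import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
 import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -67,6 +74,24 @@ public Filter sessionUserFilter() {
 return new SessionUserFilter();
 }
 
+public static void main(String[] args) throws Exception {
+SpringApplication.run(AppLauncher.class, args);
+}
+
+// The following configurations are usally on the application servers and not in the code
+// but since we are using spring boot to make things simple we configure via code
+@Bean
+public ServletContextInitializer servletContextInitializer() {
+return new ServletContextInitializer() {
+@Override
+public void onStartup(ServletContext servletContext) throws ServletException {
+servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));
+SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
+sessionCookieConfig.setHttpOnly(true);
+}
+};
+
+}
 @Bean
 public EmbeddedServletContainerFactory servletContainer() {
 // https config
@@ -75,8 +100,6 @@ public EmbeddedServletContainerFactory servletContainer() {
 final String keystoreProvider = "SunJSSE";
 final String keystoreAlias = "tomcat";
 final String keystoreAbsolutePath = getClass().getClassLoader().getResource("ssl/keystore.p12").getFile();
-
-
 
 TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
 factory.addConnectorCustomizers((TomcatConnectorCustomizer) (Connector con) -> {
@@ -93,8 +116,4 @@ public EmbeddedServletContainerFactory servletContainer() {
 
 return factory;
 }
-
-
-public static void main(String[] args) throws Exception {
-SpringApplication.run(AppLauncher.class, args);
-}
 }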
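Review bot: The session-cookie hardening in `onStartup` sets HttpOnly but never marks the cookie Secure, so if any plain-HTTP connector is also configured the session id can still be sent in clear; since the same file builds an HTTPS connector a few hunks down (the `// https config` block with the `ssl/keystore.p12` keystore), adding `sessionCookieConfig.setSecure(true);` next to `setHttpOnly(true)` would be consistent with that. `ServletContextInitializer` is a single-method interface and the file already uses a lambda for `TomcatConnectorCustomizer`, so the anonymous class could be written as `return servletContext -> { ... };`. The comment above the bean misspells "usually" as `usally`, and there is a stray blank line before the closing brace of `servletContextInitializer()` with no blank line between that brace and the following `@Bean`. `servletContainer()` begins in the third hunk and continues outside it.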
