It has been a while since my last post, but after I received an email from a good friend of mine I thought I would share the good news with all of you.
As some of you may already know, there has been an ongoing effort in the AppSec community to get all of the "major" application server vendors to natively support setting the HttpOnly flag on all session cookies they generate. Doing it programmatically is kludgy at best; it is far better if the server simply does it for us. This feature adds instant security to any application by preventing any script on the page (whether put there by the developer or injected by an attacker through XSS) from accessing the current user's cookies. Effectively, this simple feature significantly mitigates the risk of session hijacking through XSS, whether reflected, persistent, or otherwise. Furthermore, as most application server vendors provide some form of XML configuration file to control the settings applied to session cookies, applications would not even need code changes to get the full benefit of this feature. A win-win scenario in the making.
Up until now, WebLogic Server (WLS) has not supported this feature, although it has supported the Secure flag for a number of releases. Well, Oracle has now finally come through for us with the latest release, WLS 10.3.1.0.
WLS uses a file named weblogic.xml to give application developers a way to control WebLogic-specific aspects of an application's deployment configuration, including the flags and settings placed on the session token. According to the documentation, the proper namespace declaration should reference http://www.bea.com/ns/weblogic/920/weblogic-web-app.xsd. There is only one problem with doing this: that version of the XSD references two other XSDs, neither of which provides any way to set the HttpOnly flag! So did Oracle lie? I don't think so. I think they have not gotten around to updating their documentation to reference the proper XSD document.
If you use the namespace declaration http://www.oracle.com/technology/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd instead, that XSD includes another XSD document named http://xmlns.oracle.com/weblogic/weblogic-javaee/1.0/weblogic-javaee.xsd. This is the key to the new option under the session-descriptor tag, named cookie-http-only, that actually lets you set the HttpOnly flag. Be sure to explicitly set this value to true, as the definition specifies the default value to be false. If you do not have a weblogic.xml file in your WAR or EAR file, the server uses the default value of the tag (FALSE in this case). Just place the file in your WEB-INF directory right next to your web.xml file, and you are off to the races.
I hope this helps, and happy and secure coding.
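As an added example (not from the original post), here is a constructed weblogic.xml that uses the namespace and schema location recommended above, together with a small Python check that reports the session-cookie flags WebLogic would apply, treating a missing file or a missing element as the schema default of false the post describes. The cookie-secure element and its default of false are assumptions, not taken from the post.

```python
"""Check the session-cookie flags declared in a WebLogic weblogic.xml."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor; it belongs in WEB-INF next to web.xml.
# Namespace and schema location are the ones the post recommends.
SAMPLE_WEBLOGIC_XML = """<weblogic-web-app
    xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app
        http://www.oracle.com/technology/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
  <session-descriptor>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
"""

# The post states the schema default for cookie-http-only is false, so an
# absent weblogic.xml or an absent element yields the insecure default.
# cookie-secure and its default of false are an assumption for this example.
DEFAULTS = {"cookie-http-only": False, "cookie-secure": False}


def _as_bool(text):
    return (text or "").strip().lower() == "true"


def session_cookie_flags(xml_text):
    """Return the flags as WLS would apply them for the given weblogic.xml text.

    xml_text is the file contents, or None when WEB-INF/weblogic.xml is absent.
    Elements are matched by local name, so the namespace prefix style does
    not matter; an older bea.com/920 descriptor simply has no such elements.
    """
    flags = dict(DEFAULTS)
    if xml_text is None:
        return flags
    root = ET.fromstring(xml_text)
    desc = root.find("{*}session-descriptor")
    if desc is None:
        return flags
    for name in flags:
        el = desc.find("{*}" + name)
        if el is not None:
            flags[name] = _as_bool(el.text)
    return flags


def missing_flags(xml_text):
    """Names of session-cookie flags that are not explicitly enabled."""
    return sorted(n for n, on in session_cookie_flags(xml_text).items() if not on)


if __name__ == "__main__":
    print("sample ->", session_cookie_flags(SAMPLE_WEBLOGIC_XML))
    print("absent file ->", missing_flags(None))
```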
5 comments:
So where do you download WLS 10.3.1.0? I only found links for 10.3 and I downloaded it just to be sure but it is identical to what I have from last August.
That I am not sure. BEA's website can be confusing, and the 10.3 version that you download may be 10.3.1.0. There is really no way to tell.
In any case, try pointing to the docs I reference and everything "should" work.
I'm pretty sure what I downloaded last night was 10.3.0 (the installer had an identical checksum to the file I previously used to install, which was downloaded in August).
Could you give a sample weblogic.xml file?
I am trying this:
<wls:weblogic-web-app
xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://www.oracle.com/technology/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
but I am getting this error:
com.bea.xml.XmlException: failed to load java type corresponding to e=weblogic-web-app@http://xmlns.oracle.com/weblogic/weblogic-web-app
at com.bea.staxb.runtime.internal.UnmarshalResult.getPojoBindingType(UnmarshalResult.java:361)
at com.bea.staxb.runtime.internal.UnmarshalResult.determineTypeForGlobalElement(UnmarshalResult.java:316)
at com.bea.staxb.runtime.internal.UnmarshalResult.determineTypeForGlobalElement(UnmarshalResult.java:326)
at com.bea.staxb.runtime.internal.UnmarshalResult.determineRootType(UnmarshalResult.java:307)
at com.bea.staxb.runtime.internal.UnmarshalResult.unmarshalDocument(UnmarshalResult.java:158)
at com.bea.staxb.runtime.internal.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:65)
at weblogic.descriptor.internal.MarshallerFactory$1.createDescriptor(MarshallerFactory.java:141)
See Matt's followup here (he confirms it is not out yet)
and also this
http://forums.oracle.com/forums/thread.jspa?threadID=913079
Also, it looks like they might name it 11g when it does come out.
Thanks Dan. I actually posted the update just for that reason. Oh well, maybe we will have better luck in the near future.