Back in April I was very excited. According to Oracle’s website they now supported the HttpOnly flag. I even wrote a post praising them for it here. Well, it appears that my praise was a little premature.
In my previous post, I reference several documents on the Oracle/BEA website that clearly state they support HttpOnly. For those that do not want to bother with finding the links in the old post, here they are:
http://www.oracle.com/technology/weblogic/index.html
http://www.oracle.com/technology/weblogic/wls_10.3.1.0.html
http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd
http://www.oracle.com/technology/weblogic/weblogic-javaee/1.0/weblogic-javaee.xsd
If you follow those links you will eventually come to the last one where it clearly states in the XSD:
<!-- Mark the session cooke as HttpOnly; default=false -->
<xsd:element name="cookie-http-only" type="true-falseType" minOccurs="0" />
Ok, so the default is false, but they support it, right? Not exactly. It seems that this feature is only supported in version 10.3.1.0. So what is the problem? You can’t download 10.3.1.0! This version is nowhere to be found on their site. The version that is downloadable is 10.3, which, when you configure your weblogic.xml file, causes the deployment to fail with the following exceptions, even though the docs state otherwise:
<Jun 16, 2009 3:33:12 PM CDT> <Error> <J2EE> <BEA-160197> <Unable to load descriptor C:\.../WEB-INF/weblogic.xml of module NewWebLogic.war. The error is weblogic.descriptor.DescriptorException: Unmarshaller failed
at weblogic.descriptor.internal.MarshallerFactory$1.createDescriptor(MarshallerFactory.java:147)
at weblogic.descriptor.DescriptorManager.createDescriptor(DescriptorManager.java:280)
at weblogic.descriptor.DescriptorManager.createDescriptor(DescriptorManager.java:248)
at weblogic.application.descriptor.AbstractDescriptorLoader2.getDescriptorBeanFromReader(AbstractDescriptorLoader2.java:749)
at weblogic.application.descriptor.AbstractDescriptorLoader2.createDescriptorBean(AbstractDescriptorLoader2.java:378)
...
Caused by: com.bea.xml.XmlException: failed to load java type corresponding to e=weblogic-web-app@http://www.bea.com/ns/weblogic/weblogic-web-app
at com.bea.staxb.runtime.internal.UnmarshalResult.getPojoBindingType(UnmarshalResult.java:325)
at com.bea.staxb.runtime.internal.UnmarshalResult.determineTypeForGlobalElement(UnmarshalResult.java:292)
at com.bea.staxb.runtime.internal.UnmarshalResult.determineTypeForGlobalElement(UnmarshalResult.java:302)
at com.bea.staxb.runtime.internal.UnmarshalResult.determineRootType(UnmarshalResult.java:283)
at com.bea.staxb.runtime.internal.UnmarshalResult.unmarshalDocument(UnmarshalResult.java:153)
at com.bea.staxb.runtime.internal.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:65)
at weblogic.descriptor.internal.MarshallerFactory$1.createDescriptor(MarshallerFactory.java:136)
... 33 more
.>
Well, for those that read my previous post and were given any hope
whatsoever, I humbly apologize. I hope that in the near future Oracle
will release 10.3.1.0, or fix their documentation to accurately reflect
what is actually supported.
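An added example, not part of the original post and not Oracle's code: because the documentation and the shipped server disagree, the reliable check is to inspect the Set-Cookie headers the application actually returns and confirm the session cookie carries HttpOnly. The cookie name JSESSIONID and the sample headers below are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# SAMPLE_HEADERS are constructed for illustration, not captured from a real server.

SAMPLE_HEADERS = [
    "JSESSIONID=abc123!-1542; path=/",                 # flag missing
    "JSESSIONID=def456!998; path=/; HttpOnly",         # flag present
    "prefs=theme=httponly; path=/",                    # only the value mentions it
    "JSESSIONID=ghi789; Path=/app; Secure; httponly",  # attribute names are case-insensitive
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    # The first segment is name=value; the value itself may contain '='.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly and Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_http_only(headers, cookie_names=("JSESSIONID",)):
    """Return the headers that set a watched cookie without HttpOnly."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        # Only a real attribute counts, never text inside the cookie value.
        if name in cookie_names and "httponly" not in attrs:
            findings.append(header)
    return findings


if __name__ == "__main__":
    for h in missing_http_only(SAMPLE_HEADERS):
        print("HttpOnly missing:", h)
```

Feed it the Set-Cookie values from a login response of the deployed application; an empty result means every watched cookie was issued with the flag.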
2 comments:
Matt, thanks for fighting the HTTPOnly fight! Good work in verifying this so carefully.
Oracle WebLogic Server 11g Release 1 (10.3.1) is finally out [apparently they have adopted Sun’s lovely naming scheme since they are marketing 10.3.1 as 11g].