Develop Reference

IBM AppScan - Missing Secure Attribute in Encrypted Session (SSL) Cookie

We have got an Missing Secure Attribute in Encrypted Session (SSL) Cookie issue for primefaces.download based on IBM App Scan DSAT test.
Primefaces version is 7.0
Sample Example : https://www.primefaces.org/showcase/ui/data/dataexporter/basic.xhtml
primefaces.download -- this cookies is set when we download a file
We already have session-config in the web.xml , but when i check in chrome the primefaces.download cookie is not set as http-only and secured .
Is there anything else required to be done when running it on JBOSS 7.2?
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
..........
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Updated :
Issue raised
https://github.com/primefaces/primefaces/issues/6040

A Pull Request to fix the issue in 9.0-SNAPSHOT has been submitted.
https://github.com/primefaces/primefaces/pull/6041

Getting localized messages from a jar file

I am currently refactoring common resources (css, images & javascript) of two belonging frontend (web) projects into a separate jar file and it works perfectly fine.
Now I am trying to do the same with localized messages, but I must be missing something, as I only get the keys of the 'default' messages, without localization.
My jar file is structured like this:
faces-util.jar
|--META-INF
|--resources
|--css
|--images
|--js
Putting the messages files directly in the root folder (src/main/resources) it works, but only for the default locale (messages.properties). Localized message files like messages_de.properties are ignored.
Here is my faces-config.xml:
<?xml version='1.0' encoding='UTF-8'?>
<faces-config version="2.2"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_2.xsd">
<application>
<locale-config>
<default-locale>en</default-locale>
<supported-locale>de</supported-locale>
</locale-config>
<resource-bundle>
<base-name>messages</base-name>
<var>msg</var>
</resource-bundle>
</application>
</faces-config>
I tried putting faces-config.xml inside /META-INF or /META-INF/resources but without success.
In the web projects I have the standard config faces-config.xml inside WEB-INF and the messages properties files in /src/main/resources.
What am I doing wrong? Can anybody give me a hint?
Thx in advance

JBoss AS 7.1 Clustering with JSF

I am trying to cluster enable my JSF 2.1 application (mojarra 2.1, Primefaces) on Jboss AS 7.2 (EAP 6.3) And I have researched this issue wihtou being able to find an answer.
I have deployed the application to two nodes and logged into the application. The I shut down the node that was being used and when I try to use the application again, I am directed to a login page. The have printed the session id and it changes when I hit the new node.
I have deployed a sample cluster bench (https://github.com/clusterbench/clusterbench) and the examples all work, with the exception of the JSF sample. The session id is always lost when a node goes down.
My web.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<distributable />
...
</web-app>
My jboss.web.xml is:
<jboss-web version="6.0"
xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_6_0.xsd">
<replication-config>
<!-- The default value is SET_AND_NON_PRIMITIVE_GET, therefore the byte array which is carrying the data is considered
non-primitive and would cause replication even in read only scenario. -->
<replication-trigger>SET</replication-trigger>
<!-- Replicating entire session is the default. -->
<replication-granularity>SESSION</replication-granularity>
</replication-config>
<context-root>/sample</context-root>
</jboss-web>

I would like http://localhost:8080/ to have the same effect as accessing http://localhost:8080/basicSetup/index.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web- app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<display-name>basic setup</display-name>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/index.faces</welcome-file>
</welcome-file-list>
It should be accessed from domain like www.example.com without showing www.example.com/basicsetup.

It would be wise to go through Tomcat 7 server documentation on the issue, especially the following part, recited below for you (emphasis mine:
The Context element represents a web application, which is run within a particular virtual host. Each web application is based on a Web Application Archive (WAR) file ...
The web application used to process each HTTP request is selected by Catalina based on matching the longest possible prefix of the Request URI against the context path of each defined Context.
You may define as many Context elements as you wish. Each such Context MUST have a unique context name within a virtual host. The context path does not need to be unique (see parallel deployment below). In addition, a Context must be present with a context path equal to a zero-length string. This Context becomes the default web application for this virtual host, and is used to process all requests that do not match any other Context's context path.
So, to sum it up: you need to have <Context path="" ... /> defined as described here.
You can find the needed details in the answer to HOWTO set the context path of a web application in Tomcat 7.0 question.

How to develop https site with Spring 3.x?

I am a newbie in Spring based web development.
Our site is Spring based and is currently http based (so quite insecure).
Since, the site is not live yet, we are sending login/password also through a normal JSON request to server and have focussed mostly on JSP, UI design, SQL queries etc.
Now, we want to shift to focus on security and shift to https as a first step.
I have read a no. of web-pages and some spring books but none seems to provide a clear answer on how Spring can be used to provide https security.
Can some one please help me in achieving the above?
Please let me know if my question is not clear. I will try to add more details ASAP.
Our web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
"
id="WebApp_ID" version="2.5">
<display-name>Spring3MVC</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<!--> Mapping for serving static web-content <-->
<!--> The resources folder must be in parallel to WEB-INF <-->
<!--> The mvc:resources gives "not bound" exception unless bound to a namespace as above for xmlns:mvc <-->
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:resources mapping="/scripts/**" location="/scripts/" />
</web-app>
There is only one controller right now for which, spring-servlet.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:component-scan
base-package="console.controllerpkg" />
<bean id="viewResolver"
class="org.springframework.web.servlet.view.UrlBasedViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
</beans>
Thanks a lot in advance!
P.S. If you can recommend me a good example based site/book on spring, it would be much appreciated. Most of the sites/books I have seen lay much emphasis on theory but very little examples. That has left me a little confused.

As Dave says, you need to configure your container to serve SSL, and then deploy your spring app into that container. Learn about configuring Tomcat for SSL.
Alternately, and more flexibly you can front your container using Apache, and enable SSL there.

Spring is not 100% responsible for configuring SSL. For that you need to configure the container (jetty, tomcat, etc) to handle SSL.

Thanks for all the help guys.
I will re-iterate what I did just for my own record purposes.
First of all, the link provided by nont about 'Tomcat for SSL' was really helpful.
I read all about SSL and Tomcat there and this is what I did:
On the command prompt, enter:
keytool -genkey -alias tomcat -keyalg RSA
The above command asked me some simple questions needed for a Certificate. I used the password 'changeit' wherever asked (as that is the default password).
On finishing with the above command, it generated a keystore file in C:/Documents and Settings//.keystore
I copied this .keystore file to tomcat/conf/myKeyStore.jks
Then I added the following to conf/server.xml :
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" minSpareThreads="5"
maxSpareThreads="75"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
maxThreads="200" debug="5"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${catalina.home}/conf/myKeyStore.jks"
keystoreType="JKS" keystorePass="changeit"
truststoreFile="${catalina.home}/conf/cacerts"
truststoreType="JKS" truststorePass="changeit"
SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
sslProtocol="TLS" />
And that's it!!
Next time, I ran tomcat my old http link did not work.
Then I tried adding sweet 's' to http with a port number of 8443 and lo! everything was up and running again.
Thanks nont for the wonderful link!!

Configure two different web sites, one for http and one for https, the one for http will have just a redirect to the https site.