Google Site Search

Google
 

Friday, February 1, 2013

JAX-RS and HTTPOnly flag in Cookies

JAX-RS in Java


JAX-RS is an important technology/standard/specification in the JavaEE family. Version 1.1 is included in Java EE 6. JAX-RS enables Java applications to become REST enabled.

Currently JAX-RS v2.0 specification work is under development in the JCP.

HttpOnly Flag


HttpOnly flag in cookies sent from the server have an important behavior on the client side (browser based applications). Javascript applications cannot access the cookies marked with HttpOnly flag.

This is a non-standard flag in the cookie standard.  But all the major browser implementations support this. So it is important for all Java server runtimes and frameworks that deal with cookies to support HttpOnly.

JavaEE6 has support for HttpOnly via the Servlet3 specification as well as support for configuration in the web.xml cookie-config xml element.

JAX-RS 2.0 has been updated to incorporate HttpOnly flag in the NewCookie class (http://lists.jboss.org/pipermail/security-dev/2013-February/000783.html) Thanks to Bill Burke. [ Bill Burke created a JIRA issue with the spec: http://java.net/projects/jax-rs-spec/lists/issues/archive/2013-02/message/0 )]

HttpOnly in JAX-RS


For Jax-RS 1.1 (included in Java EE 6), you will need to do something like the following:

=============
NewCookie cookie = new NewCookie(...);
Response response = Response.ok().header("Set-Cookie", cookie.toString()+ ";HttpOnly").build();
=============

Example: https://github.com/picketlink/picketlink-extensions/blob/master/core/src/main/java/org/picketlink/extensions/core/rest/interceptors/PostSignInCookieInterceptor.java

RESTEasy project has ServerResponse that extends JAX-RS Response class.  This class is very important for pre and post processing interceptors.

References

  1. RESTEasy
  2. JAX-RS discussion on HttpOnly
  3. PicketLink discussion on RESTEasy/HttpOnly