JAX-RS in Java
JAX-RS is an important technology/standard/specification in the JavaEE family. Version 1.1 is included in Java EE 6. JAX-RS enables Java applications to become REST enabled.
Currently JAX-RS v2.0 specification work is under development in the JCP.
This is a non-standard flag in the cookie standard. But all the major browser implementations support this. So it is important for all Java server runtimes and frameworks that deal with cookies to support HttpOnly.
JavaEE6 has support for HttpOnly via the Servlet3 specification as well as support for configuration in the web.xml cookie-config xml element.
JAX-RS 2.0 has been updated to incorporate HttpOnly flag in the NewCookie class (http://lists.jboss.org/pipermail/security-dev/2013-February/000783.html) Thanks to Bill Burke. [ Bill Burke created a JIRA issue with the spec: http://java.net/projects/jax-rs-spec/lists/issues/archive/2013-02/message/0 )]
HttpOnly in JAX-RS
For Jax-RS 1.1 (included in Java EE 6), you will need to do something like the following:
NewCookie cookie = new NewCookie(...);
Response response = Response.ok().header("Set-Cookie", cookie.toString()+ ";HttpOnly").build();
RESTEasy project has ServerResponse that extends JAX-RS Response class. This class is very important for pre and post processing interceptors.