]> git.mxchange.org Git - jjobs-war.git/commitdiff
added some http-only configuration to avoid common XSS
authorRoland Haeder <roland@mxchange.org>
Thu, 7 Apr 2016 10:58:16 +0000 (12:58 +0200)
committerRoland Haeder <roland@mxchange.org>
Thu, 7 Apr 2016 10:58:16 +0000 (12:58 +0200)
web/WEB-INF/web.xml

index 467ff549239efeee27b11a95648d04f8e1edb39c..e95cc0a5ca77cb40d27fee51682e12822ab35490 100644 (file)
@@ -1,70 +1,73 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
-       <description>An application for handling and sending out applications to companies.</description>
-       <display-name>JJobs v1.0</display-name>
-       <context-param>
-               <param-name>javax.faces.PROJECT_STAGE</param-name>
-               <param-value>Development</param-value>
-       </context-param>
-       <servlet>
-               <servlet-name>Faces Servlet</servlet-name>
-               <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
-               <load-on-startup>1</load-on-startup>
-       </servlet>
-       <servlet-mapping>
-               <servlet-name>Faces Servlet</servlet-name>
-               <url-pattern>/faces/*</url-pattern>
-       </servlet-mapping>
-       <session-config>
-               <session-timeout>
-                       30
-               </session-timeout>
-       </session-config>
-       <welcome-file-list>
-               <welcome-file>faces/index.xhtml</welcome-file>
-       </welcome-file-list>
-       <security-constraint>
-               <display-name>LoginConstraint</display-name>
-               <web-resource-collection>
-                       <web-resource-name>loginArea</web-resource-name>
-                       <description>Login area</description>
-                       <url-pattern>/llogin/*</url-pattern>
-               </web-resource-collection>
-               <auth-constraint>
-                       <description>User Authentication</description>
-                       <role-name>user</role-name>
-               </auth-constraint>
-       </security-constraint>
-       <security-constraint>
-               <display-name>AdminConstraint</display-name>
-               <web-resource-collection>
-                       <web-resource-name>admin</web-resource-name>
-                       <description>Administrative area</description>
-                       <url-pattern>/admin/*</url-pattern>
-               </web-resource-collection>
-               <auth-constraint>
-                       <description>Admin authentication</description>
-                       <role-name>admin</role-name>
-               </auth-constraint>
-       </security-constraint>
-       <login-config>
-               <auth-method>FORM</auth-method>
-               <realm-name>Loginbereich / Login area</realm-name>
-               <form-login-config>
-                       <form-login-page>/user/login.xhtml</form-login-page>
-                       <form-error-page>/user/login_error.xhtml</form-error-page>
-               </form-login-config>
-       </login-config>
-       <security-role>
-               <description>A logged-in user that has previously registered himself/herself.</description>
-               <role-name>user</role-name>
-       </security-role>
-       <mime-mapping>
-               <extension>tpl</extension>
-               <mime-type>text/plain</mime-type>
-       </mime-mapping>
-       <security-role>
-               <description>Administrativre rule</description>
-               <role-name>admin</role-name>
-       </security-role>
+    <description>An application for handling and sending out applications to companies.</description>
+    <display-name>JJobs v1.0</display-name>
+    <context-param>
+        <param-name>javax.faces.PROJECT_STAGE</param-name>
+        <param-value>Development</param-value>
+    </context-param>
+    <servlet>
+        <servlet-name>Faces Servlet</servlet-name>
+        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>Faces Servlet</servlet-name>
+        <url-pattern>/faces/*</url-pattern>
+    </servlet-mapping>
+    <session-config>
+        <session-timeout>
+            30
+        </session-timeout>
+        <cookie-config>
+            <http-only>true</http-only>
+        </cookie-config>
+    </session-config>
+    <welcome-file-list>
+        <welcome-file>faces/index.xhtml</welcome-file>
+    </welcome-file-list>
+    <security-constraint>
+        <display-name>LoginConstraint</display-name>
+        <web-resource-collection>
+            <web-resource-name>loginArea</web-resource-name>
+            <description>Login area</description>
+            <url-pattern>/llogin/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <description>User Authentication</description>
+            <role-name>user</role-name>
+        </auth-constraint>
+    </security-constraint>
+    <security-constraint>
+        <display-name>AdminConstraint</display-name>
+        <web-resource-collection>
+            <web-resource-name>admin</web-resource-name>
+            <description>Administrative area</description>
+            <url-pattern>/admin/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <description>Admin authentication</description>
+            <role-name>admin</role-name>
+        </auth-constraint>
+    </security-constraint>
+    <login-config>
+        <auth-method>FORM</auth-method>
+        <realm-name>Loginbereich / Login area</realm-name>
+        <form-login-config>
+            <form-login-page>/user/login.xhtml</form-login-page>
+            <form-error-page>/user/login_error.xhtml</form-error-page>
+        </form-login-config>
+    </login-config>
+    <security-role>
+        <description>A logged-in user that has previously registered himself/herself.</description>
+        <role-name>user</role-name>
+    </security-role>
+    <mime-mapping>
+        <extension>tpl</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <security-role>
+        <description>Administrativre rule</description>
+        <role-name>admin</role-name>
+    </security-role>
 </web-app>