For security compliance, http-only and secure cookies may need to be enabled within Wildfly. The instructions below cover how to enable the http-only and secure cookie settings. Running a deploy will not revert this change.
- Navigate to the following directory within your Infogix server:
  <install-dir>/wildfly/<jvm-name>/configuration
  <jvm-name> refers to the JVM/config name chosen during installation. This is commonly IA, II, IV, ER or default.
- Edit the standalone-full-ha.xml file.
- Add the following two attributes to the single-sign-on tag within the "default-host" host tag:
  http-only="true" secure="true"
  And add the following line within the undertow subsystem's default servlet container:
  <session-cookie http-only="true" secure="true"/>
  For example, the relevant snippet of the undertow subsystem with both changes would look similar to this:
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
      ...
      <server name="default-server">
          <ajp-listener name="ajp" socket-binding="ajp" max-post-size="0" max-parameters="10000"/>
          <http-listener name="default" socket-binding="http" max-post-size="0" max-parameters="10000" disallowed-methods="HEAD TRACE OPTIONS" redirect-socket="https" enable-http2="true"/>
          <https-listener name="https" socket-binding="https" max-post-size="0" max-parameters="10000" disallowed-methods="HEAD TRACE OPTIONS" security-realm="ApplicationRealm" enable-http2="true"/>
          <host name="default-host" alias="localhost">
              <filter-ref name="server-header"/>
              <filter-ref name="x-powered-by-header"/>
              <single-sign-on http-only="true" secure="true"/>
          </host>
      </server>
      <servlet-container name="default">
          <jsp-config/>
          <session-cookie http-only="true" secure="true"/>
          <websockets/>
      </servlet-container>
      ...
  </subsystem>
- Restart Wildfly.
- If you have multiple JVMs, then these steps will need to be repeated for each JVM directory.
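Because the same edit has to be repeated for every JVM directory, it is easy to miss one. The following script, added here as an example and not part of the Infogix or WildFly tooling, parses a standalone-full-ha.xml and reports whether the single-sign-on and session-cookie elements in the undertow subsystem carry http-only="true" and secure="true". It matches any undertow schema version and runs against a constructed sample when no file path is given.

```python
"""Check a WildFly standalone*.xml for the http-only/secure cookie settings.
Added example, not Infogix or WildFly code; SAMPLE_XML is constructed."""
import sys
import xml.etree.ElementTree as ET

UNDERTOW_NS_PREFIX = "urn:jboss:domain:undertow:"

# Constructed sample: single-sign-on is hardened, session-cookie is not.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.0">
 <profile>
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
   <server name="default-server">
    <host name="default-host" alias="localhost">
     <single-sign-on http-only="true" secure="true"/>
    </host>
   </server>
   <servlet-container name="default">
    <jsp-config/>
    <session-cookie http-only="true"/>
   </servlet-container>
  </subsystem>
 </profile>
</server>"""

def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def find_undertow(root):
    """Return the undertow subsystem element, whatever its schema version."""
    for el in root.iter():
        if _local(el.tag) == "subsystem" and el.tag.startswith("{" + UNDERTOW_NS_PREFIX):
            return el
    return None

def check_cookie_flags(xml_text):
    """Map element name -> list of attributes not set to "true" (empty list
    means compliant); None means the element (or the subsystem) is absent."""
    undertow = find_undertow(ET.fromstring(xml_text))
    if undertow is None:
        return {"undertow": None}
    findings = {}
    for name in ("single-sign-on", "session-cookie"):
        els = [e for e in undertow.iter() if _local(e.tag) == name]  # first match is checked
        findings[name] = None if not els else [a for a in ("http-only", "secure") if els[0].get(a) != "true"]
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for element, problems in check_cookie_flags(text).items():
        print(element + ": " + ("absent" if problems is None else ("ok" if not problems else "missing " + ", ".join(problems))))
```

Run it as python check_cookies.py <install-dir>/wildfly/<jvm-name>/configuration/standalone-full-ha.xml for each JVM directory; a line reading "absent" or "missing ..." means that instance still needs the edit above.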