Hello,

I think there may be something wrong with the "secure" flag... Just as with the timeout (https://github.com/ops4j/org.ops4j.pax.web/issues/1912), I may have missed something... Good that there's a workaround for Jetty.
Please create an issue at https://github.com/ops4j/org.ops4j.pax.web/issues specifying the problem - I'll have a look at it soon.

regards
Grzegorz Grzybek

Wed, 17 Jan 2024 at 10:14 Ivaylo M <i.mi...@gmail.com> wrote:

> Hi Grzegorz,
>
> First off, thank you so much for the Pax Web 8 effort. It really helps to
> have a proper implementation of the OSGi R6/7 http and whiteboard service
> specs.
>
> Quick question - are the <session-config> and <cookie-config> elements in
> web deployment descriptors supported now? I found a note they weren't in
> Pax Web 4, but a lot must have changed since. These elements seem to be
> ignored in our app.
>
> Related, I cannot seem to get the session cookie to be configured with the
> Secure flag via the org.ops4j.pax.web.cfg file in Karaf 4.4.4.
>
> Setting org.ops4j.pax.web.session.cookie.secure = true has no effect if
> the connector used is http (non-secure).
>
> In my mind, if org.ops4j.pax.web.session.cookie.secure is set, the flag
> should be set in the cookie header, no matter the connector/transport. We
> offload TLS at the load balancer, and this use case is rather common.
>
> I had to use the jetty-web.xml to set the session cookie config secure
> flag to true to work around it.
>
> <Get name="sessionHandler">
>   <Get name="sessionCookieConfig">
>     <Set name="secure" type="boolean">true</Set>
>   </Get>
> </Get>
>
> But something is still off, because when I get the SessionConfig via the
> ServletContext, the getSessionCookieConfig().isSecure() returns false.
>
> Before I spend any more time on it, please let me know if there is
> something significant that I must be missing.
>
> Thanks,
> Ivaylo

--
OPS4J - http://www.ops4j.org - ops4j@googlegroups.com
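An added example, not part of the thread and not Pax Web code: since the configuration property, the jetty-web.xml workaround and `isSecure()` disagree in the report above, the `Set-Cookie` header on the wire is the value to check, both at the backend http connector and through the load balancer. The header blocks are constructed samples, and the cookie name `JSESSIONID` is assumed to be the container default.

```python
# Added example. The two header blocks below are constructed samples,
# not captures from a real Pax Web / Jetty instance.
SESSION_COOKIE = "JSESSIONID"  # assumption: container default cookie name

BACKEND_HTTP = (  # constructed: flag absent on the plain http connector
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=node0abc123.node0; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)
WITH_WORKAROUND = (  # constructed: flag forced on, as the workaround intends
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=node0abc123.node0; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, lowercased attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs

def audit_response(raw_headers, cookie_name=SESSION_COOKIE):
    """Return findings for the session cookie in a raw response header block."""
    findings, seen = [], False
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")  # status line has no colon
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue
        seen = True
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in attrs:
                findings.append("missing " + label)
    if not seen:
        findings.append("no session cookie set")
    return findings

if __name__ == "__main__":
    print("backend http:", audit_response(BACKEND_HTTP))
    print("with workaround:", audit_response(WITH_WORKAROUND))
```
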