[JENKINS-23378] Servlet 3.1

Start declaring servlet 3.1 dependency

[JENKINS-23378] Servlet 3.1
Start declaring servlet 3.1 dependency
8713646a · Kohsuke Kawaguchi · da91c95f · 8713646a · 8713646a · 8713646a
Showing with 9 addition and 31 deletion

core/pom.xml core/pom.xml +2 -2

core/src/main/java/hudson/WebAppMain.java core/src/main/java/hudson/WebAppMain.java +3 -26

war/src/main/webapp/WEB-INF/web.xml war/src/main/webapp/WEB-INF/web.xml +4 -3

未找到文件。
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -243,8 +243,8 @@ THE SOFTWARE.
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
-      <artifactId>servlet-api</artifactId>
-      <version>2.4</version>
+      <artifactId>javax.servlet-api</artifactId>
+      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>

--- a/core/src/main/java/hudson/WebAppMain.java
+++ b/core/src/main/java/hudson/WebAppMain.java
@@ -117,7 +117,9 @@ public class WebAppMain implements ServletContextListener {

            installLogger();

-            markCookieAsHttpOnly(context);
+            // Set the session cookie as HTTP only.
+            // See https://www.owasp.org/index.php/HttpOnly for the discussion of this topic in OWASP
+            context.getSessionCookieConfig().setHttpOnly(true);

            final FileAndDescription describedHomeDir = getHomeDir(event);
            home = describedHomeDir.file.getAbsoluteFile();
@@ -254,31 +256,6 @@ public class WebAppMain implements ServletContextListener {
        }
    }

-    /**
-     * Set the session cookie as HTTP only.
-     *
-     * @see <a href="https://www.owasp.org/index.php/HttpOnly">discussion of this topic in OWASP</a>
-     */
-    private void markCookieAsHttpOnly(ServletContext context) {
-        try {
-            Method m;
-            try {
-                m = context.getClass().getMethod("getSessionCookieConfig");
-            } catch (NoSuchMethodException x) { // 3.0+
-                LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x);
-                return;
-            }
-            Object sessionCookieConfig = m.invoke(context);
-
-            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
-            Class scc = Class.forName("javax.servlet.SessionCookieConfig");
-            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
-            setHttpOnly.invoke(sessionCookieConfig,true);
-        } catch (Exception e) {
-            LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e);
-        }
-    }
-
    public void joinInit() throws InterruptedException {
        initThread.join();
    }

--- a/war/src/main/webapp/WEB-INF/web.xml
+++ b/war/src/main/webapp/WEB-INF/web.xml
@@ -23,10 +23,11 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->

-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
-         version="2.4">
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1"
+         metadata-complete="true">
  <display-name>Jenkins v${project.version}</display-name>
  <description>Build management system</description>