Does Jetty Maven Plugin 8.0.0.M3 support all of Servlet 3?

I have the following in my web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <session-timeout>15</session-timeout>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

However, according to the OWASP Zed Attack Proxy (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project), cookies are still set by Spring Security without httpOnly or secure flags.

If I distribute the same application in Tomcat 7, it seems to respect these settings from web.xml.

+3
1 answer

Solution: Put the items in the correct order:

<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
0
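The answer's point is that the order of the children of session-config is significant: the Servlet 3.0 schema (web-common_3_0.xsd) declares session-configType as an xsd:sequence of session-timeout, cookie-config, tracking-mode, and a container that parses strictly may drop or ignore cookie-config when it appears out of sequence. The script below is an added example, not code from the question, the answer, Jetty or Spring Security. It parses a web.xml string, reports whether the children are in the schema order and what the http-only and secure flags are set to, and separately checks a Set-Cookie header value for the HttpOnly and Secure attributes, which is the check ZAP performs. The two web.xml fragments and the Set-Cookie lines are constructed samples modelled on the question and answer; the function names are mine.

```python
"""Check a web.xml <session-config> block and a Set-Cookie header for session-cookie hardening.

Added example; assumes the Servlet 3.0 schema child order for <session-config>.
"""
import xml.etree.ElementTree as ET

# Child order declared by the Servlet 3.0 schema (session-configType is an xsd:sequence).
SESSION_CONFIG_ORDER = ["session-timeout", "cookie-config", "tracking-mode"]

# Constructed sample: the ordering from the question (cookie-config before session-timeout).
BAD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <session-timeout>15</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample: the ordering from the answer.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_session_config(web_xml):
    """Inspect <session-config> in a web.xml string.

    Returns a dict with:
      ordered   - True if the children follow SESSION_CONFIG_ORDER
      http_only - value of <http-only> as a bool, or None if absent
      secure    - value of <secure> as a bool, or None if absent
      problems  - list of findings a reviewer would want to see
    """
    root = ET.fromstring(web_xml)
    result = {"ordered": False, "http_only": None, "secure": None, "problems": []}
    sc = next((e for e in root.iter() if _local(e.tag) == "session-config"), None)
    if sc is None:
        result["problems"].append("no <session-config> element found")
        return result

    children = [_local(c.tag) for c in sc]
    unknown = [c for c in children if c not in SESSION_CONFIG_ORDER]
    ranks = [SESSION_CONFIG_ORDER.index(c) for c in children if c in SESSION_CONFIG_ORDER]
    result["ordered"] = ranks == sorted(ranks) and not unknown
    if unknown:
        result["problems"].append("unexpected children in <session-config>: %s" % ", ".join(unknown))
    if ranks != sorted(ranks):
        result["problems"].append(
            "children out of schema order: got %s, expected %s"
            % (children, SESSION_CONFIG_ORDER))

    cc = next((c for c in sc if _local(c.tag) == "cookie-config"), None)
    if cc is not None:
        for flag in cc:
            name = _local(flag.tag)
            if name in ("http-only", "secure"):
                result[name.replace("-", "_")] = (flag.text or "").strip().lower() == "true"
    for key, label in (("http_only", "http-only"), ("secure", "secure")):
        if result[key] is not True:
            result["problems"].append("<%s> is not set to true" % label)
    return result


def check_set_cookie(header_value):
    """Return the hardening attributes missing from one Set-Cookie header value.

    This is the runtime check a proxy such as ZAP performs; attribute names are
    matched case-insensitively, as browsers do.
    """
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [name for name in ("HttpOnly", "Secure") if name.lower() not in attrs]


if __name__ == "__main__":
    for label, doc in (("question", BAD_WEB_XML), ("answer", GOOD_WEB_XML)):
        print(label, check_session_config(doc))
    # Constructed Set-Cookie lines: one as ZAP would flag it, one hardened.
    print(check_set_cookie("JSESSIONID=abc123; Path=/"))
    print(check_set_cookie("JSESSIONID=abc123; Path=/; Secure; HttpOnly"))
```

Run the static check against the web.xml you deploy and the runtime check against the actual Set-Cookie response from each container: the question shows that a web.xml which passes on Tomcat 7 can still produce an unflagged cookie elsewhere, so the response header is the result that matters.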
