How to Customize Web.xml

As part of a recent pen test, one of the findings was that the JSESSIONID cookie has the Secure property set to false. This is because we use a reverse proxy in front of the Servoy Apache site and the reverse proxy uses HTTP to the internal Servoy site.

One solution seems to be updating the Web.xml file with the following to force the Secure property to true:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Since the Web.xml file is generated with the .war file, is there a way to get the session-config section added to the Web.xml file when building the .war?

While you cannot add sections to the file, you can give the whole web.xml (grab the “wrong” one, save it locally, add the section) and add it as a parameter with -webXmlFileName.

It has to be a file that matches the version of Servoy, but you get a warning on build.

I successfully built a version using a modified web.xml with this script (on a Mac; you need to change some stuff on Windows to make it run in PowerShell):

#!/bin/zsh
USER='admin'
PASS='admin'
SERVOY_HOME='/home/ServoyHome'
LOG4J_CONFIG='<path>/log4j2-graylog-ede-intern.xml'
SERVOY_PROPERTIES='<path>/servoy_server-inmem.properties'
CONTEXT_FILE='<path>/context.xml'
WORKSPACE_DIR='<path>'
OUTPUT_PATH='<path>/'
SERVER_DIR='<path>/'
WEB_XML='<path>/web.xml'
# Timestamp appended to the WAR file name
DATUM=$(date +%Y%m%d-%H%M%S)
OUTPUT_FILE="<AppName>##$DATUM"

<servoy-path>/Contents/Eclipse/exporter/war_export.sh  \
  -data "$WORKSPACE_DIR" \
  -s <solution> \
  -warFileName "$OUTPUT_FILE" \
  -o "$OUTPUT_PATH" \
  -pfw "$SERVOY_PROPERTIES" \
  -as "$SERVER_DIR" \
  -defaultAdminUser "$USER" \
  -defaultAdminPassword "$PASS" \
  -crefs all \
  -srefs all \
  -updateSequences \
  -allowSQLKeywords \
  -allowDataModelChanges "<DB-Names>" \
  -md \
  -checkmd \
  -i18n \
  -users \
  -tables \
  -ie \
  -active true \
  -doNotOverwriteDBServerProperties \
  -allowSQLKeywords \
  -skipDatabaseViewsUpdate \
  -allowDataModelChanges true \
  -importUserPolicy 1 \
  -upgradeRepository \
  -overrideSequenceTypes \
  --overrideDefaultValues \
  -contextFileName "$CONTEXT_FILE" \
  -useAsRealAdminUser \
  -log4jConfigurationFile "$LOG4J_CONFIG" \
  -userHomeDirectory "$SERVOY_HOME" \
  -webXmlFileName "$WEB_XML"

Thanks Robert. Replacing the web.xml shouldn’t be a big deal since I’m only adding a small section and not modifying any default content. I’ll try it out this week.
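The "grab the web.xml, save it locally, add the section" step can be scripted so the cookie flags are applied and checked the same way before every build. The following is an added example, not code from this thread or from Servoy: the function names are hypothetical, the sample descriptor is constructed, and it assumes a Servlet 3.0 or later web.xml, since cookie-config does not exist in older descriptors.

```python
import xml.etree.ElementTree as ET

# Child order required by the Servlet 3.0+ web.xml schema for these elements.
SESSION_ORDER = ("session-timeout", "cookie-config", "tracking-mode")
COOKIE_ORDER = ("name", "domain", "path", "comment", "http-only", "secure", "max-age")

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip "{namespace}" prefix

def _child(parent, name, ns, order=()):
    """Find or create <name> under parent, keeping schema sequence order."""
    node = next((c for c in parent if _local(c.tag) == name), None)
    if node is None:
        node = ET.SubElement(parent, f"{{{ns}}}{name}" if ns else name)
    rank = lambda c: order.index(_local(c.tag)) if _local(c.tag) in order else len(order)
    parent[:] = sorted(parent, key=rank)   # stable sort: no-op when order is empty
    return node

def harden_session_cookie(web_xml_text):
    """Return web.xml text with <http-only> and <secure> set to true."""
    root = ET.fromstring(web_xml_text)     # note: XML comments are dropped
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)      # keep the default namespace unprefixed
    ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")
    session = _child(root, "session-config", ns)
    cookie = _child(session, "cookie-config", ns, SESSION_ORDER)
    for flag in ("http-only", "secure"):
        _child(cookie, flag, ns, COOKIE_ORDER).text = "true"
    ET.indent(root)                        # Python 3.9+
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def cookie_flags(web_xml_text):
    """Report the flags as booleans, e.g. to verify the file before the build."""
    found = {_local(e.tag): (e.text or "").strip() == "true"
             for e in ET.fromstring(web_xml_text).iter()}
    return {k: found.get(k, False) for k in ("http-only", "secure")}

# Constructed sample, not Servoy's generated file.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>example</display-name>
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""
```

Write the result of `harden_session_cookie` to the file passed with -webXmlFileName, and run `cookie_flags` on that file as a build gate so a regenerated web.xml without the flags is caught before deployment.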