NonStop Servlets for JavaServer Pages (NSJSP) 7.0 System Administrator's Guide
Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) 7.0 System Administrator’s Guide—674372-005
The context.xml File
Table 3-17. Property List for the Context Element (page 4 of 6)

Property / Description

useHttpOnly
    Indicates whether the HttpOnly flag is included in the HTTP response
    header.

    If the HttpOnly flag is included in the HTTP response header, a cookie
    cannot be accessed through a client-side script when the browser
    supports this flag. As a result, even if a cross-site scripting (XSS)
    flaw exists and a user accidentally follows a link that exploits this
    flaw, a browser such as Internet Explorer does not reveal the cookie to
    a third party. If a browser does not support HttpOnly and a website
    attempts to set an HttpOnly cookie, the browser ignores the HttpOnly
    flag, creating a traditional script-accessible cookie. As a result, the
    session cookie becomes vulnerable to theft or modification by malicious
    script. If this property is not specified, the default value is false.

allowLinking
    If the value of this flag is true, symlinks are allowed inside the web
    application that point to resources outside the web application base
    path. If this property is not specified, the default value is false.

    It is suggested that the value of this property be set to false.
    Setting this to false instructs the NSJSP servlet container to check
    whether the resource belongs to the application base. If this is set to
    true, an application can reference resources outside its base directory,
    which could prove to be a security risk in some cases. A good practice
    is to limit the application's references to only those resources that
    are under its base directory.

addWebinfClassesResources
    This property controls whether, in addition to static resources being
    served from META-INF/resources inside web application JAR files, static
    resources are also served from WEB-INF/classes/META-INF/resources. This
    only applies to web applications with a major version of 3 or higher.
    Since this is a proprietary extension to the Servlet 3 specification, it
    is disabled by default. To enable this feature, set the property to
    true.

antiJARLocking
    The default value is false, and it is suggested to always keep this
    value set to false. This property is used on platforms where access to
    an application resource such as a JAR file results in file locks. For
    example, if URLClassLoader.getResource() accessed a JAR file, the JAR
    file could become locked. Such a situation does not occur on NonStop,
    so the value should be set to false.
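The following audit script is an added example, not part of the guide or of NSJSP. It reads a context.xml and reports where the effective value of useHttpOnly, allowLinking or antiJARLocking differs from what the table recommends, applying the table's stated defaults when a property is omitted. It assumes the properties are written as attributes of the Context element; the function name audit_context and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults the table states for a property that is not specified.
DEFAULTS = {"useHttpOnly": "false", "allowLinking": "false",
            "antiJARLocking": "false"}

# Expected value per property, with the reason given in the table text.
EXPECTED = {
    "useHttpOnly": ("true",
                    "session cookie stays readable by client-side script"),
    "allowLinking": ("false",
                     "symlinks may reach resources outside the application base"),
    "antiJARLocking": ("false",
                       "JAR locking does not occur on NonStop; keep false"),
}

def audit_context(xml_text):
    """Return (context, property, value, source, reason) for each deviation.

    'source' is "explicit" when the attribute is present in the file and
    "default" when the finding comes from an omitted attribute.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also yields the root itself, so a plain context.xml is covered.
    for index, ctx in enumerate(root.iter("Context")):
        for prop, (want, reason) in EXPECTED.items():
            raw = ctx.get(prop)
            value = (raw if raw is not None else DEFAULTS[prop]).strip().lower()
            if value != want:
                source = "explicit" if raw is not None else "default"
                findings.append(("Context[%d]" % index, prop, value,
                                 source, reason))
    return findings

# Constructed sample: useHttpOnly is omitted, allowLinking is enabled.
SAMPLE = """<Context allowLinking="true" antiJARLocking="false">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

if __name__ == "__main__":
    for finding in audit_context(SAMPLE):
        print("%s: %s=%s (%s): %s" % finding)
```

A finding marked "default" means the property is absent from the file, so the value has to be set explicitly to change the behaviour.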










