NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
The context.xml File
Table 3-17. Attribute List for the Context Element (page 3 of 5)

Attribute            Description

useHttpOnly          Indicates whether the HttpOnly flag is included in the HTTP
                     response header.
                     If the HttpOnly flag is included in the HTTP response header,
                     a cookie cannot be accessed through a client-side script when
                     the browser supports this flag. As a result, even if a
                     cross-site scripting (XSS) flaw exists and a user accidentally
                     follows a link that exploits this flaw, a browser such as
                     Internet Explorer does not reveal the cookie to a third party.
                     If a browser does not support HttpOnly and a website attempts
                     to set an HttpOnly cookie, the browser ignores the HttpOnly
                     flag and creates a traditional script-accessible cookie. As a
                     result, the session cookie becomes vulnerable to theft or
                     modification by malicious script. If this attribute is not
                     specified, the default value is false.

allowLinking         If the value of this flag is true, symbolic links inside the
                     web application are allowed to point to resources outside the
                     web application base path. If this attribute is not specified,
                     the default value is false.
                     It is suggested that this attribute be set to false. Setting
                     it to false instructs the NSJSP servlet container to check
                     that each resource belongs to the application base. If it is
                     set to true, an application can reference resources outside
                     its base directory, which can be a security risk in some
                     cases. A good practice is to limit an application's references
                     to resources under its own base directory.

antiJARLocking       The default value is false, and it is suggested that this
                     value always be kept false. This attribute is intended for
                     platforms on which accessing an application resource such as
                     a JAR file leaves the file locked; for example, a call to
                     URLClassLoader.getResource() that accesses a JAR file could
                     leave that JAR file locked. This situation does not occur on
                     NonStop, so the value should be set to false.

antiResourceLocking  The default value is false, and it is suggested that it be
                     kept false. If set to true, the NSJSP servlet container copies
                     each application into a separate directory in the temp
                     folder. This is meant for platforms that lock file resources
                     when accessing them. Setting this attribute to true results in
                     significantly longer startup times.

cacheMaxSize         Maximum size of the static resource cache in kilobytes. If
                     not specified, the default value is 10240 (10 megabytes).
                     Note. It is suggested that web application static resources
                     be served by the iTP Secure WebServer.
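As an added example (not part of the guide or of NSJSP itself), the following Python script parses a context.xml and reports Context attributes whose effective value departs from the suggestions in this table, taking into account that an unspecified useHttpOnly silently defaults to false. The attribute names and defaults come from the table; the two sample documents are constructed for the example.

```python
# Added example (not from the NSJSP guide): audit a context.xml <Context>
# element against the defaults and recommendations stated in Table 3-17.
# Attribute names and defaults come from the table; samples are constructed.
import xml.etree.ElementTree as ET

# name -> (value assumed when the attribute is absent, recommended value)
CONTEXT_POLICY = {
    "useHttpOnly": ("false", "true"),           # default leaves the cookie script-accessible
    "allowLinking": ("false", "false"),         # true lets symlinks escape the app base
    "antiJARLocking": ("false", "false"),       # not needed on NonStop
    "antiResourceLocking": ("false", "false"),  # not needed on NonStop; slows startup
}
DEFAULT_CACHE_MAX_SIZE_KB = 10240  # documented default for cacheMaxSize

def find_context(xml_text):
    """Return the <Context> element of a context.xml document (root or nested)."""
    root = ET.fromstring(xml_text)
    ctx = root if root.tag == "Context" else root.find(".//Context")
    if ctx is None:
        raise ValueError("no <Context> element found")
    return ctx

def audit_context(xml_text):
    """List (attribute, effective value, source) for each policy attribute whose
    effective value differs from the recommendation; source says whether the weak
    value was written explicitly or merely inherited from the default."""
    ctx = find_context(xml_text)
    findings = []
    for name, (default, recommended) in CONTEXT_POLICY.items():
        raw = ctx.get(name)
        effective = (default if raw is None else raw).strip().lower()
        if effective != recommended:
            source = "default (attribute not specified)" if raw is None else "explicit"
            findings.append((name, effective, source))
    return findings

def cache_max_size_kb(xml_text):
    """Effective static resource cache size in KB, applying the documented default."""
    raw = find_context(xml_text).get("cacheMaxSize")
    return DEFAULT_CACHE_MAX_SIZE_KB if raw is None else int(raw)

# Constructed samples: one relying on the useHttpOnly default and enabling
# allowLinking, and one with the suggested settings written out explicitly.
WEAK_CONTEXT = '<Context path="/myapp" docBase="myapp" allowLinking="true"/>'
HARDENED_CONTEXT = ('<Context path="/myapp" docBase="myapp" useHttpOnly="true" '
                    'allowLinking="false" cacheMaxSize="4096"/>')
```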