4

I'm using Grails 2.2.4 with the Shiro plugin 1.1.4 and would like to mark the cookies as secure so the session information won't be sent over HTTP.

I'm looking for the Grails way to set this setting, which normally would be in shiro.ini

securityManager.sessionManager.sessionIdCookie.secure = true

Open JIRA issue to track this: http://jira.grails.org/browse/GPSHIRO-76

Jay Prall

4 Answers

3

Another option is to patch sessionCookieConfig off of the servletContext in BootStrap:

class BootStrap {
    def init = { servletContext ->
        servletContext.sessionCookieConfig.secure = true
    }
}

Note: The option causes Grails 2.2.4 integration tests to fail with an AbstractMethodError.

 Error Error executing script TestApp: org.springframework.mock.web.MockServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig; 
java.lang.AbstractMethodError: org.springframework.mock.web.MockServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig;
    at BootStrap$_closure1.doCall(BootStrap.groovy:44)
    at grails.util.Environment.evaluateEnvironmentSpecificBlock(Environment.java:308)
        ...
Jay Prall
2

You can set this through the shiroSecurityManager bean. For example, in BootStrap:

def shiroSecurityManager

def init = { servletContext ->
    shiroSecurityManager.sessionManager.sessionIdCookie.secure = true
    ...
}
ataylor
  • I tried this and it produced an error: `Message: No such property: sessionIdCookie for class: org.apache.shiro.web.session.mgt.ServletContainerSessionManager` – Jay Prall Oct 25 '13 at 23:14
  • Ok, I think you need to override the type of the session manager. See this question: http://stackoverflow.com/questions/8633910/shiro-grails-plugin-config – ataylor Oct 26 '13 at 04:19
1

You can put your ini settings in the following block in Config.groovy:

   security {
     shiro {
        filter.config = """
                       [main]your ini settings
                       [urls]your ini settings 
                       """
     }
   }
wildleaf
0
  1. Install the templates in your application if you don't already have them: `grails install-templates`
  2. Edit src/templates/war/web.xml so that it has session-config with cookie-config in it:
    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>
Jay Prall
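To confirm that whichever approach from the answers above is deployed actually took effect, the following Python check (an added example, not part of any answer on this page) scans captured response headers and reports session cookies that were issued without the Secure attribute. The sample headers are constructed, and the cookie name JSESSIONID (the servlet container default) is an assumption about the application.

```python
# Constructed sample response headers (not captured from a real application).
BEFORE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app/; HttpOnly",
    "Content-Type: text/html;charset=UTF-8",
]
AFTER = [
    "HTTP/1.1 200 OK",
    "set-cookie: JSESSIONID=0123456789ABCDEF; Path=/app/; secure; HttpOnly",
    "Content-Type: text/html;charset=UTF-8",
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    # Only the parts after the first ';' are attributes; the cookie value is ignored,
    # so a cookie whose value happens to be "secure" is not mistaken for a flagged one.
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name, flags


def cookies_missing_secure(header_lines, names=("JSESSIONID",)):
    """Return the sorted names of audited cookies issued at least once without Secure.

    names: cookies to audit (assumption: JSESSIONID unless the app renamed it).
    Header field names and cookie names are matched case-insensitively.
    """
    wanted = {n.lower() for n in names}
    missing = set()
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, flags = parse_set_cookie(value)
        if name.lower() in wanted and "secure" not in flags:
            missing.add(name)
    return sorted(missing)


if __name__ == "__main__":
    print("before:", cookies_missing_secure(BEFORE))
    print("after: ", cookies_missing_secure(AFTER))
```

Feed it the headers of every response that can create or renew a session (first visit, login, logout), since a single response that sets the cookie without Secure is enough to fail the check.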