Hello Rui Tang,

I am using a web container, Apache TomEE, with the version
*apache-tomee-plus-1.7.1*

I think it is equivalent to Apache Tomcat with enhanced features, having
application server behavior as follows:

Tomcat + Java EE = TomEE

On Fri, Jul 10, 2015 at 1:31 PM, Rui Tang <[email protected]> wrote:

> It's not about the version number in web.xml, but the real servlet
> version that your container supports. If your container only supports
> servlet 2.5, the way you write the web.xml will not work.
>
> Can you tell me what your web container is? Tomcat, or something such as WebLogic?
>
> On Fri, Jul 10, 2015 at 3:55 PM, Nagaraju Kurma <
> [email protected]> wrote:
>
>> Hello Rui Tang,
>>
>> I am using servlet 3.0 only and my web.xml as follows.
>>
>> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>> *version="3.0"*>
>>
>> Sorry, I am not clear on how to implement this configuration in my
>> application, as I am not running any Jetty configuration at all.
>>
>> Could you please elaborate on the configuration files needed to
>> hide the JSESSIONID in my simple Spring & Shiro based web application?
>>
>>
>>
>>
>> On Fri, Jul 10, 2015 at 12:58 PM, Rui Tang <[email protected]> wrote:
>>
>>> <session-config> is available for servlet 3.0. If you use a web container
>>> that supports a lower version, you have to configure it via the container's config.
>>>
>>> E.g. for jetty,
>>> http://www.eclipse.org/jetty/documentation/current/session-management.html
>>>
>>> On Fri, Jul 10, 2015 at 2:15 PM, Nagaraju Kurma <
>>> [email protected]> wrote:
>>>
>>>> Hello Team,
>>>>
>>>> Thanks for spending your valuable time.
>>>>
>>>> *1) Session Fixation*
>>>>
>>>> Implemented the same as the above link describes. It's working fine, but
>>>> it is outside of the framework and not developer friendly. As this is
>>>> a high security concern, somewhere we need to have a configuration as part
>>>> of Shiro only.
>>>>
>>>> *2) Session Token in url*
>>>>
>>>> I have one more question: on the first request after the session has
>>>> started, *JSESSIONID* is appended to the URL as follows:
>>>>
>>>>
>>>> http://localhost:8080/myapp1/anon/login;JSESSIONID=c04cd50c-65fc-4448-9a27-732e6d40dfad
>>>>
>>>> This is also one of the security concerns. How to resolve it? Does anybody
>>>> have any workaround for this?
>>>>
>>>> I am working with Spring & Shiro, so I tried the following
>>>> configuration, but it failed.
>>>>
>>>> <session-config>
>>>> <tracking-mode>COOKIE</tracking-mode>
>>>> </session-config>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Jul 10, 2015 at 11:19 AM, Rui Tang <[email protected]>
>>>> wrote:
>>>>
>>>>> Here's an issue about this problem.
>>>>>
>>>>> https://issues.apache.org/jira/browse/SHIRO-170
>>>>>
>>>>> Even though it hasn't been fixed, there are some workarounds
>>>>> in the comments.
>>>>>
>>>>> On Thu, Jul 9, 2015 at 1:26 PM, Nagaraju Kurma <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi Team,
>>>>>>
>>>>>> Is there any workaround on this?
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Thanks & Regards
>>>>>>
>>>>>> Nagaraju Kurma
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> 唐睿
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Thanks & Regards
>>>>
>>>> Nagaraju Kurma
>>>>
>>>
>>>
>>>
>>> --
>>> 唐睿
>>>
>>
>>
>>
>> --
>>
>> Thanks & Regards
>>
>> Nagaraju Kurma
>>
>
>
>
> --
> 唐睿
>



-- 

Thanks & Regards

Nagaraju Kurma
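
The `;JSESSIONID=...` path parameter described in the original question can be looked for in access logs, both in request targets and in Referer values. The following is an added example, not part of the thread and not Shiro or TomEE code; it assumes the combined access-log format, and the log lines and token value are constructed.

```python
import re
from urllib.parse import urlsplit

# Servlet path parameter carrying the session id, e.g. "/login;JSESSIONID=abc".
# Case-insensitive: containers emit "jsessionid", the thread's URL shows "JSESSIONID".
SESSION_PARAM = re.compile(r'(;jsessionid=)[^;/?#\s"]+', re.IGNORECASE)

# Combined log format (assumed): "METHOD target PROTO" status bytes "referer" ...
LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines; the token value is made up.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jul/2015:11:40:01 +0000] '
    '"GET /myapp1/anon/login;JSESSIONID=0a1b2c3d HTTP/1.1" 200 512 "-" "UA"',
    '127.0.0.1 - - [10/Jul/2015:11:40:02 +0000] "GET /myapp1/app.css HTTP/1.1" 200 90 '
    '"http://localhost:8080/myapp1/anon/login;JSESSIONID=0a1b2c3d" "UA"',
    '127.0.0.1 - - [10/Jul/2015:11:41:00 +0000] "GET /myapp1/home HTTP/1.1" 200 700 '
    '"http://localhost:8080/myapp1/anon/login" "UA"',
]


def redact(url):
    """Blank the token value so a finding can be shared without leaking it."""
    return SESSION_PARAM.sub(r"\1<redacted>", url)


def find_url_session_ids(lines):
    """Return one finding per log field that exposes a session id in a URL path."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = LOG_LINE.search(line)
        if not match:
            continue  # not an access-log line in the assumed format
        # The request target shows a rewritten URL was followed; the Referer shows
        # the token travelling onward with later requests.
        for field in ("target", "referer"):
            value = match.group(field) or ""
            if SESSION_PARAM.search(urlsplit(value).path):
                findings.append({"line": lineno, "field": field, "url": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in find_url_session_ids(SAMPLE_LOG):
        print(finding)
```

Running the same check on logs collected after a cookie-only tracking configuration is in place gives a quick signal of whether URL rewriting is still happening.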
