JasperReports Server uses cookies in several ways:
• userTimezone and userLocale to store user settings
• Other UI settings such as "Recently Viewed Resources" and "Popular Resources" on the home page and data source page history. The cookie names for those resources are homePageRecentlyViewedResourcesExpandableListState, homePagePopularLinksExpandableListState, and DataSourceControllerHistory.
The JSESSIONID cookie is managed by the application server, so its security setting depends on your app server configuration.
Jaspersoft doesn't set the secure flag on these cookies because we don't want to force you to use secure connections. If you want all cookies to be secure, you must customize the source files that create the cookies. This requires the source code distribution and recompiling and building the server app, as described in the TIBCO JasperReports Server Source Build Guide.
To customize JasperReports Server so cookies are sent only via secure connections:
1. For the time zone and locale cookies, open the following file to edit:
jasperserver-war-jar/src/main/java/com/jaspersoft/jasperserver/war/UserPreferencesFilter.java
2. Locate the following code in 2 locations, one for each cookie, and add the middle line to both:
For more information, see the JavaDoc for the setSecure method on the javax.servlet.http.Cookie class.
3. For the cookies set in JavaScript (homePageRecentlyViewedResourcesExpandableListState and homePagePopularLinksExpandableListState), edit the following file:
jasperserver-war/src/main/webapp/scripts/home/util/cookie.js
4. Locate the following line:
document.cookie = updatedCookie;
Modify the line as follows:
document.cookie = updatedCookie + ";secure;";
5. Edit the following file:
jasperserver-war/src/main/webapp/scripts/runtime_dependencies/jrs-ui/src/utils.common.js
6. Locate the following line:
return _.template('{{- name}}={{- value}}; expires={{- expires}}; path=/;')
Modify the line as follows:
return _.template('{{- name}}={{- value}}; expires={{- expires}}; path=/;secure;')
7. To redeploy the JavaScript files, you will need to optimize and implement them as described in section "Customizing JavaScript Files" in the TIBCO JasperReports Server Ultimate Guide. The optimized scripts are the ones that are served by JasperReports Server by default.
8. Recompile, rebuild, and redeploy the JasperReports Server application.
This acts only on the cookies. Providing a secure connection is up to the client application, usually by configuring and establishing an HTTPS connection, as described in Enabling SSL in Tomcat. If no secure connection is established, the cookies with the secure flag will not be sent and user settings won’t take effect.
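To confirm the change after redeploying, the following added example (not part of the original documentation or the JasperReports Server code base) reports which cookie strings lack the Secure attribute. The sample cookie values and the /jasperserver path are constructed for illustration; the function names are hypothetical.

```javascript
// Added example: audit cookie strings for the Secure attribute.
// Works on Set-Cookie header values and on strings assigned to document.cookie.

// Split one cookie string into its name, value and a set of attribute names.
function parseCookie(line) {
  const parts = line.split(';').map(p => p.trim()).filter(p => p.length > 0);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq);
  const value = eq === -1 ? '' : first.slice(eq + 1);
  const attrs = new Set();
  for (const p of parts) {
    const i = p.indexOf('=');
    // Attribute names are case-insensitive; any value after "=" is ignored here.
    attrs.add((i === -1 ? p : p.slice(0, i)).trim().toLowerCase());
  }
  return { name, value, attrs };
}

// Return the names of cookies that would still be sent over plain HTTP.
function cookiesMissingSecure(lines) {
  return lines
    .map(parseCookie)
    .filter(c => !c.attrs.has('secure'))
    .map(c => c.name);
}

// Constructed sample input (not captured from a real server).
const sample = [
  'userTimezone=America/Los_Angeles; Path=/jasperserver; Secure',
  'userLocale=en_US; Path=/jasperserver',
  // JSESSIONID is set by the application server, not by the edited files.
  'JSESSIONID=0123456789ABCDEF; Path=/jasperserver; HttpOnly',
  // Trailing ";secure;" as appended by the modified JavaScript lines.
  'homePageRecentlyViewedResourcesExpandableListState=1; path=/;secure;',
  // The value is the word "secure", but the attribute itself is absent.
  'homePagePopularLinksExpandableListState=secure; path=/;',
];

console.log(cookiesMissingSecure(sample));
```

A plain substring search for "secure" would wrongly pass the last sample line, which is why the check parses attributes instead.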