Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 2.0.0
- Fix Version/s: None
- Component/s: Security
- Labels: None
Description
Need to ensure that the cart cookie is not tampered with by client-side script.
To do this we need the Servlet 3.0 API (which is available in Tomcat 7).
Here is a guide: http://www.brucephillips.name/blog/index.cfm/2011/2/2/Maven-Servlet-30-and-Tomcat-7
The Servlet 3.0 API seems not to be officially in Maven, so it needs to be downloaded from either:
javaee-web-api repo:
<repositories>
  <repository>
    <id>maven-repository.dev.java.net</id>
    <name>java.net Maven Repository</name>
    <url>http://download.java.net/maven/2</url>
  </repository>
</repositories>
<dependency>
  <groupId>javax</groupId>
  <artifactId>javaee-web-api</artifactId>
  <version>6.0</version>
  <scope>provided</scope>
</dependency>
Or we can use Tomcat 7 (must use provided, so it is not bundled with the WAR):
<dependency>
  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat-servlet-api</artifactId>
  <version>7.0.26</version>
  <scope>provided</scope>
</dependency>