Hosting webui on different host

If the application business services and webui are on different hosts, PASOE needs to be configured to allow the JSESSIONID cookies, used by Spring for tracking HTTP session, to be sent to, and used by, the javascript client.

This is done in a couple of configuration files in PASOE.

HttpOnly policy

In <instance>/conf/web.xml, make sure to add or edit the session-config element. The http-only element must be false.

    <!-- USER EDIT: uncomment the <session-config> element below to
         control these HTTP session run-time attributes.

        <http-only> {true|false} Block cookie access to JavaScript
        <secure>    {true|false} Require HTTPS for transmitting cookie
        <tracking-mode> {COOKIE|URL|SSL} How session id communicated to client
        <session-timeout> {minutes}  How many minutes for a session to be
                    idle before deletion
    -->
    <session-config>
        <cookie-config>
            <http-only>false</http-only>
            <secure>false</secure>
        </cookie-config>
    </session-config>

SameSite policy

In <instance>/webapps/<webapp>/META-INF/context.xml , add the following directive to the <Context> element. This is to set a value for the cookies' SameSite attribute. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie for allowed values.

<CookieProcessor sameSiteCookies="None" />

This value may also be set in the <instance>/conf/context.xml , which will use the same policy for all the instance’s webapps.