如何为jsessionid cookie启用相同站点 [英] How to enable samesite for jsessionid cookie

查看:137
本文介绍了如何为jsessionid cookie启用相同站点的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

如何为在wildfly上运行的Web应用程序启用相同站点。
已检查 standalone.xml ,但是在其中找不到合适的标记

 < servlet-container name = default> 
< session-cookie http-only = true secure = true /> 
< jsp-config /> 
< / servlet-container>


解决方案

到目前为止,Java Servlet 4.0规范还没有支持SameSite cookie属性。您可以打开 javax.servlet.http.Cookie来查看可用属性。 java类。


但是,有两种解决方法。您可以手动覆盖Set-Cookie属性。


第一种方法(使用Spring的AuthenticationSuccessHandler):

  import java.io.IOException; 
 import java.util.Collection; 
 
 import javax.servlet.http.HttpServletRequest; 
 import javax.servlet.http.HttpServletResponse; 
 
导入org.springframework.http.HttpHeaders; 
 import org.springframework.security.core.Authentication; 
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler; 
 
公共类AuthenticationSuccessHandlerImpl实现AuthenticationSuccessHandler {
 
 @Override 
 public void onAuthenticationSuccess(HttpServletRequest请求,HttpServletResponse响应,身份验证身份验证)引发IOException {
 addSameSiteCookieAttribute(响应); //将SameSite = strict添加到Set-Cookie属性
 response.sendRedirect( / hello); //成功后重定向到hello.html auth 
} 
 
私人无效addSameSiteCookieAttribute(HttpServletResponse response){
 Collection< String>标头= response.getHeaders(HttpHeaders.SET_COOKIE); 
 boolean firstHeader = true; 
 for(String header:headers){//可以有多个Set-Cookie属性
 if(firstHeader){
 response.setHeader(HttpHeaders.SET_COOKIE,String.format(% s;%s,标题, SameSite = Strict)); 
 firstHeader = false; 
继续; 
} 
 response.addHeader(HttpHeaders.SET_COOKIE,String.format(%s;%s,标头, SameSite = Strict))); 
} 
} 
}

第二种方法(使用javax.servlet.Filter ):

  import java.io.IOException; 
 import java.util.Collection; 
 
 import javax.servlet.FilterChain; 
 import javax.servlet.FilterConfig; 
 import javax.servlet.ServletException; 
 import javax.servlet.ServletRequest; 
 import javax.servlet.ServletResponse; 
 import javax.servlet.http.HttpServletResponse; 
 
导入org.springframework.http.HttpHeaders; 
 
公共类SameSiteFilter实现javax.servlet.Filter {
 @Override 
 public void init(FilterConfig filterConfig)抛出ServletException {
 
} 
 
 @Override 
 public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)引发IOException,ServletException {
 chain.doFilter(request,response); 
 addSameSiteCookieAttribute((HttpServletResponse)response); //添加SameSite = strict cookie属性
} 
 
私有无效addSameSiteCookieAttribute(HttpServletResponse response){
 Collection< String>标头= response.getHeaders(HttpHeaders.SET_COOKIE); 
 boolean firstHeader = true; 
 for(String header:headers){//可以有多个Set-Cookie属性
 if(firstHeader){
 response.setHeader(HttpHeaders.SET_COOKIE,String.format(% s;%s,标题, SameSite = Strict)); 
 firstHeader = false; 
继续; 
} 
 response.addHeader(HttpHeaders.SET_COOKIE,String.format(%s;%s,标头, SameSite = Strict))); 
} 
} 
 
 @Override 
 public void destroy(){
 
} 
}

您可以查看此演示项目,有关org.springframework.security.web.authentication.AuthenticationSuccessHandler或javax.servlet.Filter的配置的更多详细信息。


WebSecurityConfig 包含所有必需的配置。


不能保证使用addHeader可以正常工作,因为基本上
Servlet容器负责管理Session和Cookie的创建。对于
的示例,如果您在
响应主体中返回JSON,则这两种方法均无效,因为应用程序服务器将在刷新响应期间覆盖Set-Cookie
标头。但是,在成功通过
身份验证后将用户重定向到另一个页面的情况下,上述方法将可以使
起作用。

How can I enable samesite for my web application which runs on wildfly as. Checked standalone.xml however could not find an appropriate tag within

<servlet-container name="default">
    <session-cookie http-only="true" secure="true"/>
    <jsp-config/>
</servlet-container>

解决方案

As for now the Java Servlet 4.0 specification doesn't support the SameSite cookie attribute. You can see available attributes by opening javax.servlet.http.Cookie java class.

However, there are a couple of workarounds. You can override Set-Cookie attribute manually.

The first approach (using Spring's AuthenticationSuccessHandler):

import java.io.IOException;
import java.util.Collection;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class AuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        addSameSiteCookieAttribute(response);    // add SameSite=strict to Set-Cookie attribute
        response.sendRedirect("/hello"); // redirect to hello.html after success auth
    }

    private void addSameSiteCookieAttribute(HttpServletResponse response) {
        Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE);
        boolean firstHeader = true;
        for (String header : headers) { // there can be multiple Set-Cookie attributes
            if (firstHeader) {
                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
                firstHeader = false;
                continue;
            }
            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
        }
    }
}

The second approach (using javax.servlet.Filter):

import java.io.IOException;
import java.util.Collection;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;

public class SameSiteFilter implements javax.servlet.Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
        addSameSiteCookieAttribute((HttpServletResponse) response); // add SameSite=strict cookie attribute
    }

    private void addSameSiteCookieAttribute(HttpServletResponse response) {
        Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE);
        boolean firstHeader = true;
        for (String header : headers) { // there can be multiple Set-Cookie attributes
            if (firstHeader) {
                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
                firstHeader = false;
                continue;
            }
            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
        }
    }

    @Override
    public void destroy() {

    }
}

You can look at this demo project on the GitHub for more details on the configuration for org.springframework.security.web.authentication.AuthenticationSuccessHandler or javax.servlet.Filter.

The WebSecurityConfig contains all the necessary configuration.

Using addHeader is not guaranteed to work because basically the Servlet container manages the creation of the Session and Cookie. For example, both approaches won't work in case you return JSON in response body because application server will overwrite Set-Cookie header during flushing of response. However, above approaches will work in cases, when you redirect a user to another page after successful authentication.

这篇关于如何为jsessionid cookie启用相同站点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆