Set the JSESSIONID cookie with the SameSite=Strict attribute in Spring Boot?

Time: 2018-10-29 11:05:27

Tags: java spring-boot security cookies

What is the Spring Boot configuration for setting the JSESSIONID cookie with SameSite=Strict?

JSESSIONID needs SameSite=Strict added to the existing cookie, rather than generating a new cookie. Is that supported?

3 answers:

Answer 0 (score: 2)

With Undertow 2.1.0.Final and later, you can do this:

import io.undertow.server.handlers.CookieSameSiteMode;
import io.undertow.server.handlers.SameSiteCookieHandler;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.context.annotation.Bean;

// Pattern matched against cookie names; only matching cookies receive the SameSite attribute
public static final String COOKIE_PATTERN = "JSESSIONID";

@Bean
public UndertowServletWebServerFactory undertowServletWebServerFactory() {
    UndertowServletWebServerFactory undertow = new UndertowServletWebServerFactory();

    // Wrap the outermost handler so SameSite=Strict is added to the matching
    // response cookies (including the container-generated JSESSIONID) when they are written
    undertow.addDeploymentInfoCustomizers(
            deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(
                    handler -> new SameSiteCookieHandler(handler, CookieSameSiteMode.STRICT.name(), COOKIE_PATTERN)
            ));

    return undertow;
}

Answer 1 (score: 1)

According to this open issue in Spring Security, this is not supported yet.

Answer 2 (score: 0)

As a workaround, I use Rfc6265CookieProcessor to configure the SameSite flag in a Spring Boot application.

build.gradle

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-tomcat'
    ...
}

Configure it in the main class:

import org.apache.catalina.Context;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public ServletWebServerFactory servletContainer() {
    return new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // The cookie processor renders every Set-Cookie header for this context,
            // so SameSite=Strict is added to JSESSIONID and to all other cookies the
            // application sets, not only the session cookie.
            Rfc6265CookieProcessor rfc6265CookieProcessor = new Rfc6265CookieProcessor();
            rfc6265CookieProcessor.setSameSiteCookies("Strict");
            context.setCookieProcessor(rfc6265CookieProcessor);
        }
    };
}
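A container-independent variant of the same idea, added here as an example and not code from the question or from any of the answers: a servlet Filter that, once the filter chain has returned, rewrites the Set-Cookie headers already present on the response so that the session cookie carries SameSite=Strict. The cookie name JSESSIONID, the Strict mode, the javax.servlet API of Spring Boot 2.x, and registering the filter as a @Component with highest precedence are assumptions. The rewrite only sees cookies the container has already placed on the response as plain Set-Cookie header values when the chain returns, which Tomcat does at session creation; if the response was committed earlier in the chain, or the container keeps its cookies apart from the headers until commit, nothing is rewritten and the container-specific hooks in the answers above are the reliable route.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

/**
 * Added example (not from the question or answers): after the chain has run,
 * rewrite the Set-Cookie headers so the session cookie carries SameSite=Strict.
 * Assumptions: the session cookie is named JSESSIONID, the container has already
 * written it as a Set-Cookie header value when the chain returns, and the
 * response is not yet committed (after commit, setHeader/addHeader are ignored).
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // outermost filter, so the rewrite runs after Spring Security
public class SameSiteSessionCookieFilter implements Filter {

    static final String COOKIE_NAME = "JSESSIONID";
    static final String SAME_SITE = "Strict";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        HttpServletResponse response = (HttpServletResponse) res;
        if (response.isCommitted()) {
            return; // headers already sent; leave whatever the container wrote
        }
        Collection<String> original = response.getHeaders("Set-Cookie");
        if (original.isEmpty()) {
            return;
        }
        List<String> rewritten = withSameSite(original, COOKIE_NAME, SAME_SITE);
        // setHeader replaces every existing Set-Cookie value; addHeader appends the rest
        boolean first = true;
        for (String header : rewritten) {
            if (first) {
                response.setHeader("Set-Cookie", header);
                first = false;
            } else {
                response.addHeader("Set-Cookie", header);
            }
        }
    }

    /**
     * Pure header rewrite, kept separate so it can be exercised without a container.
     * Only the named cookie is touched; other cookies pass through unchanged, and a
     * cookie that already declares SameSite keeps its existing value.
     */
    static List<String> withSameSite(Collection<String> setCookieHeaders, String cookieName, String mode) {
        List<String> out = new ArrayList<>(setCookieHeaders.size());
        for (String header : setCookieHeaders) {
            String trimmed = header.trim();
            boolean isTarget = trimmed.regionMatches(true, 0, cookieName + "=", 0, cookieName.length() + 1);
            boolean hasSameSite = trimmed.toLowerCase(Locale.ROOT).contains("; samesite=");
            if (isTarget && !hasSameSite) {
                out.add(trimmed + "; SameSite=" + mode);
            } else {
                out.add(header);
            }
        }
        return out;
    }

    /** Stand-alone run on constructed header values; no servlet container needed. */
    public static void main(String[] args) {
        List<String> sample = Arrays.asList(
                "JSESSIONID=ABC123; Path=/; HttpOnly",                 // constructed: container session cookie
                "theme=dark; Path=/; Max-Age=86400",                   // constructed: unrelated application cookie
                "JSESSIONID=DEF456; Path=/; HttpOnly; SameSite=Lax");  // constructed: already declares SameSite
        for (String header : withSameSite(sample, COOKIE_NAME, SAME_SITE)) {
            System.out.println("Set-Cookie: " + header);
        }
    }
}
```

Running main shows the rewrite applied to the constructed headers: only the first JSESSIONID line gains "; SameSite=Strict". Keeping the rewrite in the static withSameSite method means the behaviour can be unit tested on plain strings, while the Filter itself only handles the response plumbing and the committed-response guard.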