将jsessionId cookie设置为SameSite = Strict的spring-boot配置是什么。
JsessionId需要添加SameSite = Strict或现有cookie,而不是新的cookie生成。它支持吗?
答案 0 :(得分:2)
使用 Undertow 2.1.0.Final 和更高版本,您可以这样做:
public static final String COOKIE_PATTERN = "JSESSIONID";
@Bean
public UndertowServletWebServerFactory undertowServletWebServerFactory() {
UndertowServletWebServerFactory undertow = new UndertowServletWebServerFactory();
undertow.addDeploymentInfoCustomizers(
deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(
handler -> new SameSiteCookieHandler(handler, CookieSameSiteMode.STRICT.name(), COOKIE_PATTERN)
));
return undertow;
}
答案 1 :(得分:1)
根据this open issue in Spring Security,尚不支持此功能。
答案 2 :(得分:0)
我使用Rfc6265CookieProcessor在Spring Boot应用程序中配置SameSite标志作为解决方法。
build.gradle :
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-tomcat'
...
}
在主类中进行配置:
@Bean
public ServletWebServerFactory servletContainer() {
return new TomcatServletWebServerFactory() {
@Override
protected void postProcessContext(Context context) {
Rfc6265CookieProcessor rfc6265CookieProcessor = new Rfc6265CookieProcessor();
rfc6265CookieProcessor.setSameSiteCookies("Strict");
context.setCookieProcessor(rfc6265CookieProcessor);
}
};
}