如何在Spring Boot 2.1.0中登录时在Set-Cookie标头上禁用HttpOnly标志

时间:2019-03-16 12:41:40

标签: spring spring-boot tomcat spring-security tomcat8

我在禁用set-cookie标头上的httpOnly标志时遇到问题。当在响应中发回JSESSIONID时,这主要是登录时的问题。请注意,这是在AWS EBS上部署的tomcat服务器上。

以下任何配置在本地均可正常运行,但在部署时无法正常运行。

我尝试了以下解决方案,但似乎没有任何作用

application.yml配置

server:  
  servlet:
    session:
      cookie:
        http-only: false

Servlet上下文初始化器

@Bean
open fun servletContextInitializer(): ServletContextInitializer {
    return ServletContextInitializer { servletContext ->
        servletContext.setSessionTrackingModes(setOf(SessionTrackingMode.COOKIE))
        val sessionCookieConfig = servletContext.sessionCookieConfig
        sessionCookieConfig.isHttpOnly = false
    }

WebServerFactoryCustomizer 

@Bean
open fun tomcatCustomizer(): WebServerFactoryCustomizer<TomcatServletWebServerFactory> {
    return WebServerFactoryCustomizer { tomcat ->
        tomcat
            .addContextCustomizers(TomcatContextCustomizer { context -> context.useHttpOnly = false })
    }

web.xml 

    <session-config>
      <cookie-config>
        <http-only>false</http-only>
      </cookie-config>
    </session-config>

示例请求标头

Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: 
Authorization: Bearer null
Content-Type: application/json
Content-Length: 58
Origin: 
Connection: keep-alive
TE: Trailers

示例响应标题

HTTP/2.0 200 OK
date: Sat, 16 Mar 2019 14:11:58 GMT
set-cookie: AWSALB=qBpX9uFjtkP4H7gyJ3EXL8na0a7aARiEN/twi0cc2sPywvbysKXXaNfQbe8HaS5hcC6VRnkp09VYj0pGcXiHbWRod9OithDlQ0ZIvHSbY7B5xiJT1r8N+lcRdCcp; Expires=Sat, 23 Mar 2019 14:11:57 GMT; Path=/
server: Apache/2.4.37 (Amazon) OpenSSL/1.0.2k-fips
vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers
access-control-allow-origin: 
access-control-allow-credentials: true
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000 ; includeSubDomains
x-frame-options: DENY
set-cookie: JSESSIONID=70F12355ABFDD0F42292D9F6CEAA22BF; Path=/; Secure; HttpOnly
X-Firefox-Spdy: h2

1 个答案:

答案 0 :(得分:1)

我终于能够通过创建作为Spring Security的一部分运行的Filter来解决它。过滤器在SecurityContextPersistenceFilter之前执行,因此等到添加set-cookie头之后再更新头(在链中之前,在doFilter()执行后获得最后一个调用)。

过滤器实现

package com.zambezii.app.security.filter

import org.springframework.web.filter.GenericFilterBean
import java.io.IOException
import javax.servlet.FilterChain
import javax.servlet.ServletException
import javax.servlet.ServletRequest
import javax.servlet.ServletResponse
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class SessionFilter : GenericFilterBean() {

    @Throws(IOException::class, ServletException::class)
    override fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
        val req = request as HttpServletRequest
        val res = response as HttpServletResponse
        chain.doFilter(req, res)

        removeHttpOnlyFlag(res)
    }

    private fun removeHttpOnlyFlag(res: HttpServletResponse) {
        val setCookieHeaderName = "set-cookie"
        var setCookieHeader = res.getHeader(setCookieHeaderName)

        if (setCookieHeader != null) {
            setCookieHeader = setCookieHeader.replace("; HttpOnly", "")
            res.setHeader(setCookieHeaderName, setCookieHeader)
        }
    }
}

安全配置

open class WebSecurityConfig() : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
            ...
            .authenticated()
            .and()
            .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter::class.java)
            .addFilterBefore(SessionFilter(), SecurityContextPersistenceFilter::class.java)
相关问题
最新问题