spring security未发送带有JSSessionID的samesite=none

kqlmhetl 于 2021-10-10 发布在 Java

关注(0)|答案(1)|浏览(459)

以下是我的Web安全配置的描述：

public void configure(HttpSecurity http) throws Exception {
        http
                .addFilterBefore(corsFilter(), SessionManagementFilter.class) //adds your custom CorsFilter
                .authorizeRequests()
                .antMatchers("/ping/get").permitAll()
                .antMatchers("/user/updatePassword").permitAll()
                .antMatchers("/user/resetPassword").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .permitAll()
                .successHandler(successHandler())
                .failureHandler(failureHandler())
                .and()
                .exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler())
                .authenticationEntryPoint(authenticationEntryPoint())
                .and()
                .logout()
                .logoutSuccessUrl("/login")
                .invalidateHttpSession(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessHandler((httpServletRequest, httpServletResponse, authentication) -> {
                    httpServletResponse.setStatus(HttpServletResponse.SC_OK);
                })
                .permitAll()

        ;
        http.csrf().disable();
        http.headers()
                .addHeaderWriter(
                        new StaticHeadersWriter("Access-Control-Allow-Origin", "http://localhost:4200")
                );
        http.headers()
                .addHeaderWriter(
                        new StaticHeadersWriter("Access-Control-Allow-Credentials", "true")
                        );
    }

我已经为samesite=none定义了cors过滤器的头，如下所示

@Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) servletResponse;
        HttpServletRequest req= (HttpServletRequest) servletRequest;

        res.setHeader("Access-Control-Allow-Origin", req.getHeader("origin"));
        res.setHeader("Access-Control-Allow-Credentials", "true");
        res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        res.setHeader("Access-Control-Max-Age", "3600");
        res.setHeader("Access-Control-Allow-Headers", "access-control-allow-origin,content-type");
        res.addHeader("Access-Control-Expose-Headers", "xsrf-token");
        res.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None");
        if ("OPTIONS".equals(req.getMethod())) {
            res.setStatus(HttpServletResponse.SC_OK);
        } else {
            filterChain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {

    }
}

但是，每当我调用登录端点时，我只会收到httponly，secure，but not samesite=none和我的jsessionid cookkie。我该怎么做？我尝试了所有不同的过滤，从其他问题的答案，但没有一个工作。问题只在chrome上。如果有任何解决办法也会很有帮助。最近，chrome删除了可以禁用的samesite标志。需要解决这个问题才能为我的网站创建webview。

spring-security jsessionid samesite

来源：https://stackoverflow.com/questions/67822008/spring-security-not-sending-samesite-none-with-jsessionid

1条答案

按热度按时间

2exbekwf1#

在将spring会话与自定义会话一起使用时，可以设置samesite属性 CookieSerializer .

@Bean
public CookieSerializer cookieSerializer() {
    DefaultCookieSerializer serializer = new DefaultCookieSerializer();
    serializer.setCookieName("JSESSIONID");
    serializer.setSameSite("None");
    serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
    return serializer;
}

赞(0）回复(0）举报 2021-10-10

我来回答

spring security未发送带有JSSessionID的samesite=none

1条答案

相关问题

热门标签

最新问答