时间戳

首页 > 解决方案 > Spring Security 不发送带有 JSESSIONID 的 samesite=none

spring-security - Spring Security 不发送带有 JSESSIONID 的 samesite=none

问题描述

这就是我的 websecurityconfig 的描述方式:

public void configure(HttpSecurity http) throws Exception {
        http
                .addFilterBefore(corsFilter(), SessionManagementFilter.class) //adds your custom CorsFilter
                .authorizeRequests()
                .antMatchers("/ping/get").permitAll()
                .antMatchers("/user/updatePassword").permitAll()
                .antMatchers("/user/resetPassword").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .permitAll()
                .successHandler(successHandler())
                .failureHandler(failureHandler())
                .and()
                .exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler())
                .authenticationEntryPoint(authenticationEntryPoint())
                .and()
                .logout()
                .logoutSuccessUrl("/login")
                .invalidateHttpSession(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessHandler((httpServletRequest, httpServletResponse, authentication) -> {
                    httpServletResponse.setStatus(HttpServletResponse.SC_OK);
                })
                .permitAll()

        ;
        http.csrf().disable();
        http.headers()
                .addHeaderWriter(
                        new StaticHeadersWriter("Access-Control-Allow-Origin", "http://localhost:4200")
                );
        http.headers()
                .addHeaderWriter(
                        new StaticHeadersWriter("Access-Control-Allow-Credentials", "true")
                        );
    }

和 cors 过滤器我已经为 samesite=none 定义了标题如下


    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) servletResponse;
        HttpServletRequest req= (HttpServletRequest) servletRequest;

        res.setHeader("Access-Control-Allow-Origin", req.getHeader("origin"));
        res.setHeader("Access-Control-Allow-Credentials", "true");
        res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        res.setHeader("Access-Control-Max-Age", "3600");
        res.setHeader("Access-Control-Allow-Headers", "access-control-allow-origin,content-type");
        res.addHeader("Access-Control-Expose-Headers", "xsrf-token");
        res.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None");
        if ("OPTIONS".equals(req.getMethod())) {
            res.setStatus(HttpServletResponse.SC_OK);
        } else {
            filterChain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {

    }
}

但是,每当我调用登录端点时,我只会收到 httponly,secure 但 nnot samesite=none 和我的 JSESSIONID cookie。我如何使这项工作?我已经从其他问题的答案中尝试了所有不同的过滤器,但它们都不起作用。问题仅在 chrome 上。如果也有任何解决方法,那将很有帮助。最近 chrome 删除了可以禁用的 samesite 标志。需要解决这个问题才能为我的网站创建 web 视图。

标签: spring-securityjsessionidsamesite

解决方案

当使用带有自定义的Spring Session时,您可以设置 SameSite 属性。CookieSerializer

@Bean
public CookieSerializer cookieSerializer() {
    DefaultCookieSerializer serializer = new DefaultCookieSerializer();
    serializer.setCookieName("JSESSIONID");
    serializer.setSameSite("None");
    serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
    return serializer;
}

推荐阅读