public class SameSiteCookieHeaderFilter extends Object implements javax.servlet.Filter
Filter which adds the SameSite attribute to cookies, until
the Java API supports it natively, if ever.
Explicitly named cookies are configured and placed into a Map of cookie name to same-site attribute value.
All other cookies may be assigned a default value.
Cookies with an existing same-site cookie flag are left unaltered - copied back into the response without modification.
A single cookie can only have at most one same-site value set. Attempts in the configuration to
give more than one same-site value to a cookie are caught during argument injection and throw an
IllegalArgumentException.
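The behaviour described above (per-cookie mapping, optional default, existing flags left alone, conflicting configuration rejected) and the flattening that setSameSiteCookies is documented to perform, shown as a stand-alone added example; it is not the Shibboleth source. The class SameSiteHeaderDemo, the SameSite enum, the helpers flatten and rewrite, and the cookie names and header strings are assumptions made for illustration (Java 9+ for List.of).

```java
import java.util.*;
public class SameSiteHeaderDemo {
    /** Hypothetical stand-in for the filter's SameSiteValue type. */
    enum SameSite { None, Lax, Strict }
    /** Invert value -> names into name -> value; a name under two values is a config error. */
    static Map<String, SameSite> flatten(Map<SameSite, List<String>> config) {
        Map<String, SameSite> byName = new HashMap<>();
        for (Map.Entry<SameSite, List<String>> e : config.entrySet()) {
            for (String name : e.getValue()) {
                SameSite previous = byName.putIfAbsent(name, e.getKey());
                if (previous != null && previous != e.getKey()) {
                    throw new IllegalArgumentException("Cookie '" + name
                            + "' is mapped to both " + previous + " and " + e.getKey());
                }
            }
        }
        return byName;
    }

    /** Append SameSite to one Set-Cookie value unless the attribute is already present. */
    static String rewrite(String header, Map<String, SameSite> byName, SameSite defaultValue) {
        String[] parts = header.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().toLowerCase(Locale.ROOT).startsWith("samesite=")) {
                return header; // existing flag: copied back unmodified
            }
        }
        int eq = parts[0].indexOf('=');
        String name = (eq < 0 ? parts[0] : parts[0].substring(0, eq)).trim();
        SameSite value = byName.getOrDefault(name, defaultValue);
        return value == null ? header : header + "; SameSite=" + value;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and headers, not taken from the page.
        Map<SameSite, List<String>> config = new EnumMap<>(SameSite.class);
        config.put(SameSite.None, List.of("JSESSIONID"));
        config.put(SameSite.Strict, List.of("shib_idp_session"));
        Map<String, SameSite> byName = flatten(config);
        for (String h : List.of("JSESSIONID=abc; Path=/idp; Secure; HttpOnly",
                "shib_idp_session=xyz; Path=/idp; SameSite=Lax", "theme=dark; Path=/")) {
            System.out.println(rewrite(h, byName, SameSite.Lax)); // Lax is the default here
        }
        config.put(SameSite.Strict, List.of("JSESSIONID", "shib_idp_session")); // conflict
        try { flatten(config); } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Browsers reject a cookie marked SameSite=None unless it also carries Secure, so a None mapping only takes effect for cookies that are issued with that flag.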
| Modifier and Type | Class and Description |
|---|---|
| private class | SameSiteCookieHeaderFilter.SameSiteResponseProxy: An implementation of the HttpServletResponse which adds the same-site flag to Set-Cookie headers for the set of configured cookies. |
| static class | SameSiteCookieHeaderFilter.SameSiteValue: The allowed same-site cookie attribute values. |
| Modifier and Type | Field and Description |
|---|---|
| private SameSiteCookieHeaderFilter.SameSiteValue | defaultValue: Optional default value to apply. |
| private org.slf4j.Logger | log: Class logger. |
| private static String | SAMESITE_ATTRIBITE_NAME: The name of the same-site cookie attribute. |
| private Map<String,SameSiteCookieHeaderFilter.SameSiteValue> | sameSiteCookies: Map of cookie name to same-site attribute value. |
| Constructor and Description |
|---|
| SameSiteCookieHeaderFilter(): Constructor. |
| Modifier and Type | Method and Description |
|---|---|
| void | destroy() |
| void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) |
| void | init(javax.servlet.FilterConfig filterConfig) |
| void | setDefaultValue(SameSiteCookieHeaderFilter.SameSiteValue value): Set an optional default value to apply to all unmapped cookies. |
| void | setSameSiteCookies(Map<SameSiteCookieHeaderFilter.SameSiteValue,List<String>> map): Set the names of cookies to add the same-site attribute to. |
@Nonnull @NotEmpty private static final String SAMESITE_ATTRIBITE_NAME
@Nonnull private final org.slf4j.Logger log
@Nullable private SameSiteCookieHeaderFilter.SameSiteValue defaultValue
@Nonnull @NonnullElements private Map<String,SameSiteCookieHeaderFilter.SameSiteValue> sameSiteCookies

public void setDefaultValue(@Nullable SameSiteCookieHeaderFilter.SameSiteValue value)
Parameters: value - default value

public void setSameSiteCookies(@Nullable @NonnullElements Map<SameSiteCookieHeaderFilter.SameSiteValue,List<String>> map)
The argument map is flattened to remove the nested collection. The argument map allows duplicate
cookie names to appear in order to detect configuration errors which would otherwise not be found during
argument injection e.g. trying to set a session identifier cookie as both SameSite=Strict and SameSite=None.
Instead, duplicates are detected here, throwing a terminating IllegalArgumentException if found.
Parameters: map - the map of same-site attribute values to cookie names.

public void init(@Nonnull javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

public void destroy()
Specified by: destroy in interface javax.servlet.Filter

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException

Copyright © 1999–2019 Shibboleth Consortium. All rights reserved.