Add secure flag to JSESSIONID cookie in spring aut

2020-02-06 06:07发布

站内问答 / Java
670 4 6

I have a tomcat application server that is behind a nginx. SSL terminates on the nginx. The Spring web-mvc application that is deployed on the tomcat should set the secure flag on the JSESSIONID. It would be cool if spring has some automatic detection for this so I don't get bothered during development because I don't have SSL there.

Is there a way to tell spring to set the flag automatically?

I use JavaConfig to setup the application and use Maven to create a deployable war-file.

I have checked this already, but this looks somehow ugly and static: set 'secure' flag to JSESSION id cookie

4条回答
兄弟一词,经得起流年.
2楼-- · 2020-02-06 06:19

If you are using Spring Boot, there is a simple solution for it. Just set the following property in your application.properties:

server.servlet.session.cookie.secure=true

Source: Spring docs - Appendix A. Common application properties

If you have some environment with HTTPS and some without it, you will need to set it to false in profiles without HTTPS. Otherwise the Secure cookie is ignored.

查看更多
0人赞 添加讨论(0) 举报
混吃等死
3楼-- · 2020-02-06 06:23

in your application.yml just add

server:
  session:
    cookie:
      secure: true
查看更多
0人赞 添加讨论(0) 举报
手持菜刀,她持情操
4楼-- · 2020-02-06 06:35

When you use spring-session, e.g. to persist your session in reddis, this is indeed done automatically. The cookie is than created by org.springframework.session.web.http.CookieHttpSessionStrategy which in CookieHttpSessionStrategy#createSessionCookie checks if the request comes via HTTPS and sets secure accordingly:

sessionCookie.setSecure(request.isSecure());

If you do not use spring-session, you can configure secure cookies using a ServletContextInitializer. Use a application property, to set it to true/false depending on a profile.

@Bean
public ServletContextInitializer servletContextInitializer(@Value("${secure.cookie}") boolean secure) {
    return new ServletContextInitializer() {

        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            servletContext.getSessionCookieConfig().setSecure(secure);
        }
    };
}

application.properties (used in dev when profile 'prod' is not active):

secure.cookie=false

application-prod.properties (only used when profile 'prod' is active, overwrites value in application.properties):

secure.cookie=false

start your application on the prod server with :

--spring.profiles.active=prod

Sounds like some effort, if you have not worked with profiles so far, but you will most likely need a profile for prod environment anyway, so its really worth it.

查看更多
0人赞 添加讨论(0) 举报
手持菜刀,她持情操
5楼-- · 2020-02-06 06:40

Add another option

You can use a ServletContextInitializer to set secure cookie and http only flag

@Bean
public ServletContextInitializer servletContextInitializer() {
    return new ServletContextInitializer() {
        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));
            SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
            sessionCookieConfig.setHttpOnly(true);
            sessionCookieConfig.setSecure(true);
        }
    };
}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)