Comments (9)
As quarkus-http is based on vert.x you can use the vert.x routing context to set same site cookies, or use Quarkus's same site config mechanism: http://quarkus.io/guides/http-reference#same-site-cookie
Basically it allows you to set the attribute based on a cookie name.
Thank you for the tip, however the relevant vertx extension doesn't handle cookies set by undertow properly, since ResponseWrapper#addCookie is never called from Undertow.

Unfortunately, due to the above, Quarkus' same-site-cookie configuration has no effect on undertow's JSESSIONID session cookie.

After having a closer look into the two HttpServerResponse implementations, maybe a headersEndHandler would be more appropriate to intercept and handle the SameSite attribute of all cookies, which I presume would cover cookies set by undertow as well.

Here is a sample POC implementation; I believe it would make sense to adapt Quarkus' same-site-cookie handling implementation accordingly:
```java
// Imports added so the POC compiles as posted; package locations are those of the
// javax-era Quarkus / Vert.x 3 APIs the snippet uses and are assumed here.
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.enterprise.inject.spi.CDI;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

import org.eclipse.microprofile.config.ConfigProvider;

import io.netty.handler.codec.http.cookie.ClientCookieDecoder;
import io.quarkus.vertx.http.runtime.CurrentVertxRequest;
import io.quarkus.vertx.http.runtime.SameSiteNoneIncompatibleClientChecker;
import io.vertx.core.http.CookieSameSite;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.HttpServerResponse;
import io.vertx.core.http.impl.CookieImpl;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.ext.web.RoutingContext;

// Registration annotation added so the filter is actually picked up by Undertow.
@WebFilter("/*")
public class SameSiteCookieFilter implements Filter {

    private boolean secureCookie;
    private boolean sameSiteNone;

    /**
     * {@inheritDoc}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Both switches default to true: every cookie gets SameSite=None; Secure unless disabled.
        secureCookie = ConfigProvider.getConfig().getOptionalValue("http.cookie.secure", Boolean.class).orElse(true);
        sameSiteNone = ConfigProvider.getConfig().getOptionalValue("http.cookie.samesite.none", Boolean.class).orElse(true);
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (sameSiteNone && secureCookie) {
            RoutingContext routingContext = CDI.current().select(CurrentVertxRequest.class).get().getCurrent();
            HttpServerResponse httpServerResponse = routingContext.response();
            HttpServerRequest httpServerRequest = routingContext.request();
            // Skip clients known to mishandle SameSite=None (they would drop the cookie).
            if (SameSiteNoneIncompatibleClientChecker.shouldSendSameSiteNone(httpServerRequest.getHeader(HttpHeaders.USER_AGENT))) {
                // Runs just before the headers are flushed, i.e. after Undertow has added JSESSIONID.
                routingContext.addHeadersEndHandler(v -> {
                    Map<String, ServerCookie> cookies = extractCookies(httpServerResponse.headers().getAll(HttpHeaders.SET_COOKIE));
                    if (cookies.size() > 0) {
                        // Drop every Set-Cookie header and re-add each cookie with the attributes forced.
                        httpServerResponse.headers().remove(HttpHeaders.SET_COOKIE);
                        cookies.values().stream().forEach(cookie -> {
                            cookie.setSameSite(CookieSameSite.NONE);
                            cookie.setSecure(true);
                            httpServerResponse.addCookie(cookie);
                        });
                    }
                });
            }
        }
        chain.doFilter(request, response);
    }

    /** Parses the raw Set-Cookie header values back into Vert.x server cookies, keyed by name. */
    private static Map<String, ServerCookie> extractCookies(List<String> cookieHeaders) {
        if (cookieHeaders != null) {
            List<io.netty.handler.codec.http.cookie.Cookie> nettyCookies =
                    cookieHeaders.stream().map(ClientCookieDecoder.STRICT::decode).collect(Collectors.toList());
            Map<String, ServerCookie> cookies = new HashMap<>(nettyCookies.size());
            for (io.netty.handler.codec.http.cookie.Cookie cookie : nettyCookies) {
                ServerCookie ourCookie = new CookieImpl(cookie);
                ourCookie.setChanged(true); // mark as changed so Vert.x re-emits it
                cookies.put(ourCookie.getName(), ourCookie);
            }
            return cookies;
        } else {
            return new HashMap<>(4);
        }
    }
}
```
Is there any other way to intercept the response and alter the JSESSIONID cookie?
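The rewrite the POC above performs inside the headersEndHandler can be reasoned about, and unit-tested, without a running Vert.x/Undertow server if it is expressed over the raw Set-Cookie strings. The following is an added example, not code from quarkus-http or from the POC, and it makes one assumption: the user-agent compatibility check (Quarkus' SameSiteNoneIncompatibleClientChecker in the POC) is done by the caller and passed in as a boolean. It also differs from the POC in one deliberate respect: a cookie that already declares SameSite (for example Strict from the per-name config) keeps that value, so the filter cannot silently loosen a cookie the application restricted on purpose; the session cookie, which carries no SameSite attribute, still gets SameSite=None; Secure. The isCrossSiteUsable check is what one would run against the actual response headers to confirm the fix took effect.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not quarkus-http code): the Set-Cookie rewrite of the headersEndHandler
 * POC, applied to plain header strings so it can be run and tested offline.
 */
public final class SameSiteHeaderRewriter {

    private SameSiteHeaderRewriter() {
    }

    /**
     * Rewrites each Set-Cookie value so that it is usable cross-site.
     *
     * @param clientSupportsSameSiteNone result of a user-agent check, assumed to be
     *        performed by the caller (e.g. with Quarkus' SameSiteNoneIncompatibleClientChecker)
     */
    public static List<String> rewrite(List<String> setCookieHeaders, boolean clientSupportsSameSiteNone) {
        List<String> out = new ArrayList<>(setCookieHeaders.size());
        for (String header : setCookieHeaders) {
            out.add(rewriteOne(header, clientSupportsSameSiteNone));
        }
        return out;
    }

    static String rewriteOne(String header, boolean clientSupportsSameSiteNone) {
        // Clients that mishandle SameSite=None would drop the cookie: leave the header unchanged.
        if (!clientSupportsSameSiteNone) {
            return header;
        }
        String[] parts = header.split(";");
        StringBuilder sb = new StringBuilder(parts[0].trim()); // name=value pair
        boolean hasSameSite = false;
        boolean hasSecure = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            if (attr.isEmpty()) {
                continue;
            }
            String lower = attr.toLowerCase(Locale.ROOT);
            if (lower.startsWith("samesite=")) {
                hasSameSite = true; // explicit choice by the application: keep it
            } else if (lower.equals("secure")) {
                hasSecure = true;
            }
            sb.append("; ").append(attr);
        }
        if (!hasSameSite) {
            sb.append("; SameSite=None");
        }
        if (!hasSecure) {
            // Browsers reject SameSite=None without Secure, so the two always travel together.
            sb.append("; Secure");
        }
        return sb.toString();
    }

    /** Verification check: true only if the cookie will be sent from a cross-site iframe. */
    public static boolean isCrossSiteUsable(String setCookieHeader) {
        boolean none = false;
        boolean secure = false;
        for (String part : setCookieHeader.toLowerCase(Locale.ROOT).split(";")) {
            String attr = part.trim();
            if (attr.equals("samesite=none")) {
                none = true;
            } else if (attr.equals("secure")) {
                secure = true;
            }
        }
        return none && secure;
    }

    public static void main(String[] args) {
        // Constructed sample headers: one as Undertow emits the session cookie,
        // one as a JAX-RS NewCookie with an explicit SameSite=Strict.
        List<String> headers = Arrays.asList(
                "JSESSIONID=abc123; path=/; HttpOnly",
                "testCookie=value; Path=/; SameSite=Strict");
        for (String h : rewrite(headers, true)) {
            System.out.println(h + "  -> cross-site usable: " + isCrossSiteUsable(h));
        }
    }
}
```

Running the main method shows JSESSIONID gaining SameSite=None; Secure while testCookie keeps SameSite=Strict (and only gains Secure), which is the behaviour the per-name configuration in the Quarkus guide is meant to provide once Undertow's cookies pass through the same path.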
I have opened #97 which backports the upstream Undertow samesite support. Once it is in and released we can integrate it with the existing vert.x config.
Hi! We have the same problem with the sameSite cookie. I've prepared a simple example:
application.yml

```yaml
quarkus:
  http:
    same-site-cookie:
      testCookie:
        value: strict
```
TestController

```java
package com.netcracker.cloud.bss.portal.web.api;

import com.netcracker.cloud.bss.portal.constant.UrlConstants;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

@Path("")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class TestController {

    @GET
    @Path("/test")
    public Response getTest() {
        // Cookie is set through JAX-RS, not through the vert.x routing context
        NewCookie cookie = new NewCookie("testCookie", "value");
        return Response.ok("Test").cookie(cookie).build();
    }
}
```
As a result, sameSite=Strict doesn't appear.
Is there any known workaround for this? In my case, the application I am using needs to be loaded in an iframe from another site and can no longer track sessions in the iframe because of the browser's cookie policy.
It looks like #97 was merged. What are the steps to be able to take advantage of it?
> Is there any known workaround for this? In my case, the application I am using needs to be loaded in an iframe from another site and can no longer track sessions in the iframe because of the browser's cookie policy.

@aelfric A workaround is to handle this in META-INF/undertow-handlers.conf:

    samesite-cookie(mode=None)
Sorry, I just saw this update, but that undertow-handlers workaround doesn't seem to do it for me. I just bumped the quarkus version to 2.15.3 but I'm still not able to get the cookies working as expected.