Class SameSiteCookieHeaderFilter

java.lang.Object
net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderFilter
All Implemented Interfaces:
javax.servlet.Filter

public class SameSiteCookieHeaderFilter
extends Object
implements javax.servlet.Filter
Implementation of an HTTP servlet Filter which adds the SameSite attribute to cookies, until the Java API supports it natively, if ever.

Explicitly named cookies are configured and placed into a Map of cookie name to same-site attribute value.

All other cookies may be assigned a default value.

Cookies with an existing same-site cookie flag are left unaltered: they are copied back into the response without modification.

A single cookie can have at most one same-site value set. Attempts in the configuration to give more than one same-site value to a cookie are caught during argument injection and throw an IllegalArgumentException.

  • Constructor Details

    • SameSiteCookieHeaderFilter

      public SameSiteCookieHeaderFilter()
      Constructor.
  • Method Details

    • setActivationCondition

      public void setActivationCondition(@Nonnull Predicate<javax.servlet.ServletRequest> condition)
      Set a condition on execution of the filter.

      This is typically for conditional User-Agent detection to deal with the Apple bug.

      Parameters:
      condition - condition to set
    • setDefaultValue

      public void setDefaultValue(@Nullable SameSiteCookieHeaderFilter.SameSiteValue value)
      Set an optional default value to apply to all unmapped cookies.
      Parameters:
      value - default value
    • setSameSiteCookies

      public void setSameSiteCookies(@Nullable @NonnullElements Map<SameSiteCookieHeaderFilter.SameSiteValue, List<String>> map)
      Set the names of cookies to add the same-site attribute to.

      The argument map is flattened to remove the nested collection. The argument map allows duplicate cookie names to appear in order to detect configuration errors which would otherwise not be found during argument injection, e.g. trying to set a session identifier cookie as both SameSite=Strict and SameSite=None. Instead, duplicates are detected here, throwing a terminating IllegalArgumentException if found.

      Parameters:
      map - the map of same-site attribute values to cookie names.
    • init

      public void init(@Nonnull javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException
    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter
    • doFilter

      public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException
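
The flattening and duplicate check described for setSameSiteCookies, together with the leave-unaltered and default-value rules from the class description, as an added example. It is not the Shibboleth implementation; the class SameSiteFlattenExample, the enum SameSite and the methods flatten and apply are hypothetical names, and the configuration and headers are constructed samples.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SameSiteFlattenExample {
    // Hypothetical stand-in for the filter's SameSiteValue type.
    enum SameSite { Strict, Lax, None }

    // Invert value -> cookie names into cookie name -> value, rejecting a name listed twice.
    static Map<String, SameSite> flatten(Map<SameSite, List<String>> config) {
        Map<String, SameSite> byName = new HashMap<>();
        for (Map.Entry<SameSite, List<String>> e : config.entrySet()) {
            for (String name : e.getValue()) {
                if (byName.putIfAbsent(name, e.getKey()) != null) {
                    throw new IllegalArgumentException("Cookie " + name + " has more than one same-site value");
                }
            }
        }
        return byName;
    }

    // Return the Set-Cookie header value with SameSite appended where the rules call for it.
    static String apply(String setCookie, Map<String, SameSite> byName, SameSite defaultValue) {
        if (setCookie.toLowerCase(Locale.ROOT).contains("samesite=")) {
            return setCookie; // existing attribute: copied back without modification
        }
        int eq = setCookie.indexOf('=');
        String name = eq > 0 ? setCookie.substring(0, eq).trim() : "";
        SameSite value = byName.getOrDefault(name, defaultValue); // unmapped cookies get the default
        return value == null ? setCookie : setCookie + "; SameSite=" + value;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and headers.
        Map<String, SameSite> byName = flatten(Map.of(
                SameSite.None, List.of("JSESSIONID"),
                SameSite.Strict, List.of("prefs")));
        System.out.println(apply("JSESSIONID=abc; Path=/; Secure; HttpOnly", byName, SameSite.Lax));
        System.out.println(apply("other=1; Path=/", byName, SameSite.Lax));
        System.out.println(apply("prefs=x; SameSite=Lax", byName, SameSite.Lax));
        try {
            flatten(Map.of(SameSite.None, List.of("JSESSIONID"),
                    SameSite.Strict, List.of("JSESSIONID")));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The substring test for an existing attribute is a simplification: a cookie whose value happens to contain the text "samesite=" would also be left unaltered.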