Class SameSiteCookieHeaderFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class SameSiteCookieHeaderFilter
    extends Object
    implements javax.servlet.Filter
    Implementation of an HTTP servlet Filter which adds the SameSite attribute to cookies, until the Java API supports it natively, if ever.

    Explicitly named cookies are configured and placed into a Map of cookie name to same-site attribute value.

    All other cookies may be assigned a default value.

    Cookies with an existing same-site cookie flag are left unaltered - copied back into the response without modification.

    A single cookie can have at most one same-site value set. Attempts in the configuration to give more than one same-site value to a cookie are caught during argument injection and throw an IllegalArgumentException.

    • Constructor Detail

      • SameSiteCookieHeaderFilter

        public SameSiteCookieHeaderFilter()
        Constructor.
    • Method Detail

      • setActivationCondition

        public void setActivationCondition(@Nonnull
                                           Predicate<javax.servlet.ServletRequest> condition)
        Set a condition on execution of the filter.

        This is typically for conditional User-Agent detection to deal with the Apple bug.

        Parameters:
        condition - condition to set
      • setDefaultValue

        public void setDefaultValue(@Nullable
                                    SameSiteCookieHeaderFilter.SameSiteValue value)
        Set an optional default value to apply to all unmapped cookies.
        Parameters:
        value - default value
      • setSameSiteCookies

        public void setSameSiteCookies(@Nullable @NonnullElements
                                       Map<SameSiteCookieHeaderFilter.SameSiteValue,List<String>> map)
        Set the names of cookies to add the same-site attribute to.

        The argument map is flattened to remove the nested collection. The argument map allows duplicate cookie names to appear so that configuration errors which would otherwise not be found during argument injection can be detected, e.g. trying to set a session identifier cookie as both SameSite=Strict and SameSite=None. Duplicates are instead detected here, and a terminating IllegalArgumentException is thrown if any are found.

        Parameters:
        map - the map of same-site attribute values to cookie names.
      • init

        public void init(@Nonnull
                         javax.servlet.FilterConfig filterConfig)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException
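
The behaviour described in the class description and under setSameSiteCookies (flattening the value-to-names map, rejecting a cookie listed more than once, leaving existing SameSite attributes alone, and applying a default to unmapped cookies) is sketched below as an added example, not the project's own code. The class name, method names, enum constant spellings and sample headers are assumptions made for illustration.

```java
import java.util.*;

// Added sketch, not the Shibboleth source; class, method and enum constant names are assumptions.
public class SameSiteRewriteSketch {
    enum SameSiteValue { Strict, Lax, None }

    /** Flatten value -> names into name -> value, rejecting a name listed twice. */
    static Map<String, SameSiteValue> flatten(Map<SameSiteValue, List<String>> map) {
        Map<String, SameSiteValue> flat = new HashMap<>();
        for (Map.Entry<SameSiteValue, List<String>> e : map.entrySet()) {
            for (String name : e.getValue()) {
                SameSiteValue prev = flat.putIfAbsent(name, e.getKey());
                if (prev != null) {
                    throw new IllegalArgumentException("Cookie '" + name
                            + "' listed more than once (" + prev + ", then " + e.getKey() + ")");
                }
            }
        }
        return flat;
    }

    /** Append SameSite to one Set-Cookie header value unless it already has one. */
    static String rewrite(String header, Map<String, SameSiteValue> named, SameSiteValue dflt) {
        String[] parts = header.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is name=value, not an attribute
            if (parts[i].trim().toLowerCase(Locale.ROOT).startsWith("samesite")) {
                return header; // existing attribute is left unaltered
            }
        }
        int eq = parts[0].indexOf('=');
        String name = (eq < 0 ? parts[0] : parts[0].substring(0, eq)).trim();
        SameSiteValue value = named.getOrDefault(name, dflt); // a null default means no change
        return value == null ? header : header + "; SameSite=" + value;
    }

    public static void main(String[] args) {
        Map<SameSiteValue, List<String>> config = new EnumMap<>(SameSiteValue.class);
        config.put(SameSiteValue.None, List.of("JSESSIONID"));
        config.put(SameSiteValue.Strict, List.of("prefs"));
        Map<String, SameSiteValue> named = flatten(config);
        // Constructed sample Set-Cookie values.
        for (String h : List.of("JSESSIONID=abc; Path=/; Secure", "prefs=dark; Path=/",
                "legacy=1; SameSite=Lax", "other=1; Path=/")) {
            System.out.println(rewrite(h, named, SameSiteValue.Lax));
        }
        config.put(SameSiteValue.Strict, List.of("prefs", "JSESSIONID")); // misconfiguration
        try { flatten(config); }
        catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

The sketch does not add the Secure attribute; browsers that enforce the current SameSite rules reject SameSite=None on a cookie that is not also marked Secure.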