Date: Fri, 29 Mar 2024 12:53:11 +0000 (UTC)
Subject: Exported From Confluence
In addition to the new SameSite Servlet Filter described here, a DynamicResponseHeaderFilter callback function has also been implemented (SameSiteCookieHeaderCallbackFunction). The implementation can be found on my personal repository [git@git.shibboleth.net:philsmart/java-support], feature branch [feature/same-site-filter], alongside the existing Filter implementation. The callback function works in the same way as the filter, but requires fewer changes to the IdP to deploy.

The function can be configured in global-system.xml by defining the SameSiteCookieHeaderCallbackFunction bean and adding it to a new list of response header callbacks:
<!-- Maps a SameSite value to the comma-separated cookie names that should receive it;
     %{property:default} placeholders are resolved from the IdP properties. -->
<bean id="shibboleth.SameSiteCookieHeaderCallbackFunction"
	class="net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderCallbackFunction">
	<property name="sameSiteCookies">
		<map>
			<entry key="None" value="JSESSIONID,shib_idp_session,
				%{idp.storage.clientSessionStorageName:shib_idp_session_ss},
				%{idp.storage.clientPersistentStorageName:shib_idp_persistent_ss}"/>
		</map>
	</property>
</bean>

<!-- Register the callback with the DynamicResponseHeaderFilter -->
<util:list id="shibboleth.ResponseHeaderCallbacks">
	<ref bean="shibboleth.SameSiteCookieHeaderCallbackFunction"/>
</util:list>
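As an added illustration (not code from the java-support repository or the IdP), the following Python models what the bean configuration above asks the callback to do: resolve the %{property:default} placeholders in the cookie-name list, then append SameSite=<value> to the Set-Cookie headers of the named cookies. It also adds Secure when the value is None, which browsers require before they will accept such a cookie, and leaves headers that already carry a SameSite attribute untouched. The property values and Set-Cookie headers used are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed stand-in for the IdP property source; the placeholder names
# match the bean above, the override value is made up for the example.
PROPERTIES: Dict[str, str] = {
    "idp.storage.clientSessionStorageName": "my_session_ss",
}

# %{name} or %{name:default}, as used in the bean's value attribute
PLACEHOLDER = re.compile(r"%\{([^:}]+)(?::([^}]*))?\}")


def resolve_placeholders(value: str, props: Dict[str, str]) -> str:
    """Expand %{prop:default} tokens; fail loudly if neither value nor default exists."""
    def repl(m: "re.Match[str]") -> str:
        name, default = m.group(1), m.group(2)
        if name in props:
            return props[name]
        if default is None:
            raise KeyError(f"no value or default for property {name}")
        return default
    return PLACEHOLDER.sub(repl, value)


def parse_same_site_map(raw: Dict[str, str], props: Dict[str, str]) -> Dict[str, str]:
    """Turn {SameSite value: 'a,b,c'} (the <map> entries) into {cookie name: SameSite value}."""
    by_cookie: Dict[str, str] = {}
    for mode, names in raw.items():
        for name in resolve_placeholders(names, props).split(","):
            name = name.strip()  # tolerate the newlines/tabs inside the attribute
            if name:
                by_cookie[name] = mode
    return by_cookie


def apply_same_site(set_cookie_headers: List[str], by_cookie: Dict[str, str]) -> List[str]:
    """Rewrite Set-Cookie values for configured cookies, appending SameSite (+ Secure for None)."""
    out: List[str] = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        mode = by_cookie.get(name)
        if mode is None or re.search(r";\s*samesite=", header, re.I):
            out.append(header)  # not configured, or already has a SameSite attribute
            continue
        new = header.rstrip("; ") + f"; SameSite={mode}"
        if mode == "None" and not re.search(r";\s*secure\b", new, re.I):
            new += "; Secure"  # SameSite=None is rejected by browsers without Secure
        out.append(new)
    return out
```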
For this to work with application-level beans set by the IdP, the DynamicResponseHeaderFilter must be ordered above the CookieBufferingFilter in the web.xml, e.g.:
Important
It is important to note here that the DynamicResponseHeaderFilter intercepts fewer URLs than the current implementation of the SameSite Servlet Filter (which intercepts all requests to the IdP) - it mostly misses the SLO endpoints.
<filter-mapping>
	<filter-name>DynamicResponseHeaderFilter</filter-name>
	<url-pattern>/profile/admin/*</url-pattern>
	<url-pattern>/profile/Shibboleth/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
	<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
	<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
	<url-pattern>/profile/cas/login</url-pattern>
	<url-pattern>/Authn/*</url-pattern>
</filter-mapping>

<filter-mapping>
	<filter-name>CookieBufferingFilter</filter-name>
	<url-pattern>/profile/admin/*</url-pattern>
	<url-pattern>/profile/Logout</url-pattern>
	<url-pattern>/profile/Shibboleth/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
	<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
	<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
	<url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
	<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
	<url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
	<url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
	<url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>