Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version 2

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



In addition to the new SameSite Servlet Filter described here, a DynamicResponseHeaderFilter callback function has also been implemented (SameSiteCookieHeaderCallbackFunction). The implementation can be found on my personal repository [git@git.shibboleth.net:philsmart/java-support] feature branch [feature/same-site-filter] - alongside the existing Filter implementation.


Configuration


The function can be configured in global-system.xml, by defining both the function bean, and adding it to a new list of response header call backs.

Code Block
languagexml
titleglobal-system.xml
linenumberstrue
 <bean id="shibboleth.SameSiteCookieHeaderCallbackFunction"
     	class="net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderCallbackFunction">
    	<property name="sameSiteCookies">
    		<map>
    		<entry key="None" value="JSESSIONID,shib_idp_session,
    			%{idp.storage.clientSessionStorageName:shib_idp_session_ss},
    			%{idp.storage.clientPersistentStorageName:shib_idp_persistent_ss}"/> 
    		</map>
    	</property>     
    </bean>
    
    <util:list id="shibboleth.ResponseHeaderCallbacks">
    	<ref bean="shibboleth.SameSiteCookieHeaderCallbackFunction"/>
    </util:list>


For this to work with application level beans set by the IdP, the DynamicResponseHeaderFilter must be ordered above the CookieBufferingFilter in the web.xml e.g.

Code Block
 <filter-mapping>
        <filter-name>DynamicResponseHeaderFilter</filter-name>
        <url-pattern>/profile/admin/*</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
        <url-pattern>/Authn/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CookieBufferingFilter</filter-name>
        <url-pattern>/profile/admin/*</url-pattern>
        <url-pattern>/profile/Logout</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
    </filter-mapping>
Info
titleImportant

It is important to note here, the DynamicResponseHeader filter is intercepting fewer URLs than the current implementation of the SameSite Servlet Filter (which is intercepting all calls to the IdP) - mostly missing SLO endpoints.