...
The function can be configured in global-system.xml by defining the SameSiteCookieHeaderCallbackFunction bean and adding it to a new list of response header callbacks.
...
For this to work with application-level beans set by the IdP, the DynamicResponseHeaderFilter must be ordered above the CookieBufferingFilter in web.xml, e.g.:
Info: It is important to note here that the DynamicResponseHeader filter intercepts fewer URLs than the current implementation of the SameSite Servlet Filter (which intercepts all requests to the IdP), mostly missing the SLO endpoints.
```xml
<filter-mapping>
    <filter-name>DynamicResponseHeaderFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
    <url-pattern>/profile/cas/login</url-pattern>
    <url-pattern>/Authn/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CookieBufferingFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Logout</url-pattern>
    <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
    <url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
```
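As an added check (example code written for this page, not part of the IdP or its documentation), the following Python parses a web.xml, verifies that the DynamicResponseHeaderFilter mapping is ordered above the CookieBufferingFilter mapping, and lists the URL patterns the buffering filter covers that the header filter never sees, which is where the SLO-endpoint gap noted above shows up. The web.xml fragment is constructed; the filter names and URL patterns are taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not the IdP's shipped file); mapping order follows this page.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter-mapping>
    <filter-name>DynamicResponseHeaderFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CookieBufferingFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Logout</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
  </filter-mapping>
</web-app>"""

HEADER_FILTER = "DynamicResponseHeaderFilter"
BUFFERING_FILTER = "CookieBufferingFilter"

def _local(tag: str) -> str:
    """Strip the XML namespace so a real web.xml (which declares one) parses too."""
    return tag.rsplit("}", 1)[-1]

def filter_mappings(web_xml: str) -> list:
    """Return [(filter-name, {url-patterns}), ...] in document order."""
    mappings = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "filter-mapping":
            kids = [(_local(c.tag), (c.text or "").strip()) for c in elem]
            name = next(t for k, t in kids if k == "filter-name")
            mappings.append((name, {t for k, t in kids if k == "url-pattern"}))
    return mappings

def header_filter_precedes_buffering(web_xml: str) -> bool:
    """True when the header filter's mapping is ordered above the buffering filter's."""
    names = [name for name, _ in filter_mappings(web_xml)]
    return (HEADER_FILTER in names and BUFFERING_FILTER in names
            and names.index(HEADER_FILTER) < names.index(BUFFERING_FILTER))

def uncovered_patterns(web_xml: str) -> set:
    """Patterns whose cookies are buffered but that the header filter never intercepts."""
    seen, buffered = set(), set()
    for name, patterns in filter_mappings(web_xml):
        if name == HEADER_FILTER:
            seen |= patterns
        elif name == BUFFERING_FILTER:
            buffered |= patterns
    return buffered - seen
```

Run it against the deployed web.xml to confirm the ordering and to see which paths (here the Logout and SLO endpoints) will not receive the SameSite attribute from the callback.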