Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

For this to work with application level beans set by the IdP, the DynamicResponseHeaderFilter must be ordered above the CookieBufferingFilter in the web.xml e.g.

Info
titleImportant

It is important to note here, the DynamicResponseHeader filter is intercepting fewer URLs than the current implementation of the SameSite Servlet Filter (which is intercepting all requests to the IdP) - mostly missing SLO endpoints. 

Code Block
languagexml
titleWeb.xml
 <filter-mapping>
        <filter-name>DynamicResponseHeaderFilter</filter-name>
        <url-pattern>/profile/admin/*</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
        <url-pattern>/Authn/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CookieBufferingFilter</filter-name>
        <url-pattern>/profile/admin/*</url-pattern>
        <url-pattern>/profile/Logout</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
    </filter-mapping>  
Info
titleImportant
It is important to note here, the DynamicResponseHeader filter is intercepting fewer URLs than the current implementation of the SameSite Servlet Filter (which is intercepting all requests to the IdP) - mostly missing SLO endpoints.