In addition to the new SameSite Servlet Filter described here, a DynamicResponseHeaderFilter callback function has also been implemented (SameSiteCookieHeaderCallbackFunction). The implementation can be found in my personal repository [git@git.shibboleth.net:philsmart/java-support] on the feature branch [feature/same-site-filter], alongside the existing Filter implementation.
Configuration
The function is configured in global-system.xml by defining the function bean and adding it to a new list of response header callbacks.
global-system.xml:

```xml
<bean id="shibboleth.SameSiteCookieHeaderCallbackFunction"
      class="net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderCallbackFunction">
    <property name="sameSiteCookies">
        <map>
            <entry key="None" value="JSESSIONID,shib_idp_session,
                %{idp.storage.clientSessionStorageName:shib_idp_session_ss},
                %{idp.storage.clientPersistentStorageName:shib_idp_persistent_ss}"/>
        </map>
    </property>
</bean>

<util:list id="shibboleth.ResponseHeaderCallbacks">
    <ref bean="shibboleth.SameSiteCookieHeaderCallbackFunction"/>
</util:list>
```
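As an added example that is not code from the java-support branch or the real SameSiteCookieHeaderCallbackFunction, the following stand-alone Java sketch applies the same sameSiteCookies map shape (SameSite value to comma-separated cookie names, with the %{...} property placeholders assumed already resolved) to individual Set-Cookie header values; the class, cookie names and header values are constructed for illustration, and it adds Secure next to SameSite=None because browsers require that pairing.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-alone sketch, not the project's SameSiteCookieHeaderCallbackFunction.
public class SameSiteRewriter {
    /** cookie name -> SameSite value, built from the sameSiteCookies map shape
     *  (SameSite value -> comma-separated cookie names, placeholders already resolved). */
    private final Map<String, String> policy = new HashMap<>();

    public SameSiteRewriter(Map<String, String> sameSiteCookies) {
        sameSiteCookies.forEach((sameSite, names) -> {
            for (String name : names.split(",")) {
                if (!name.isBlank()) {
                    policy.put(name.trim(), sameSite);
                }
            }
        });
    }

    /** Rewrites one Set-Cookie value; unlisted cookies and cookies that already
     *  carry a SameSite attribute are returned unchanged. */
    public String rewrite(String setCookie) {
        int eq = setCookie.indexOf('=');
        String sameSite = eq < 0 ? null : policy.get(setCookie.substring(0, eq).trim());
        if (sameSite == null || hasAttribute(setCookie, "SameSite")) {
            return setCookie;
        }
        StringBuilder sb = new StringBuilder(setCookie).append("; SameSite=").append(sameSite);
        // Browsers ignore SameSite=None unless the cookie is also marked Secure.
        if ("None".equalsIgnoreCase(sameSite) && !hasAttribute(setCookie, "Secure")) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    private static boolean hasAttribute(String header, String attr) {
        return Arrays.stream(header.split(";")).map(String::trim)
                .anyMatch(p -> p.equalsIgnoreCase(attr) || p.toLowerCase().startsWith(attr.toLowerCase() + "="));
    }

    public static void main(String[] args) {
        // Constructed config mirroring the bean definition, with the %{...} placeholders resolved.
        Map<String, String> cfg = new HashMap<>();
        cfg.put("None", "JSESSIONID,shib_idp_session,\n shib_idp_session_ss,\n shib_idp_persistent_ss");
        SameSiteRewriter r = new SameSiteRewriter(cfg);
        System.out.println(r.rewrite("JSESSIONID=abc123; Path=/idp; HttpOnly"));
        System.out.println(r.rewrite("other=1; Path=/"));
    }
}
```

The first header gains `SameSite=None; Secure`; the second is not in the map and passes through untouched.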
For this to work with the application-level beans set by the IdP, the DynamicResponseHeaderFilter must be ordered above the CookieBufferingFilter in web.xml, e.g.:
```xml
<filter-mapping>
    <filter-name>DynamicResponseHeaderFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
    <url-pattern>/profile/cas/login</url-pattern>
    <url-pattern>/Authn/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CookieBufferingFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Logout</url-pattern>
    <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
    <url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
```
Info: It is important to note that, with the mappings above, the DynamicResponseHeaderFilter intercepts fewer URLs than the current SameSite Servlet Filter implementation (which intercepts all calls to the IdP); the SLO endpoints in particular are not covered.