In addition to the new SameSite Servlet Filter described here, a DynamicResponseHeaderFilter callback function has also been implemented (SameSiteCookieHeaderCallbackFunction). The implementation can be found on my personal repository [git@git.shibboleth.net:philsmart/java-support] feature branch [feature/same-site-filter] - alongside the existing Filter implementation.
The function is configured in global-system.xml by defining the function bean and adding it to a new list of response header callbacks:
<bean id="shibboleth.SameSiteCookieHeaderCallbackFunction"
      class="net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderCallbackFunction">
    <property name="sameSiteCookies">
        <map>
            <entry key="None" value="JSESSIONID,shib_idp_session, %{idp.storage.clientSessionStorageName:shib_idp_session_ss}, %{idp.storage.clientPersistentStorageName:shib_idp_persistent_ss}"/>
        </map>
    </property>
</bean>

<util:list id="shibboleth.ResponseHeaderCallbacks">
    <ref bean="shibboleth.SameSiteCookieHeaderCallbackFunction"/>
</util:list>
For this to work with application-level cookies set by the IdP, the DynamicResponseHeaderFilter mapping must be ordered above the CookieBufferingFilter mapping in web.xml, e.g.:
<filter-mapping>
    <filter-name>DynamicResponseHeaderFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
    <url-pattern>/profile/cas/login</url-pattern>
    <url-pattern>/Authn/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CookieBufferingFilter</filter-name>
    <url-pattern>/profile/admin/*</url-pattern>
    <url-pattern>/profile/Logout</url-pattern>
    <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
    <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
    <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
    <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
    <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
    <url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
It is important to note here that the DynamicResponseHeaderFilter intercepts fewer URLs than the current SameSite Servlet Filter implementation (which intercepts all calls to the IdP); the SLO endpoints in particular are not covered by the mapping above, so cookies set on those paths would not receive a SameSite attribute.
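To make concrete what the sameSiteCookies map above asks the callback to do to each Set-Cookie header, here is an added stand-alone sketch of that rewriting logic. It is not the SameSiteCookieHeaderCallbackFunction from the java-support branch; the class name, the helper names and the sample header values are constructed, and the %{...} property placeholders are assumed to have already been resolved to their default cookie names.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical sketch of SameSite Set-Cookie rewriting; not the java-support implementation. */
public class SameSiteRewriteExample {

    // Stand-in for the sameSiteCookies <map>: SameSite value -> cookie names it applies to.
    // Placeholders from the page's config are assumed resolved to their default values here.
    static final Map<String, List<String>> SAME_SITE_COOKIES = Map.of(
            "None", List.of("JSESSIONID", "shib_idp_session", "shib_idp_session_ss", "shib_idp_persistent_ss"));

    private static final Pattern SAME_SITE_ATTR = Pattern.compile(";\\s*SameSite=[^;]*", Pattern.CASE_INSENSITIVE);
    private static final Pattern SECURE_ATTR = Pattern.compile(";\\s*Secure(\\s*;|\\s*$)", Pattern.CASE_INSENSITIVE);

    /** Returns the Set-Cookie value with the configured SameSite attribute applied, or unchanged if not configured. */
    static String rewrite(String setCookieValue) {
        int eq = setCookieValue.indexOf('=');
        if (eq < 0) {
            return setCookieValue; // malformed header: leave it alone rather than guess
        }
        String name = setCookieValue.substring(0, eq).trim();
        for (Map.Entry<String, List<String>> e : SAME_SITE_COOKIES.entrySet()) {
            if (e.getValue().contains(name)) {
                // Drop any SameSite attribute the container already emitted so the configured value wins.
                String result = SAME_SITE_ATTR.matcher(setCookieValue).replaceAll("");
                result = result + "; SameSite=" + e.getKey();
                // Browsers reject SameSite=None cookies that are not also marked Secure.
                if ("None".equalsIgnoreCase(e.getKey()) && !SECURE_ATTR.matcher(result).find()) {
                    result = result + "; Secure";
                }
                return result;
            }
        }
        return setCookieValue; // cookie not listed in the map: untouched
    }

    public static void main(String[] args) {
        // Constructed sample Set-Cookie values, as the container and the IdP might emit them.
        // The callback only sees IdP cookies if it wraps the response before CookieBufferingFilter
        // flushes them, which is why the filter-mapping order in web.xml matters.
        String[] samples = {
            "JSESSIONID=abc123; Path=/idp; HttpOnly",
            "shib_idp_session=xyz; Path=/idp; Secure; HttpOnly",
            "shib_idp_session=xyz; Path=/idp; SameSite=Lax; Secure",
            "other_cookie=1; Path=/"
        };
        for (String s : samples) {
            System.out.println(s + "\n  -> " + rewrite(s));
        }
    }
}
```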