In addition to the new SameSite Servlet Filter described here, a DynamicResponseHeaderFilter callback function (SameSiteCookieHeaderCallbackFunction) has also been implemented. The implementation can be found in the [feature/same-site-filter] feature branch of my personal repository [git@git.shibboleth.net:philsmart/java-support], alongside the existing Filter implementation.


Configuration


The function is configured in global-system.xml by defining the function bean and adding it to a new list of response header callbacks.

    <bean id="shibboleth.SameSiteCookieHeaderCallbackFunction"
          class="net.shibboleth.utilities.java.support.net.SameSiteCookieHeaderCallbackFunction">
        <property name="sameSiteCookies">
            <map>
                <entry key="None" value="JSESSIONID,shib_idp_session,
                    %{idp.storage.clientSessionStorageName:shib_idp_session_ss},
                    %{idp.storage.clientPersistentStorageName:shib_idp_persistent_ss}"/>
            </map>
        </property>
    </bean>

    <util:list id="shibboleth.ResponseHeaderCallbacks">
        <ref bean="shibboleth.SameSiteCookieHeaderCallbackFunction"/>
    </util:list>
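As an added illustration (not the java-support code itself), the following Python shows the Set-Cookie rewrite a callback configured with the map above has to perform: the comma-separated, multi-line cookie list is parsed into cookie name to SameSite value, matching Set-Cookie headers get the attribute (replacing any SameSite already present), and SameSite=None cookies are also marked Secure, which browsers require. The cookie names and header values are constructed sample input, with the property placeholders shown already resolved to their defaults.

```python
import re
from typing import Dict, List

# Constructed stand-in for the Spring <map>: SameSite value -> comma-separated cookie
# names, carrying the newlines and indentation a multi-line XML attribute value has.
SAME_SITE_COOKIES = {
    "None": "JSESSIONID,shib_idp_session,\n    shib_idp_session_ss,\n    shib_idp_persistent_ss",
}

_SAMESITE_ATTR = re.compile(r";\s*SameSite=[^;]*", re.IGNORECASE)
_SECURE_ATTR = re.compile(r";\s*Secure(;|$)", re.IGNORECASE)


def parse_cookie_map(config: Dict[str, str]) -> Dict[str, str]:
    """Invert the config into cookie name -> SameSite value, trimming whitespace around each name."""
    by_cookie: Dict[str, str] = {}
    for same_site, names in config.items():
        for name in names.split(","):
            name = name.strip()
            if name:
                by_cookie[name] = same_site
    return by_cookie


def apply_same_site(set_cookie: str, by_cookie: Dict[str, str]) -> str:
    """Return one Set-Cookie header value with the configured SameSite attribute applied."""
    name = set_cookie.split("=", 1)[0].strip()
    same_site = by_cookie.get(name)
    if same_site is None:
        return set_cookie  # not a configured cookie: leave the header untouched
    # Drop any SameSite attribute already present so the attribute is not duplicated.
    value = _SAMESITE_ATTR.sub("", set_cookie).rstrip("; ")
    value += f"; SameSite={same_site}"
    # SameSite=None is only honoured by browsers when the cookie is also Secure.
    if same_site == "None" and not _SECURE_ATTR.search(value):
        value += "; Secure"
    return value


def rewrite_headers(headers: List[str], config: Dict[str, str]) -> List[str]:
    """Apply the configured SameSite values to every Set-Cookie header in the response."""
    by_cookie = parse_cookie_map(config)
    return [apply_same_site(h, by_cookie) for h in headers]
```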


For this to work with application-level beans set by the IdP, the DynamicResponseHeaderFilter must be ordered above the CookieBufferingFilter in web.xml, e.g.

    <filter-mapping>
        <filter-name>DynamicResponseHeaderFilter</filter-name>
        <url-pattern>/profile/admin/*</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
        <url-pattern>/Authn/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CookieBufferingFilter</filter-name>
        <url-pattern>/profile/admin/*</url-pattern>
        <url-pattern>/profile/Logout</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
    </filter-mapping>

It is important to note that the DynamicResponseHeaderFilter mapping above intercepts fewer URLs than the current SameSite Servlet Filter implementation (which intercepts all calls to the IdP); it mostly misses the SLO endpoints.