feature: allow setting SameSite on X-Uaa-Csrf cookie (#2439)
mikeroda authored Sep 19, 2023
1 parent 13d346f commit 9214a31
Showing 2 changed files with 21 additions and 0 deletions.
Expand Up @@ -16,6 +16,7 @@
package org.cloudfoundry.identity.uaa.security.web;

import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
Expand Down Expand Up @@ -55,6 +56,14 @@ public void setCookieMaxAge(int cookieMaxAge) {
this.cookieMaxAge = cookieMaxAge;
}

public SameSiteCookies getSameSiteCookies() {
return rfc6265CookieProcessor.getSameSiteCookies();
}

public void setSameSiteCookies(String sameSiteCookies) {
rfc6265CookieProcessor.setSameSiteCookies(sameSiteCookies);
}

public String getHeaderName() {
return headerName;
}
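Review bot: `setSameSiteCookies(String)` accepts "None" with no coupling to the cookie's Secure attribute, and nothing in the hunk documents that browsers drop a SameSite=None cookie that is not also Secure, or that None removes the cross-site restriction the CSRF cookie otherwise carries. A Javadoc on the setter should say so: `/** SameSite attribute emitted on the X-Uaa-Csrf cookie. "None" is only honored by browsers when the cookie is also Secure and lifts the cross-site restriction on the CSRF cookie; the string is parsed by Tomcat's Rfc6265CookieProcessor, which presumably rejects unrecognised values at configuration time. */`. The getter returns `SameSiteCookies` while the setter takes a `String`; an additional overload `public void setSameSiteCookies(SameSiteCookies sameSiteCookies)` would keep the pair symmetric for programmatic callers. The enclosing class starts and ends outside the hunk.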
Expand Up @@ -106,6 +106,18 @@ void saveToken_sameSiteIsLax() {
assertThat(response.getHeader("Set-Cookie"), containsString("SameSite=Lax"));
}

@Test
void saveToken_sameSiteIsNone() {
CookieBasedCsrfTokenRepository repo = new CookieBasedCsrfTokenRepository();
repo.setSameSiteCookies("None");
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
CsrfToken token = repo.generateToken(null);
repo.saveToken(token, request, response);

assertThat(response.getHeader("Set-Cookie"), containsString("SameSite=None"));
}

@Test
void saveToken_alwaysHttpOnly() {
Cookie cookie = saveTokenAndReturnCookie(false, "http");
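Review bot: `saveToken_sameSiteIsNone` uses a default `MockHttpServletRequest`, which is not secure, so the assertion passes on a `SameSite=None` cookie carrying no `Secure` attribute — the one combination browsers refuse to store. If `saveToken` derives Secure from the request scheme, as the `saveTokenAndReturnCookie(false, "http")` helper in the neighbouring test suggests, the test should add `request.setSecure(true);` before `repo.saveToken(...)` and `assertThat(response.getHeader("Set-Cookie"), containsString("Secure"));` so the None configuration is exercised in the form a browser would accept. A companion test passing an invalid value such as "Foo" to `setSameSiteCookies` would also pin the configuration-time failure mode the Tomcat parser presumably provides. The test class continues outside the hunk.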

0 comments on commit 9214a31

Please sign in to comment.