问题描述
public void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(corsFilter(),SessionManagementFilter.class) //adds your custom CorsFilter
.authorizeRequests()
.antMatchers("/ping/get").permitAll()
.antMatchers("/user/updatePassword").permitAll()
.antMatchers("/user/resetPassword").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.successHandler(successHandler())
.failureHandler(failureHandler())
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler())
.authenticationEntryPoint(authenticationEntryPoint())
.and()
.logout()
.logoutSuccessUrl("/login")
.invalidateHttpSession(true)
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessHandler((httpServletRequest,httpServletResponse,authentication) -> {
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
})
.permitAll()
;
http.csrf().disable();
http.headers()
.addHeaderWriter(
new StaticHeadersWriter("Access-Control-Allow-Origin","http://localhost:4200")
);
http.headers()
.addHeaderWriter(
new StaticHeadersWriter("Access-Control-Allow-Credentials","true")
);
}
和 cors 过滤器,我为 samesite=none 定义了标题,如下所示
@Override
public void init(FilterConfig filterConfig) throws servletexception {
}
@Override
public void doFilter(ServletRequest servletRequest,ServletResponse servletResponse,FilterChain filterChain) throws IOException,servletexception {
HttpServletResponse res = (HttpServletResponse) servletResponse;
HttpServletRequest req= (HttpServletRequest) servletRequest;
res.setHeader("Access-Control-Allow-Origin",req.getHeader("origin"));
res.setHeader("Access-Control-Allow-Credentials","true");
res.setHeader("Access-Control-Allow-Methods","GET,POST,PUT,DELETE,OPTIONS");
res.setHeader("Access-Control-Max-Age","3600");
res.setHeader("Access-Control-Allow-Headers","access-control-allow-origin,content-type");
res.addHeader("Access-Control-Expose-Headers","xsrf-token");
res.setHeader("Set-Cookie","HttpOnly;Secure;SameSite=None");
if ("OPTIONS".equals(req.getmethod())) {
res.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(req,res);
}
}
@Override
public void destroy() {
}
}
但是每当我调用登录端点时,我只接收 httponly,secure 但 nnot samesite=none 和我的 JSESSIONID cookie。我如何使这项工作? 我已经从其他问题的答案中尝试了所有不同的过滤器,但没有一个起作用。 问题仅在 chrome 上。如果有任何解决方法也会有所帮助。最近 chrome 删除了可以禁用的 samesite 标志。需要解决这个问题才能为我的网站创建一个 webview。
解决方法
您可以在将 Spring Session 与 custom CookieSerializer
一起使用时设置 SameSite 属性。
@Bean
public CookieSerializer cookieSerializer() {
DefaultCookieSerializer serializer = new DefaultCookieSerializer();
serializer.setCookieName("JSESSIONID");
serializer.setSameSite("None");
serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
return serializer;
}