Configuring SameSite on a per-cookie basis in Jetty 12 #9173
Comments
Will Spring Boot be using the low level handling in Jetty Core exclusively? or via Servlet from one of the ee levels?
Thanks for taking a look, @joakime. The latter – we're embedding Jetty as a Servlet 6-compatible server so we're using the
Then don't try to do this with It "should" work like this (haven't tried this personally) ...
Something like this ...

    context = new ServletContextHandler() {
        @Override
        protected ServletContextRequest wrapRequest(Request request, Response response)
        {
            ServletContextRequest jettyRequest = super.wrapRequest(request, response);
            return new SpringServletContextRequest(jettyRequest);
        }
    };

Thanks again, @joakime. Unfortunately, I think I've fallen at the second hurdle as I'm not sure how to wrap a
Can you wait until 12.0.0.beta0 release to continue this effort?
@wilkinsona can you take a look at the following and see if this is what you had in mind?
Yes, of course.
That's exactly the sort of thing that I had in mind. Thank you. I'll look forward to beta0.
* Issue #9173 - Make wrapping of ServletApiResponse easier
* Fixing checkstyle and missing licenses
* Improved HttpCookie with javadoc and attribute handling
@sbordet @lachlan-roberts We've made Note also that wrapping servlet API requests/responses in ee10 is currently difficult to do as the servlet API wrappers are created by the So I think we need to have a think about how we can wrap easily in ee10 environment. This also relates to #9297
@wilkinsona Where are you with this issue at the moment? I'd like to make some significant changes to wrapping in ee10... probably between beta1 and beta2, so it would be good to know what you are currently doing and make sure we keep a good solution for you.
Thanks for asking, @gregw. I parked my efforts in January after the discussion with @joakime. I haven't picked things up again, partly due to other priorities and partly due to waiting for the outcome of this issue. What's the current rough timeline for Jetty 12? Spring Boot 3.1's RC is later this month (20 April) with GA the following month (18 May). Given the feature freeze that RC will bring, it's looking like support for Jetty 12 may become a Spring Boot 3.2 feature. That would push it back to November 2023 and hopefully give us plenty of time to thrash out the details.
We'd very much like to get support in for the RC. But the 20th is tough for us.
I'm picking this up again (sorry for delay), so we don't miss November! I think I'd like to think of this in general terms. Specifically it is difficult in Jetty-12 to intercept any response header, Cookies included. Currently the solution is to:
That's a lot of wrapping and the result is multiple places that new headers need to be intercepted.
Option A

    void addHttpFieldProcessor(Function<HttpField, HttpField> processor);

This could then be used in a Handler as follows

    @Override
    public boolean handle(Request request, Response response, Callback callback) throws Exception
    {
        response.addHttpFieldProcessor(field ->
        {
            if (field.getHeader() != HttpHeader.SET_COOKIE)
                return field;
            return new HttpField(HttpHeader.SET_COOKIE,
                field.getValue().replaceFirst("SameSite=[A-Za-z]+;", "SameSite=" + sameSiteFor(request) + ";"));
        });
        // ...
    }

The downside of this approach is that the
Option B
This will be simple to wrap/override, but the downside is that it will not intercept any cookies added by directly calling
Thanks for picking this up again, @gregw. I'm not sure I know enough about Jetty at this level to have an informed opinion, but please don't hesitate to ask if there's something that you'd like me to try with Spring Boot to see if it meets our needs.
@gregw while I think the approach of a

    void onResponseBegin(Response response)
    {
        response.getHeaders().computeField(HttpHeader.SET_COOKIE, (header, fields) ->
        {
            ...
        });
    }

Admittedly, it may require a bit of string parsing and/or concatenation, but it is a rare case to require this feature. This approach would make things much simpler, avoid the overhead in the API (no need for the Thoughts?
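The string parsing mentioned above, as an added example that is not code from Jetty, Spring Boot or any participant in this thread: a plain-JDK rewriter that sets `SameSite` on one `Set-Cookie` value, including the cases a `SameSite=[A-Za-z]+;` pattern does not match (attribute absent, or last with no trailing `;`), and that adds `Secure` when the result is `SameSite=None`. The names `SameSiteRewriter`, `rewrite` and `strategy` are hypothetical, and the sample headers and policy are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.function.Function;

public class SameSiteRewriter
{
    // Returns the Set-Cookie value with SameSite set to what the (hypothetical)
    // strategy picks for the cookie's name; a null result leaves the header untouched.
    public static String rewrite(String setCookie, Function<String, String> strategy)
    {
        String[] parts = setCookie.split(";");
        // The first part is always name=value; the cookie name ends at the first '='.
        String nameValue = parts[0].trim();
        int eq = nameValue.indexOf('=');
        String name = eq < 0 ? nameValue : nameValue.substring(0, eq);
        String sameSite = strategy.apply(name);
        if (sameSite == null)
            return setCookie;

        List<String> out = new ArrayList<>();
        out.add(nameValue);
        boolean secure = false;
        for (int i = 1; i < parts.length; i++)
        {
            String attr = parts[i].trim();
            String lower = attr.toLowerCase(Locale.ROOT);
            if (attr.isEmpty() || lower.startsWith("samesite=") || lower.equals("samesite"))
                continue; // drop any existing SameSite, wherever it sits in the header
            secure |= lower.equals("secure");
            out.add(attr);
        }
        out.add("SameSite=" + sameSite);
        // Browsers reject SameSite=None cookies that are not also marked Secure.
        if (sameSite.equalsIgnoreCase("None") && !secure)
            out.add("Secure");
        return String.join("; ", out);
    }

    public static void main(String[] args)
    {
        // Constructed per-cookie policy and constructed sample headers.
        Function<String, String> strategy = name ->
            name.equals("SESSION") ? "Strict" : name.equals("sso") ? "None" : null;
        System.out.println(rewrite("SESSION=abc; Path=/; HttpOnly; SameSite=Lax", strategy));
        System.out.println(rewrite("sso=xyz; Path=/", strategy));
        System.out.println(rewrite("theme=dark; SameSite=Lax; Path=/", strategy));
    }
}
```

Splitting on `;` is safe here because RFC 6265 does not allow a semicolon inside a cookie value, quoted or not.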
@sbordet I think that works. It's no less efficient than the HttpFields approach if we keep the changes I make in the PR to cache the cookie in a field type
Thanks very much for the changes here. I now have a branch where Spring Boot's SameSite cookie support works with Jetty 12.0.0.beta2.
Jetty version
12.0.0.alpha3
Java version
17
Question
We'd like to support Jetty 12 in Spring Boot 3.1 and I am investigating the changes that we'll need to make. It's going pretty well but I've hit a problem with cookies and SameSite.
Spring Boot allows users to implement a strategy interface that can supply a cookie's SameSite value on a per-cookie basis. With Jetty 11 and earlier, we've implemented this functionality using a HandlerWrapper sub-class. Can you please give me some pointers on how this can be achieved using Handler.Wrapper in Jetty 12? Thus far, I have been unable to figure out how to intercept the addition of a cookie with the new API.