June 5, 2019

How to enable SameSite for WildFly and JBoss EAP

Background

A good cookie header should look like:


Set-Cookie: a=b; HttpOnly; secure; SameSite=strict

(HttpOnly = not readable from JavaScript; Secure = sent only over HTTPS/SSL; SameSite = not sent on cross-site requests)

https://www.owasp.org/index.php/SameSite

Java Servlet 4.0 (Java EE 8)

The sad thing about SameSite is that it is not supported in Servlet 4.0: javax.servlet.http.Cookie has no setter for the attribute.

Java(TM) EE 8 Specification APIs: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/http/Cookie

Wildfly 16

Since WildFly is built on Java (the Servlet API), the WildFly server does not support SameSite either; the session-cookie configuration below only offers http-only and secure.

9.7.3. Servlet container configuration
Session Cookie Configuration
https://docs.wildfly.org/16/Admin_Guide.html#Undertow

JSR 369: JavaTM Servlet 4.0 Specification
https://jcp.org/en/jsr/detail?id=369

JSR 366: Java Platform, Enterprise Edition 8 (Java EE 8) Specification
https://jcp.org/en/jsr/detail?id=366

Example


<servlet-container name="default">
    <session-cookie http-only="true" secure="true"/>
    <jsp-config/>
</servlet-container>

Solution

Best solution I have found is to build a custom Filter, which adds SameSite=strict.

https://stackoverflow.com/questions/49697449/how-to-enable-samesite-for-jsessionid-cookie
