Set "SameSite=None" attribute on cookies to allow CORS requests

Addresses RM-34203
axelor · Feb 8, 2021 · 5e896b7 · 5e896b7
1 parent b47f48c
commit 5e896b7
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 32 deletions.
diff --git a/axelor-core/src/main/java/com/axelor/auth/AuthFilter.java b/axelor-core/src/main/java/com/axelor/auth/AuthFilter.java
@@ -24,7 +24,6 @@
 import com.axelor.events.LoginRedirectException;
 import com.axelor.events.PostLogin;
 import com.axelor.events.PreLogin;
-import com.axelor.inject.Beans;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
 import java.io.UncheckedIOException;
@@ -55,8 +54,6 @@ public class AuthFilter extends FormAuthenticationFilter {
   @Inject private Event<PreLogin> preLogin;
   @Inject private Event<PostLogin> postLogin;
 
-  private static final String SESSION_COOKIE_NAME = "JSESSIONID";
-
   @Override
   protected boolean executeLogin(ServletRequest request, ServletResponse response)
       throws Exception {
@@ -110,7 +107,7 @@ protected boolean isLoginRequest(ServletRequest request, ServletResponse respons
   public void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)
       throws ServletException, IOException {
 
-    setSessionSameSiteNone((HttpServletRequest) request, (HttpServletResponse) response);
+    setSameSiteNone((HttpServletRequest) request, (HttpServletResponse) response);
 
     // tomcat 7.0.67 doesn't redirect with / if root request is sent without slash
     // see RM-4500 for more details
@@ -165,45 +162,40 @@ protected boolean onLoginSuccess(
     return super.onLoginSuccess(token, subject, request, response);
   }
 
-  public static void changeSessionId() {
-    final HttpServletRequest request = Beans.get(HttpServletRequest.class);
-    request.changeSessionId();
-    if (request.isSecure()) {
-      setSessionSameSiteNone(Beans.get(HttpServletResponse.class));
-    }
-  }
-
   private static void changeSessionId(HttpServletRequest request, HttpServletResponse response) {
     request.changeSessionId();
-    setSessionSameSiteNone(request, response);
+    setSameSiteNone(request, response);
   }
 
-  public static void setSessionSameSiteNone(
-      HttpServletRequest request, HttpServletResponse response) {
-    if (request.isSecure()) {
-      setSessionSameSiteNone(response);
+  public static void setSameSiteNone(HttpServletRequest request, HttpServletResponse response) {
+    if (!request.isSecure() && !"https".equalsIgnoreCase(getProto(request))) {
+      return;
     }
-  }
 
-  private static void setSessionSameSiteNone(HttpServletResponse response) {
     final Subject subject = SecurityUtils.getSubject();
     subject.getSession();
 
     final Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE);
     final Iterator<String> it = headers.iterator();
     if (it.hasNext()) {
-      addCookieHeader(it.next(), response::setHeader);
+      addSameSiteCookieHeader(response::setHeader, it.next());
       while (it.hasNext()) {
-        addCookieHeader(it.next(), response::addHeader);
+        addSameSiteCookieHeader(response::addHeader, it.next());
       }
     }
   }
 
-  private static void addCookieHeader(String header, BiConsumer<String, String> headerAdder) {
-    if (header.startsWith(SESSION_COOKIE_NAME)) {
-      header = String.format("%s; %s", header, "SameSite=None");
+  private static String getProto(HttpServletRequest request) {
+    final String proto = request.getHeader("X-Forwarded-Proto");
+    return StringUtils.isBlank(proto) ? request.getScheme() : proto;
+  }
+
+  private static void addSameSiteCookieHeader(BiConsumer<String, String> adder, String header) {
+    String extraAttrs = "; SameSite=None";
+    if (header.indexOf("; Secure") < 0) {
+      extraAttrs += "; Secure";
     }
-    headerAdder.accept(HttpHeaders.SET_COOKIE, header);
+    adder.accept(HttpHeaders.SET_COOKIE, header + extraAttrs);
   }
 
   @Override

diff --git a/axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jListener.java b/axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jListener.java
@@ -23,8 +23,11 @@
 import com.axelor.event.Event;
 import com.axelor.event.NamedLiteral;
 import com.axelor.events.PostLogin;
+import com.axelor.inject.Beans;
 import java.lang.invoke.MethodHandles;
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationListener;
@@ -47,7 +50,10 @@ public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
       final User user = ((UserAuthenticationInfo) info).getUser();
 
       if (user != null) {
-        AuthFilter.changeSessionId();
+        final HttpServletRequest request = Beans.get(HttpServletRequest.class);
+        final HttpServletResponse response = Beans.get(HttpServletResponse.class);
+        request.changeSessionId();
+        AuthFilter.setSameSiteNone(request, response);
         firePostLoginSuccess(token, user);
         return;
       }

diff --git a/axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jModule.java b/axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jModule.java
@@ -291,7 +291,7 @@ public Object perform(
                 Boolean inputDestroySession,
                 Boolean inputCentralLogout) {
 
-              AuthFilter.setSessionSameSiteNone(context.getRequest(), context.getResponse());
+              AuthFilter.setSameSiteNone(context.getRequest(), context.getResponse());
 
               // Destroy web session.
               return super.perform(
@@ -337,7 +337,7 @@ public Object perform(
                 Boolean inputRenewSession,
                 String client) {
 
-              AuthFilter.setSessionSameSiteNone(context.getRequest(), context.getResponse());
+              AuthFilter.setSameSiteNone(context.getRequest(), context.getResponse());
 
               try {
                 context.getRequest().setCharacterEncoding("UTF-8");
@@ -423,7 +423,7 @@ public Object perform(
                 Boolean inputMultiProfile,
                 Object... parameters) {
 
-              AuthFilter.setSessionSameSiteNone(context.getRequest(), context.getResponse());
+              AuthFilter.setSameSiteNone(context.getRequest(), context.getResponse());
 
               return super.perform(
                   context,

diff --git a/axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jModuleForm.java b/axelor-core/src/main/java/com/axelor/auth/pac4j/AuthPac4jModuleForm.java
@@ -250,8 +250,7 @@ public static class FormFilter extends AnonymousFilter {
     @Override
     protected boolean onPreHandle(
         ServletRequest request, ServletResponse response, Object mappedValue) {
-      AuthFilter.setSessionSameSiteNone(
-          (HttpServletRequest) request, (HttpServletResponse) response);
+      AuthFilter.setSameSiteNone((HttpServletRequest) request, (HttpServletResponse) response);
       return super.onPreHandle(request, response, mappedValue);
     }
   }

diff --git a/changelogs/unreleased/fix-same-site-none-secure-cookie.yml b/changelogs/unreleased/fix-same-site-none-secure-cookie.yml
@@ -1,2 +1,2 @@
-title: Set "SameSite=None" attribute to session cookie to allow CORS requests
+title: Set "SameSite=None" attribute on cookies to allow CORS requests
 type: fix