This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 7d95c46 Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. 7d95c46 is described below commit 7d95c46b8345c020f8723dfd476d3b193633af86 Author: Jacques Le Roux <[hidden email]> AuthorDate: Fri Mar 20 17:50:17 2020 +0100 Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470) Forgot to add UtilHttp::SameSiteFilter --- .../ofbiz/webapp/control/SameSiteFilter.java | 61 ++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java new file mode 100644 index 0000000..bc96fec --- /dev/null +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java @@ -0,0 +1,61 @@ +/******************************************************************************* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + *******************************************************************************/ +package org.apache.ofbiz.webapp.control; +import java.io.IOException; +import java.util.Collection; + +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.HttpHeaders; + + +public class SameSiteFilter implements javax.servlet.Filter { + @Override + public void init(FilterConfig filterConfig) throws ServletException { + + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + chain.doFilter(request, response); + addSameSiteCookieAttribute((HttpServletResponse) response); // add SameSite=strict cookie attribute + } + + public static void addSameSiteCookieAttribute(HttpServletResponse response) { + Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE); + boolean firstHeader = true; + for (String header : headers) { // there can be multiple Set-Cookie attributes + if (firstHeader) { + response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict")); + firstHeader = false; + continue; + } + response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict")); + } + } + + @Override + public void destroy() { + + } +} \ No newline at end of file |
Free forum by Nabble | Edit this page |