Also call setHttpOnly property on Tomcat context

Update `ServerProperties` to also call `setHttpOnly` on the
`TomcatContext`. It appears that this is required in addition to
using the `ServletContextInitializer` to set up `SessionCookieConfig`.

Closes gh-12580
Phillip Webb 2018-05-30 12:02:46 -07:00
parent b03f890567
commit 4d84933ee4
2 changed files with 25 additions and 0 deletions


@ -864,6 +864,17 @@ public class ServerProperties
.getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) {
customizeErrorReportValve(factory);
}
Cookie cookie = serverProperties.getSession().getCookie();
if (cookie.getHttpOnly() != null) {
factory.addContextCustomizers(new TomcatContextCustomizer() {
@Override
public void customize(Context context) {
context.setUseHttpOnly(cookie.getHttpOnly());
}
});
}
}
private void customizeErrorReportValve(
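Review bot: The anonymous `TomcatContextCustomizer` reads `cookie.getHttpOnly()` a second time inside `customize`, after the `!= null` check has already run, so the unboxing in `context.setUseHttpOnly(cookie.getHttpOnly())` would throw a NullPointerException if the property were reset to null before the context is customized. Capturing the value once inside the `if`, with `final boolean httpOnly = cookie.getHttpOnly();` and then `context.setUseHttpOnly(httpOnly);`, makes the flag applied to the context the one that was checked. Since HttpOnly is what keeps the session cookie away from page scripts, a short comment above the block would also help, for example `// Tomcat needs useHttpOnly on the Context as well as SessionCookieConfig (gh-12580)`. The enclosing method starts outside this hunk.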


@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode;
import org.apache.catalina.Context;
import org.apache.catalina.Valve;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.valves.AccessLogValve;
import org.apache.catalina.valves.ErrorReportValve;
import org.apache.catalina.valves.RemoteIpValve;
@ -734,6 +736,18 @@ public class ServerPropertiesTests {
"spring-boot-*.jar");
}
@Test
public void customTomcatHttpOnlyCookie() throws Exception {
this.properties.getSession().getCookie().setHttpOnly(false);
TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
this.properties.customize(factory);
EmbeddedServletContainer container = factory.getEmbeddedServletContainer();
Tomcat tomcat = ((TomcatEmbeddedServletContainer) container).getTomcat();
StandardContext context = (StandardContext) tomcat.getHost().findChildren()[0];
assertThat(context.getUseHttpOnly()).isFalse();
container.stop();
}
@Test
public void defaultUseForwardHeadersUndertow() throws Exception {
UndertowEmbeddedServletContainerFactory container = spy(
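Review bot: `container.stop()` at the end of `customTomcatHttpOnlyCookie` is skipped when the cast of `findChildren()[0]` or the assertion throws, so a failing run would presumably leave the embedded Tomcat instance alive for the tests that follow. Moving the cleanup into a `finally`, as in `try { assertThat(context.getUseHttpOnly()).isFalse(); } finally { container.stop(); }`, makes it unconditional. The test covers only the explicit `false` setting. A companion case that leaves the property unset and asserts the context keeps its HttpOnly default would pin the security-relevant path where the customizer is not registered.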