[JAVA] SameSite cookie in Spring Boot (Spring Web MVC + Tomcat)

I tried to find out how to use SameSite cookie with Spring Boot (Spring Web MVC + Tomcat).

What is SameSite Cookie?

See the MDN documentation.

Tomcat SameSite cookie support

Tomcat serializes the javax.servlet.http.Cookie to a string in order to write the cookie to the HTTP response. Serialization is done through the ʻorg.apache.tomcat.util.http.CookieProcessor interface. ʻOrg.apache.tomcat.util.http.Rfc6265CookieProcessor is provided as an implementation class, but you can add the SameSite attribute using the setSameSiteCookies method of this Rfc6265CookieProcessor class.

The Rfc6265CookieProcessor set to add the SameSite attribute must be set in ʻorg.apache.catalina.Context`, but for the time being, if it can be used in Spring Boot, that's fine, so we will skip the customization method with Tomcat alone.

Customize Cookie Processor with Spring Boot

In Spring Boot, you can customize Tomcat's Context by providing a component that implements the ʻorg.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer` interface.

You can add the SameSite attribute to a cookie with the following implementation class.

package com.example;

import org.apache.catalina.Context;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.stereotype.Component;

@Component
public class SameSiteCookieTomcatContextCustomizer implements TomcatContextCustomizer {

    @Override
    public void customize(final Context context) {
        final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
        cookieProcessor.setSameSiteCookies("Lax");
        context.setCookieProcessor(cookieProcessor);
    }
}

--Complete code example https://github.com/backpaper0/spring-boot-sandbox/tree/master/samesite-cookie-demo

Spring Session has SameSite attribute by default

As @tokuhirom told me, [When using Spring Session, SameSite attribute is added by default](https://github.com/spring-projects/spring-session/blob/2.2.0.RELEASE/spring -session-core / src / main / java / org / springframework / session / web / http / DefaultCookieSerializer.java # L88) It seems.

Summary

I found that there are two ways to use SameSite cookie in Spring Boot (Spring Web MVC + Tomcat).

--Prepare a component that implements TomcatContextCustomizer and set the customized Rfc6265CookieProcessor in Context. --Use Spring Session

Recommended Posts

SameSite cookie in Spring Boot (Spring Web MVC + Tomcat)
Test controller with Mock MVC in Spring Boot
Set context-param in Spring Boot
Spring Boot 2 multi-project in Gradle
[Spring Boot] Web application creation
Major changes in Spring Boot 1.5
NoHttpResponseException in Spring Boot + WireMock
Sample web application that handles multiple databases in Spring Boot 1.5
Spring Boot Hello World in Eclipse
Spring Boot application development in Eclipse
Write test code in Spring Boot
Implement REST API in Spring Boot
What is @Autowired in Spring boot?
Implement Spring Boot application in Gradle
Thymeleaf usage notes in Spring Boot
Spring Boot 2.0.0 does not start built-in tomcat
Launch (old) Spring Boot project in IntelliJ
Build Spring Boot + Docker image in Gradle
Static file access priority in Spring boot
Output Spring Boot log in json format
Local file download memorandum in Spring Boot
Create Java Spring Boot project in IntelliJ
Loosen Thymeleaf syntax checking in Spring Boot
Automatically deploy a web application developed in Java using Jenkins [Spring Boot application]
Start web application development with Spring Boot
Deploy the WEB application by Spring Boot to Tomcat server as WAR
[Practice! ] Display Hello World in Spring Boot
How Dispatcher servlet works in Spring MVC
Use DynamoDB query method in Spring Boot
Try Spring Boot 1 (Environment construction ~ Tomcat startup)
DI SessionScope Bean in Spring Boot 2 Filter
Change session timeout time in Spring Boot
Run WEB application with Spring Boot + Thymeleaf
Add SameSite attribute to cookie in Java
Sign in to a Spring Boot web application on the Microsoft ID platform
Major changes related to Spring Framework 5.0 Web MVC
Asynchronous processing with regular execution in Spring Boot
Run a Spring Boot project in VS Code
Output request and response log in Spring Boot
Use Servlet filter in Spring Boot [Spring Boot 1.x, 2.x compatible]
How to add a classpath in Spring Boot
Java tips-Create a Spring Boot project in Gradle
How to bind to property file in Spring Boot
The official name of Spring MVC is Spring Web MVC
Create a web api server with spring boot
Annotations used in Spring Boot task management tool
View the Gradle task in the Spring Boot project
Challenge Spring Boot
MVC in Eclipse.
Spring Boot Form
Spring Boot Memorandum
gae + spring boot
Memorandum (Spring Web)
Specify the encoding of static resources in Spring Boot
Include external jar in package with Spring boot2 + Maven3
Spring Boot application built-in Tomcat, Apache and WebSocket integration
Please note that Spring Boot + Tomcat 8.5.8 cannot be used!
I checked asynchronous execution of queries in Spring Boot 1.5.9
Spring Security usage memo: Cooperation with Spring MVC and Boot
How to create a Spring Boot project in IntelliJ
SSO with GitHub OAuth in Spring Boot 1.5.x environment