Disable HttpOnly in Spring Boot

I would like to disable the HttpOnly session cookies, which I believe are the default for Spring Boot. How do I disable HttpOnly in Spring Boot?

I currently have code like this, for example:

```java
@RequestMapping(value = "/stuff", method = GET)
public @ResponseBody MyObject doStuff(HttpSession session) {
    session.setAttribute("foo", "bar");   // touching the session creates it and sends JSESSIONID
    return new MyObject();
}
```

Calling it over HTTP returns this response header:

```http
Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly
```

Note the HttpOnly flag. I would like to disable this. How do I do that?

Side note: yes, I know that HttpOnly is a security feature and that by disabling it JavaScript can access my cookie, i.e. XSS.

Apart from that, I have no configuration other than the standard one:

```java
@ComponentScan
@EnableAutoConfiguration
public class WebApplication {
    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(WebApplication.class);
        app.run(args);
    }
}
```
+11
java spring spring-boot
4 answers

Tomcat has a context attribute called useHttpOnly, which the documentation describes as:

"Should the HttpOnly flag be set on session cookies to prevent client-side script from accessing the session ID? Defaults to true."

So you need to set it to false. That configuration applies to a non-embedded Tomcat, so we need a way to do the same with the embedded Tomcat.

Here is how you do it. Declare an @Bean method that adds an EmbeddedServletContainerFactory to the context, and configure the returned TomcatEmbeddedServletContainerFactory with a TomcatContextCustomizer that sets the corresponding property:

```java
import java.util.Arrays;

import org.apache.catalina.Context;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
    return factory;
}

// Applied to the embedded Tomcat Context before it starts
static class CustomCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        context.setUseHttpOnly(false);
    }
}
```

This solution works because you are using Tomcat. With different Servlet containers, the solution will be different.

+4

Another alternative to the accepted answer, which fits Spring Boot, is to implement EmbeddedServletContainerCustomizer.

First, implement the interface:

```java
@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application implements EmbeddedServletContainerCustomizer {
    // customize() override goes here
}
```

Then add an override of the customize method:

```java
@Override
public void customize(final ConfigurableEmbeddedServletContainer container) {
    ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer() {
        @Override
        public void customize(Context context) {
            context.setUseHttpOnly(false);
        }
    });
}
```

By the way, I found that httpOnly was not configured at all for me, so I had to use this method to enable httpOnly (obviously, in my case the parameter above is "true").

You can also use this method to configure other things in Tomcat, such as enabling gzip for JSON and increasing the maximum HTTP header size (I needed to do this for Kerberos authentication):

```java
((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer() {
    @Override
    public void customize(final Connector connector) {
        AbstractHttp11Protocol<?> httpProtocol = (AbstractHttp11Protocol<?>) connector.getProtocolHandler();
        httpProtocol.setMaxHttpHeaderSize(65536);   // Kerberos/SPNEGO tokens make the Authorization header large
        httpProtocol.setCompression("on");
        httpProtocol.setCompressionMinSize(256);
        String mimeTypes = httpProtocol.getCompressableMimeTypes();
        String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
        httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
    }
});
```
+12
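The two answers above are written against the Spring Boot 1.x EmbeddedServletContainer API, which was removed in Spring Boot 2.0. The following is an added example, not code from the question or any answer, showing the same Tomcat context customization against the 2.x/3.x API (WebServerFactoryCustomizer and TomcatServletWebServerFactory). The class name SessionCookieConfig, the bean name and the app.session.cookie.http-only property are my own; the Spring and Tomcat types are real.

```java
// Added example (not from the question or any answer): the Tomcat context
// customization from the answers above, rewritten for the Spring Boot 2.x/3.x
// API. Class name, bean name and the app.session.cookie.http-only property are
// my own choices; the Spring and Tomcat types are real.
import org.apache.catalina.Context;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionCookieConfig {

    // Defaults to true so the HttpOnly flag stays on unless the deployment
    // opts out explicitly in application.properties; false makes JSESSIONID
    // readable through document.cookie, which is exactly the XSS exposure
    // the question acknowledges.
    @Value("${app.session.cookie.http-only:true}")
    private boolean httpOnly;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> sessionCookieCustomizer() {
        // TomcatContextCustomizer is a functional interface; Tomcat calls it once
        // per deployed Context, before the container starts.
        TomcatContextCustomizer useHttpOnly = (Context context) -> context.setUseHttpOnly(httpOnly);
        return factory -> factory.addContextCustomizers(useHttpOnly);
    }
}
```

If HttpOnly is the only thing you need to change, the server.servlet.session.cookie.http-only property mentioned in the last answer does the same without any code; a customizer like this is only worth it when you also need other Context settings that have no property.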

At least on Spring Boot >= 1.4 it's even easier; just use the following property:

```properties
server.session.cookie.http-only= # "HttpOnly" flag for the session cookie.
```

as described in the official documentation.

+4
```properties
server.servlet.session.cookie.http-only=false
```

(Property updated)

Reference: https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html

0
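Whichever of the mechanisms above you use, the thing to verify is the Set-Cookie header the server actually emits. The following is an added example in plain Java, not from any answer, that parses a Set-Cookie header value and reports whether the HttpOnly attribute is present, so the result of a property change or customizer can be checked against captured responses. The class name SetCookieAudit is my own, and the sample headers are constructed from the one quoted in the question.

```java
// Added example (not from any answer): parse a Set-Cookie header value and
// report whether the session cookie carries the HttpOnly attribute.
// Class name is my own; the sample headers are constructed from the question.
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public final class SetCookieAudit {

    /** Parsed form of "NAME=VALUE; attr; attr=value ...". Attribute names are stored lower-cased. */
    public static final class ParsedCookie {
        public final String name;
        public final String value;
        public final Map<String, String> attributes = new LinkedHashMap<>();

        ParsedCookie(String name, String value) {
            this.name = name;
            this.value = value;
        }

        /** Attribute names are case-insensitive per RFC 6265, so compare lower-cased. */
        public boolean hasAttribute(String attr) {
            return attributes.containsKey(attr.toLowerCase(Locale.ROOT));
        }
    }

    /** Splits one Set-Cookie value into the cookie pair and its attribute list. */
    public static ParsedCookie parse(String header) {
        String[] parts = header.split(";");
        String[] nv = parts[0].trim().split("=", 2);
        if (nv.length != 2 || nv[0].isEmpty()) {
            throw new IllegalArgumentException("not a cookie pair: " + parts[0]);
        }
        ParsedCookie cookie = new ParsedCookie(nv[0].trim(), nv[1].trim());
        for (int i = 1; i < parts.length; i++) {
            String[] av = parts[i].trim().split("=", 2);   // flag attributes (HttpOnly) have no value
            if (av[0].isEmpty()) {
                continue;
            }
            cookie.attributes.put(av[0].toLowerCase(Locale.ROOT), av.length == 2 ? av[1].trim() : "");
        }
        return cookie;
    }

    /** Returns the findings for a session cookie; an empty list means HttpOnly is present. */
    public static List<String> audit(String header) {
        ParsedCookie cookie = parse(header);
        List<String> findings = new ArrayList<>();
        if (!cookie.hasAttribute("HttpOnly")) {
            findings.add(cookie.name + ": missing HttpOnly, value is readable from document.cookie");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed samples: the first is the header quoted in the question, the second is
        // the same cookie as emitted after setUseHttpOnly(false) or http-only=false.
        String[] samples = {
            "JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly",
            "JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/"
        };
        for (String sample : samples) {
            List<String> findings = audit(sample);
            System.out.println(sample + " -> " + (findings.isEmpty() ? "OK" : findings));
        }
    }
}
```

Running the class prints OK for the first sample and the missing-HttpOnly finding for the second, which is the header you get once the flag has been switched off by any of the answers above.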
