Commit 4d84933e authored by Phillip Webb's avatar Phillip Webb

Also call setHttpOnly property on Tomcat context

Update `ServerProperties` to also call `setHttpOnly` on the
`TomcatContext`. It appears that this is required in addition to
using the `ServletContextInitializer` to set up `SessionCookieConfig`.

Closes gh-12580
parent b03f8905
...@@ -864,6 +864,17 @@ public class ServerProperties ...@@ -864,6 +864,17 @@ public class ServerProperties
.getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) { .getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) {
customizeErrorReportValve(factory); customizeErrorReportValve(factory);
} }
Cookie cookie = serverProperties.getSession().getCookie();
if (cookie.getHttpOnly() != null) {
factory.addContextCustomizers(new TomcatContextCustomizer() {
@Override
public void customize(Context context) {
context.setUseHttpOnly(cookie.getHttpOnly());
}
});
}
} }
private void customizeErrorReportValve( private void customizeErrorReportValve(
......
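Review bot: Inside the anonymous `TomcatContextCustomizer`, `cookie.getHttpOnly()` is read a second time and auto-unboxed when the context is customized, so the null check made outside the class no longer guards that call if the property changes in between. Capturing the value once inside the `if` keeps the check and the use together: `final boolean httpOnly = cookie.getHttpOnly();` followed by `context.setUseHttpOnly(httpOnly);`. Because a value of `false` lets client-side script read the session cookie, a comment such as `// Tomcat applies its own useHttpOnly setting to the session cookie, so SessionCookieConfig alone is not enough` would tell the next reader why both paths exist. The enclosing method begins outside this hunk.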
...@@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode; ...@@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode;
import org.apache.catalina.Context; import org.apache.catalina.Context;
import org.apache.catalina.Valve; import org.apache.catalina.Valve;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.valves.AccessLogValve; import org.apache.catalina.valves.AccessLogValve;
import org.apache.catalina.valves.ErrorReportValve; import org.apache.catalina.valves.ErrorReportValve;
import org.apache.catalina.valves.RemoteIpValve; import org.apache.catalina.valves.RemoteIpValve;
...@@ -734,6 +736,18 @@ public class ServerPropertiesTests { ...@@ -734,6 +736,18 @@ public class ServerPropertiesTests {
"spring-boot-*.jar"); "spring-boot-*.jar");
} }
@Test
public void customTomcatHttpOnlyCookie() throws Exception {
this.properties.getSession().getCookie().setHttpOnly(false);
TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
this.properties.customize(factory);
EmbeddedServletContainer container = factory.getEmbeddedServletContainer();
Tomcat tomcat = ((TomcatEmbeddedServletContainer) container).getTomcat();
StandardContext context = (StandardContext) tomcat.getHost().findChildren()[0];
assertThat(context.getUseHttpOnly()).isFalse();
container.stop();
}
@Test @Test
public void defaultUseForwardHeadersUndertow() throws Exception { public void defaultUseForwardHeadersUndertow() throws Exception {
UndertowEmbeddedServletContainerFactory container = spy( UndertowEmbeddedServletContainerFactory container = spy(
......
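Review bot: `customTomcatHttpOnlyCookie` calls `container.stop()` only after the assertion, so a failing assertion would leave the embedded container unstopped (assuming it is running by then) for the tests that follow; `try { assertThat(context.getUseHttpOnly()).isFalse(); } finally { container.stop(); }` avoids that. The test also covers only the `false` case. A companion test that leaves the property unset and asserts `getUseHttpOnly()` is still true would catch a regression that silently drops the HttpOnly flag from the session cookie. `findChildren()[0]` presumably relies on the factory registering exactly one context, which may be worth a short comment.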