How to set SameSite:Strict for all cookies in spring 5 - spring

Can anyone tell me how to add SameSite:Strict to all cookies created in Spring 5.1? I know that in Spring 4 this attribute was not supported, but since Spring 5.1 it can be declared as shown here!
But I don't know how to apply this to my project. Where should I put it? Please help me! Thanks!

I cannot add the SameSite attribute to my project using Spring because the javax.servlet.http.Cookie object doesn't support this attribute. But I could customize the cookie header in Apache Tomcat (version 9.0.11) by adding the following line to conf/context.xml:
<Context allowCasualMultipartParsing="true">
...
<CookieProcessor className="org.apache.tomcat.custom.coyote.TomcatCoyoteCustomer"/>
</Context>
And then create a project "CustomCookieProcessor" with a TomcatCoyoteCustomer class that extends the Rfc6265CookieProcessor class, override the generateHeader method and append "SameSite:Strict" to the cookie header. Finally, I copied the jar file of the "CustomCookieProcessor" project to Tomcat's lib folder. You can read more details about Apache Tomcat's CookieProcessor here!
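A sketch of the processor described in the answer above, added here as an example and not the answerer's own code. It assumes Tomcat 9.0.11 with the `javax.servlet` API, where the container calls the one-argument `generateHeader(Cookie)`; the class name comes from the context.xml line, `withSameSite` is a hypothetical helper, and the attribute is written in its wire form `SameSite=Strict`.

```java
package org.apache.tomcat.custom.coyote;

import java.util.Locale;
import javax.servlet.http.Cookie;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;

/**
 * Added example: appends SameSite=Strict to every Set-Cookie value that
 * Tomcat generates. withSameSite is a hypothetical helper name.
 */
public class TomcatCoyoteCustomer extends Rfc6265CookieProcessor {

    // Assumption: Tomcat 9.0.11, where this one-argument overload is the
    // method the container calls when it writes a Set-Cookie header.
    @Override
    public String generateHeader(Cookie cookie) {
        return withSameSite(super.generateHeader(cookie));
    }

    /** Returns the header value carrying exactly one SameSite attribute. */
    static String withSameSite(String header) {
        String[] parts = header.split(";");
        // parts[0] is the name=value pair; it is kept even if the cookie
        // itself happens to be named "SameSite...".
        StringBuilder out = new StringBuilder(parts[0].trim());
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            String lower = attr.toLowerCase(Locale.ROOT);
            // Drop a SameSite attribute set upstream so the browser never
            // sees two conflicting values on one cookie.
            boolean sameSite = lower.equals("samesite") || lower.startsWith("samesite=");
            if (!attr.isEmpty() && !sameSite) {
                out.append("; ").append(attr);
            }
        }
        return out.append("; SameSite=Strict").toString();
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured traffic.
        System.out.println(withSameSite("JSESSIONID=abc123; Path=/app; HttpOnly"));
        System.out.println(withSameSite("theme=dark; SameSite=None; Secure"));
    }
}
```

Where the running Tomcat supports the `sameSiteCookies` attribute on `<CookieProcessor>`, setting it to `strict` gives the same result without a custom class.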

Related

Can anyone tell how to change the default view from index.jsp to any other file present inside a folder in spring webmvc

I have created a Spring MVC web project. I am trying to change the default view/root view from index.jsp to another file with a different name, which is present inside a folder instead of webapps. I have used Java-based configuration instead of XML-based configuration. I have also set the prefix and the suffix in WebMvcConfigurerAdapter. After running the program, it shows "No mapping found for HTTP request with URI [/AAAService/] in DispatcherServlet with name 'dispatcher'". Can anyone help me with it?

How can I create jsp page in springboot project?

I have a Spring Boot project in IntelliJ IDEA using Maven, and when I want to create a JSP page with a name like "index.jsp", it is disabled and not active as a JSP page. Please help.
How can I solve that problem?
Inside /src/main/resources/application.properties (if you don't have this file, create it),
append the following:
spring.mvc.view.prefix: /WEB-INF/jsp/
spring.mvc.view.suffix: .jsp
Please note your JSP must be inside the WEB-INF/jsp/ folder. If you want it in another folder, just change the value of this property.

LegacyCookieProcessor in standalone Tomcat and Spring Boot [duplicate]

My code is working on Tomcat 8 version 8.0.33, but on 8.5.4 I get:
An invalid domain [.mydomain] was specified for this cookie.
I have found that Rfc6265CookieProcessor was introduced in the latest Tomcat 8 versions.
It says in the official docs that this can be reverted to LegacyCookieProcessor in context.xml, but I don't know how.
Please let me know how to do this.
Thanks
You can try in context.xml
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
reference:
https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html
Case 1: You are using Standalone Tomcat & have access to change files in tomcat server
Please follow the answer by @linzkl
Case 2: You are using Standalone Tomcat but you don't have access to change files in tomcat server
Create a new file called context.xml under src/main/webapp/META-INF folder in your application & paste the content given below
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
When you deploy your application in Standalone Tomcat, the context.xml file you placed under META-INF folder will override the context.xml file given in tomcat/conf/context.xml
Note: If you are following this solution, you have to do it for every single application because META-INF/context.xml is application specific
Case 3: You are using Embedded Tomcat
Create a new bean for WebServerFactoryCustomizer
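    import org.apache.catalina.Context;
    import org.apache.tomcat.util.http.LegacyCookieProcessor;
    import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;

    // Place this method in a @Configuration class.
    @Bean
    WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
        return new WebServerFactoryCustomizer<TomcatServletWebServerFactory>() {
            @Override
            public void customize(TomcatServletWebServerFactory tomcatServletWebServerFactory) {
                tomcatServletWebServerFactory.addContextCustomizers(new TomcatContextCustomizer() {
                    @Override
                    public void customize(Context context) {
                        // Swap the default RFC 6265 processor for the legacy one
                        context.setCookieProcessor(new LegacyCookieProcessor());
                    }
                });
            }
        };
    }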
Enabling the LegacyCookieProcessor which is used in previous versions of Tomcat has solved the problem in my application. As linzkl mentioned this is explained in Apache's website https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html.
The reason is that the new version of Tomcat does not understand the . (dot) in front of the domain name of the Cookie being used.
Also, make sure to check this post when you are using Internet Explorer. Apparently, it's very likely to break.
You can find context.xml in the following path.
tomcat8/conf/context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- The contents of this file will be loaded for each web application -->
<Context>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!-- <Manager pathname="" /> -->
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"/>
</Context>
The problem is still present with Tomcat 9. The same process needs to be followed for Tomcat 9 to set the class.
Add the class in the context.xml file.
If you are using Eclipse to run the application, you need to set it in the context.xml file in the server folder. Refer to the screenshot below for more reference.
Hope this helps someone.
SameSite issue in Tomcat versions < 8.5.47 has been resolved
In Tomcat 8.5.47 and below (Tomcat 8 versions), setting the CookieProcessor tag to enable SameSite (as given below) in context.xml does not work due to a bug in Tomcat.
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="none" />
If you find yourself in this situation where it is not an easy thing to upgrade Tomcat immediately (which I faced recently), or if you find any other case where you just need custom processing of cookies, you can write your own CookieProcessor class to get around it.
Please find a custom CookieProcessor implementation and details of its deployment steps here.
In my case I wrote a custom CookieProcessor based on the LegacyCookieProcessor source code that allows Tomcat 8.5.47 to enable the SameSite attribute in cookies.
As mentioned by @atul, this issue persists in Tomcat 9. It will most likely persist moving forward with all future versions of Tomcat, since this is the new standard.
Using the legacy cookie processor (by adding the line above to the context.xml file) is working well for us. However, the true 'fix' is to adjust how your cookie is formed in the first place. This will need to be done in your application, not in Tomcat.
The new cookie processor does not allow the domain to start with a . (dot). Adjusting your cookie (if possible) to start with a value other than that will fix this problem without reverting to the old, legacy cookie processor.
Also, it should be obvious, but I didn't see it mentioned above: after updating the context.xml file, you need to restart the Tomcat service for the change to take effect.
Cheers!

How can I display a JBoss property in JSTL (without using Java)?

I’m using JBoss 7.1.3 and Spring 3.2.11.RELEASE. I have this property defined in my $JBOSS_HOME/standalone/configuration/standalone.xml file
<system-properties>
<property name="myProperty" value="myValue"/>
…
In my JSP, through JSTL, is it possible to access this value without any additional code in a Java servlet? If I need to put something in a Spring XML application context file to accommodate this, that’s fine with me.
Assuming those are real system properties, just add a ServletContextListener to your application, and in its contextInitialized() method, store the system properties in the servlet context:
servletContext.setAttribute("systemProperties", System.getProperties());
Then, in any JSP:
<c:out value="${systemProperties.myProperty}"/>

Profiling for different environment Spring MVC

I'm working on a Maven Spring project, and I'm running Spring 3.0.7.
In my .js file I use a URL for the jQuery ajax call like the following:
url : "/myProjectName/controllerName/MethodName"
In the jdbc.properties file my userName & password are like the following:
jdbc.username=root
jdbc.password=
and some others like this. This is what I do when I work on my PC.
But before uploading my application, I have to change these as follows:
url : "/controllerName/MethodName"
jdbc.username=myName
jdbc.password=myPass
So what I am doing now is changing this manually every time before uploading my jar to the server.
Now I am wondering if there is any way to do this so that I don't have to change these values manually every time before uploading it to the server. I read about profiling, but I don't know how to use it.
How to do this? Example code is highly appreciated.
You can add a 'profile' attribute to your Spring configuration file.
Look at the 'Enter bean definition profiles' section here.
Use the code below to set your Spring profile; maybe you can do this in your ServletContextListener.
System.setProperty(AbstractEnvironment.DEFAULT_PROFILES_PROPERTY_NAME, [YOUR PROFILE]);
Load both XML files below; only the file matching the active profile will take effect.
In develop.xml
<beans ... profile="develop">
... beans here will only be loaded while profile is 'develop'
</beans>
In server.xml
<beans ... profile="server">
... beans here will only be loaded while profile is 'server'
</beans>
