Turn off HttpOnly in Spring Boot

2022-09-02 20:12:40

I want to turn off HttpOnly for the session cookie, which I believe is the default in Spring Boot. How do I turn off HttpOnly in Spring Boot?

I currently have code like this:

import javax.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import static org.springframework.web.bind.annotation.RequestMethod.GET;

@RequestMapping(value = "/stuff", method = GET)
public @ResponseBody
MyObject doStuff(HttpSession session)
{
        // Writing to the session makes the container create it and emit JSESSIONID
        session.setAttribute("foo", "bar");
        return new MyObject();
}

This returns the following response header on the HTTP call:

Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly 

Note the HttpOnly flag. I want to turn it off. How do I do that?

P.S. Yes, I know httpOnly is a security feature, and turning it off allows JavaScript to access my cookie, i.e. XSS.

Also, I don't have any configuration other than the defaults.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;

@ComponentScan
@EnableAutoConfiguration
public class WebApplication {

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(WebApplication.class);
        app.run(args);
    }
}

Answer 1

Another alternative to the accepted answer, suitable for Spring Boot, is to override EmbeddedServletContainerCustomizer.

First, implement the interface:

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application implements EmbeddedServletContainerCustomizer

Then add an override for the customize method:

@Override
public void customize(final ConfigurableEmbeddedServletContainer container)
{
    // The cast assumes the embedded container is Tomcat (the Spring Boot default)
    ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer()
    {
        @Override
        public void customize(Context context)
        {
            // Controls whether Tomcat appends the HttpOnly attribute to JSESSIONID
            context.setUseHttpOnly(false);
        }
    });
}

By the way, I found that httpOnly was not being set for me at all. So I had to use this approach to turn httpOnly on (obviously with the setting above being "true").

You can also use this method to tweak other things in Tomcat, for example turning on gzip for JSON and increasing the maximum HTTP header size (which I needed in the case of Kerberos authentication):

((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer()
{
    @Override
    public void customize(final Connector connector)
    {
        AbstractHttp11Protocol httpProtocol = (AbstractHttp11Protocol) connector.getProtocolHandler();
        // Larger header limit, e.g. for long Kerberos/SPNEGO Authorization headers
        httpProtocol.setMaxHttpHeaderSize(65536);
        // Enable gzip for responses of at least 256 bytes and add JSON to the compressible types
        httpProtocol.setCompression("on");
        httpProtocol.setCompressionMinSize(256);
        String mimeTypes = httpProtocol.getCompressableMimeTypes();
        String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
        httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
    }
});

Answer 2
server.servlet.session.cookie.http-only=false 

(The property has been updated.)

Reference: https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
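Both answers target different Spring Boot generations: answer 1 uses the Spring Boot 1.x EmbeddedServletContainerCustomizer API, answer 2 the 2.x property name. The following is an added example, not code from the question or either answer, showing the Spring Boot 2.x counterparts of both approaches side by side. It assumes Spring Boot 2.x with embedded Tomcat, a hypothetical package name, and a hypothetical property `app.session.cookie.http-only` whose default keeps the flag on, so that a missing entry never silently removes it.

```java
package example.session; // hypothetical package name

import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionCookieConfiguration {

    // Hypothetical property (assumption, not a Spring Boot property).
    // Defaults to true so the HttpOnly flag is only dropped when explicitly requested.
    @Value("${app.session.cookie.http-only:true}")
    private boolean httpOnly;

    /**
     * Container-independent way (Servlet 3.0+ SessionCookieConfig): works on any
     * embedded server, not only Tomcat. This is the same mechanism that the
     * server.servlet.session.cookie.http-only property from answer 2 drives.
     */
    @Bean
    public ServletContextInitializer sessionCookieInitializer() {
        return (ServletContext servletContext) -> {
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            cookie.setHttpOnly(httpOnly);
        };
    }

    /**
     * Tomcat-specific way: the Spring Boot 2.x equivalent of answer 1's
     * addContextCustomizers call, using Tomcat's own useHttpOnly switch.
     * Only one of the two beans is needed; both are shown for comparison.
     */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatHttpOnlyCustomizer() {
        return factory -> factory.addContextCustomizers(
                context -> context.setUseHttpOnly(httpOnly));
    }
}
```

To check the effect, request the endpoint that creates the session (`curl -i http://localhost:8080/stuff` for the question's mapping) and inspect the Set-Cookie header: with the property left at its default the JSESSIONID line still ends in HttpOnly, and only `app.session.cookie.http-only=false` removes it.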
