samesite-examples
Create java-tomcat9.md
Approach to set up cookies for Java and Tomcat 9
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
Please visit https://cla.developers.google.com/ to sign.
Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.
What to do if you already signed the CLA
Individual signers
- It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.
Corporate signers
- Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
- The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
- The email used to register you as an authorized contributor must also be attached to your GitHub account.
ℹ️ Googlers: Go here for more info.
@googlebot I signed it!
Apologies, I don't have recent Tomcat experience, so just trying to understand. Is this to set None for a specific cookie or is it setting it for all cookies?
Hi @rowan-m, this configuration is for all the cookies.
The example I shared is for a simple use case, like creating the APIs using a Spring Boot application and deploying the WAR file in an Apache Tomcat server.
Would you be able to change this to show setting SameSite=Lax for the default value and how to set SameSite=None for specific cookies that need it? I appreciate the contribution, but I definitely don't want to encourage setting SameSite=None on all cookies as it's unlikely to be the desired configuration.
I don't have an idea how to handle the use case you stated. I will check and update in the comments.
@rowan-m, for conditionally adding the cookies we can do it programmatically; I was not able to do it through the server, though. Sample code in Spring Boot can be:
```java
package com.api.filter;

import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
@Order(1)
public class TokenFilter extends OncePerRequestFilter {

    /**
     * Same contract as for {@code doFilter}, but guaranteed to be
     * just invoked once per request within a single request thread.
     * See {@link #shouldNotFilterAsyncDispatch()} for details.
     * <p>Provides HttpServletRequest and HttpServletResponse arguments instead of the
     * default ServletRequest and ServletResponse ones.
     *
     * @param request
     * @param response
     * @param filterChain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        // Pre-flight requests and the root path are answered directly without touching cookies.
        if ("OPTIONS".equalsIgnoreCase(request.getMethod()) || request.getRequestURI().equalsIgnoreCase("/")) {
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        if (updateCookie(request)) {
            // javax.servlet.http.Cookie has no SameSite setter in the Servlet 4.0 API that Tomcat 9
            // implements, so the attribute has to be written into the Set-Cookie header itself.
            // "token=<value>" is a placeholder: the cookie name and value are not part of this sample.
            // Secure is mandatory, because browsers drop SameSite=None cookies that are not Secure.
            response.addHeader("Set-Cookie", "token=<value>; Secure; SameSite=None");
        }
        // Always continue the chain; otherwise requests for the other URIs never reach the application.
        filterChain.doFilter(request, response);
    }

    // Only these endpoints hand out a cookie that is meant to be sent cross-site.
    private boolean updateCookie(HttpServletRequest request) {
        String uri = request.getRequestURI();
        return uri.contains("/200_response")
                || uri.contains("/api/token")
                || uri.contains("/api/encryption")
                || uri.contains("/healthCheck");
    }
}
```
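The Lax-by-default, None-only-where-needed variant that @rowan-m asked for, as an added example that is not part of this pull request or of the contributor's snippet. It assumes Spring Boot on Tomcat 9 (Servlet 4.0 API, so the attribute is still written into the Set-Cookie header), and `cross_site_session` is a constructed placeholder for the cookie names that genuinely need cross-site delivery.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter: SameSite=Lax on every cookie, SameSite=None only for an allowlist. */
@Component
@Order(1)
public class SameSiteFilter extends OncePerRequestFilter {
    // Constructed allowlist: the only cookies that must be sent on cross-site requests.
    private static final Set<String> CROSS_SITE_COOKIES = Collections.singleton("cross_site_session");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        chain.doFilter(request, response); // let the application set its cookies first
        if (response.isCommitted()) {
            return; // headers are already on the wire; nothing can be rewritten any more
        }
        List<String> headers = new ArrayList<>(response.getHeaders("Set-Cookie"));
        for (int i = 0; i < headers.size(); i++) {
            String value = withSameSite(headers.get(i), CROSS_SITE_COOKIES);
            if (i == 0) response.setHeader("Set-Cookie", value); // first call replaces all existing values
            else response.addHeader("Set-Cookie", value);
        }
    }

    /** Appends a SameSite attribute unless the Set-Cookie value already carries one. */
    static String withSameSite(String setCookie, Set<String> crossSiteNames) {
        String lower = setCookie.toLowerCase();
        int eq = setCookie.indexOf('=');
        if (eq < 0 || lower.contains("samesite=")) {
            return setCookie; // malformed, or an explicit attribute chosen by the application wins
        }
        if (crossSiteNames.contains(setCookie.substring(0, eq).trim())) {
            // Browsers reject SameSite=None without Secure, so add it when it is missing.
            String secure = lower.contains("; secure") ? "" : "; Secure";
            return setCookie + secure + "; SameSite=None";
        }
        return setCookie + "; SameSite=Lax";
    }
}
```

Because the rewrite happens after the chain returns, it only works while the response is still buffered; a handler that flushes a body larger than Tomcat's response buffer commits the headers first and is skipped by the `isCommitted()` check.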