Add SameSite cookie support for servlet web servers

Update Tomcat, Jetty and Undertow `ServletWebServerFactory`
implementations so that they can write SameSite cookie attributes.

The session cookie will be customized whenever the
`server.servlet.session.cookie.same-site` property is set.

Other cookies can be customized with the new `CookieSameSiteSupplier`
interface which can be registered using `@Bean` methods.

Closes gh-20971

Co-authored-by Andy Wilkinson <[email protected]>

Author: philwebb

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,6 +41,7 @@
 import org.springframework.boot.web.server.WebServerFactoryCustomizerBeanPostProcessor;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.boot.web.servlet.WebListenerRegistrar;
+import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
@@ -73,9 +74,11 @@ public class ServletWebServerFactoryAutoConfiguration {
 
 	@Bean
 	public ServletWebServerFactoryCustomizer servletWebServerFactoryCustomizer(ServerProperties serverProperties,
-			ObjectProvider<WebListenerRegistrar> webListenerRegistrars) {
+			ObjectProvider<WebListenerRegistrar> webListenerRegistrars,
+			ObjectProvider<CookieSameSiteSupplier> cookieSameSiteSuppliers) {
 		return new ServletWebServerFactoryCustomizer(serverProperties,
-				webListenerRegistrars.orderedStream().collect(Collectors.toList()));
+				webListenerRegistrars.orderedStream().collect(Collectors.toList()),
+				cookieSameSiteSuppliers.orderedStream().collect(Collectors.toList()));
 	}
 
 	@Bean

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryCustomizer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,11 +24,13 @@
 import org.springframework.boot.web.server.WebServerFactoryCustomizer;
 import org.springframework.boot.web.servlet.WebListenerRegistrar;
 import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
+import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
 import org.springframework.core.Ordered;
+import org.springframework.util.CollectionUtils;
 
 /**
- * {@link WebServerFactoryCustomizer} to apply {@link ServerProperties} to servlet web
- * servers.
+ * {@link WebServerFactoryCustomizer} to apply {@link ServerProperties} and
+ * {@link WebListenerRegistrar WebListenerRegistrars} to servlet web servers.
  *
  * @author Brian Clozel
  * @author Stephane Nicoll
@@ -41,16 +43,24 @@ public class ServletWebServerFactoryCustomizer
 
 	private final ServerProperties serverProperties;
 
-	private final Iterable<WebListenerRegistrar> webListenerRegistrars;
+	private final List<WebListenerRegistrar> webListenerRegistrars;
+
+	private final List<CookieSameSiteSupplier> cookieSameSiteSuppliers;
 
 	public ServletWebServerFactoryCustomizer(ServerProperties serverProperties) {
 		this(serverProperties, Collections.emptyList());
 	}
 
 	public ServletWebServerFactoryCustomizer(ServerProperties serverProperties,
 			List<WebListenerRegistrar> webListenerRegistrars) {
+		this(serverProperties, webListenerRegistrars, null);
+	}
+
+	ServletWebServerFactoryCustomizer(ServerProperties serverProperties,
+			List<WebListenerRegistrar> webListenerRegistrars, List<CookieSameSiteSupplier> cookieSameSiteSuppliers) {
 		this.serverProperties = serverProperties;
 		this.webListenerRegistrars = webListenerRegistrars;
+		this.cookieSameSiteSuppliers = cookieSameSiteSuppliers;
 	}
 
 	@Override
@@ -77,6 +87,9 @@ public void customize(ConfigurableServletWebServerFactory factory) {
 		for (WebListenerRegistrar registrar : this.webListenerRegistrars) {
 			registrar.register(factory);
 		}
+		if (!CollectionUtils.isEmpty(this.cookieSameSiteSuppliers)) {
+			factory.setCookieSameSiteSuppliers(this.cookieSameSiteSuppliers);
+		}
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryAutoConfigurationTests.java

@@ -51,7 +51,9 @@
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.boot.web.servlet.ServletRegistrationBean;
 import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
+import org.springframework.boot.web.servlet.server.AbstractServletWebServerFactory;
 import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
+import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
 import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
@@ -369,6 +371,14 @@ void forwardedHeaderFilterWhenFilterAlreadyRegisteredShouldBackOff() {
 				.run((context) -> assertThat(context).hasSingleBean(FilterRegistrationBean.class));
 	}
 
+	@Test
+	void cookieSameSiteSuppliersAreApplied() {
+		this.contextRunner.withUserConfiguration(CookieSameSiteSupplierConfiguration.class).run((context) -> {
+			AbstractServletWebServerFactory webServerFactory = context.getBean(AbstractServletWebServerFactory.class);
+			assertThat(webServerFactory.getCookieSameSiteSuppliers()).hasSize(2);
+		});
+	}
+
 	private ContextConsumer<AssertableWebApplicationContext> verifyContext() {
 		return this::verifyContext;
 	}
@@ -656,4 +666,19 @@ FilterRegistrationBean<ForwardedHeaderFilter> testForwardedHeaderFilter() {
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	static class CookieSameSiteSupplierConfiguration {
+
+		@Bean
+		CookieSameSiteSupplier cookieSameSiteSupplier1() {
+			return CookieSameSiteSupplier.ofLax().whenHasName("test1");
+		}
+
+		@Bean
+		CookieSameSiteSupplier cookieSameSiteSupplier2() {
+			return CookieSameSiteSupplier.ofNone().whenHasName("test2");
+		}
+
+	}
+
 }

spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/servlet.adoc

@@ -588,6 +588,39 @@ TIP: See the {spring-boot-autoconfigure-module-code}/web/ServerProperties.java[`
 
 
 
+[[web.servlet.embedded-container.customizing.samesite]]
+===== SameSite Cookies
+The `SameSite` cookie attribute can be used by web browsers to control if and how cookies are submitted in cross-site requests.
+The attribute is particularly relevant for modern web browsers which have started to change the default value that is used when the attribute is missing.
+
+If you want to change the `SameSite` attribute of your session cookie, you can use the configprop:server.servlet.session.cookie.same-site[] property.
+This property is supported by auto-configured Tomcat, Jetty and Undertow servers.
+It is also used to configure Spring Session servlet based `SessionRepository` beans.
+
+For example, if you want your session cookie to have a `SameSite` attribute of `None`, you can add the following to you `application.properties` or `application.yaml` file:
+
+[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
+----
+	server:
+	  servlet:
+	    session:
+	      cookie:
+	        same-site: "none"
+----
+
+If you want to change the `SameSite` attribute on other cookies added to your `HttpServletResponse`, you can use a `CookieSameSiteSupplier`.
+The `CookieSameSiteSupplier` is passed a `Cookie` and may return a `SameSite` value, or `null`.
+
+There are a number of convenience factory and filter methods that you can use to quickly match specific cookies.
+For example, adding the following bean will automatically apply a `SameSite` of `Lax` for all cookies with a name that matches the regular expression `myapp.*`.
+
+[source,java,indent=0,subs="verbatim"]
+----
+include::{docs-java}/web/servlet/embeddedcontainer/customizing/samesite/MySameSiteConfiguration.java[]
+----
+
+
+
 [[web.servlet.embedded-container.customizing.programmatic]]
 ===== Programmatic Customization
 If you need to programmatically configure your embedded servlet container, you can register a Spring bean that implements the `WebServerFactoryCustomizer` interface.

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/servlet/embeddedcontainer/customizing/samesite/MySameSiteConfiguration.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2012-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.docs.web.servlet.embeddedcontainer.customizing.samesite;
+
+import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration(proxyBeanMethods = false)
+public class MySameSiteConfiguration {
+
+	@Bean
+	public CookieSameSiteSupplier applicationCookieSameSiteSupplier() {
+		return CookieSameSiteSupplier.ofLax().whenHasNameMatching("myapp.*");
+	}
+
+}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java

@@ -33,6 +33,13 @@
 import java.util.List;
 import java.util.Set;
 
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.eclipse.jetty.http.HttpCookie;
 import org.eclipse.jetty.http.MimeTypes;
 import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
 import org.eclipse.jetty.server.AbstractConnector;
@@ -41,6 +48,7 @@
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.ErrorHandler;
@@ -63,16 +71,19 @@
 import org.eclipse.jetty.webapp.Configuration;
 import org.eclipse.jetty.webapp.WebAppContext;
 
+import org.springframework.boot.web.server.Cookie.SameSite;
 import org.springframework.boot.web.server.ErrorPage;
 import org.springframework.boot.web.server.MimeMappings;
 import org.springframework.boot.web.server.Shutdown;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.boot.web.servlet.ServletContextInitializer;
 import org.springframework.boot.web.servlet.server.AbstractServletWebServerFactory;
+import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
 import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
 import org.springframework.context.ResourceLoaderAware;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
 
@@ -199,6 +210,9 @@ private Handler addHandlerWrappers(Handler handler) {
 		if (StringUtils.hasText(getServerHeader())) {
 			handler = applyWrapper(handler, JettyHandlerWrappers.createServerHeaderHandlerWrapper(getServerHeader()));
 		}
+		if (!CollectionUtils.isEmpty(getCookieSameSiteSuppliers())) {
+			handler = applyWrapper(handler, new SuppliedSameSiteCookieHandlerWrapper(getCookieSameSiteSuppliers()));
+		}
 		return handler;
 	}
 
@@ -245,6 +259,10 @@ protected final void configureWebAppContext(WebAppContext context, ServletContex
 
 	private void configureSession(WebAppContext context) {
 		SessionHandler handler = context.getSessionHandler();
+		SameSite sessionSameSite = getSession().getCookie().getSameSite();
+		if (sessionSameSite != null) {
+			handler.setSameSite(HttpCookie.SameSite.valueOf(sessionSameSite.name()));
+		}
 		Duration sessionTimeout = getSession().getTimeout();
 		handler.setMaxInactiveInterval(isNegative(sessionTimeout) ? -1 : (int) sessionTimeout.getSeconds());
 		if (getSession().isPersistent()) {
@@ -661,4 +679,66 @@ private Class<? extends EventListener> loadClass(WebAppContext context, String c
 
 	}
 
+	/**
+	 * {@link HandlerWrapper} to apply {@link CookieSameSiteSupplier supplied}
+	 * {@link SameSite} cookie values.
+	 */
+	private static class SuppliedSameSiteCookieHandlerWrapper extends HandlerWrapper {
+
+		private final List<CookieSameSiteSupplier> suppliers;
+
+		SuppliedSameSiteCookieHandlerWrapper(List<CookieSameSiteSupplier> suppliers) {
+			this.suppliers = suppliers;
+		}
+
+		@Override
+		public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
+				throws IOException, ServletException {
+			HttpServletResponse wrappedResponse = new ResposeWrapper(response);
+			super.handle(target, baseRequest, request, wrappedResponse);
+		}
+
+		class ResposeWrapper extends HttpServletResponseWrapper {
+
+			ResposeWrapper(HttpServletResponse response) {
+				super(response);
+			}
+
+			@Override
+			public void addCookie(Cookie cookie) {
+				SameSite sameSite = getSameSite(cookie);
+				if (sameSite != null) {
+					String comment = HttpCookie.getCommentWithoutAttributes(cookie.getComment());
+					String sameSiteComment = getSameSiteComment(sameSite);
+					cookie.setComment((comment != null) ? comment + sameSiteComment : sameSiteComment);
+				}
+				super.addCookie(cookie);
+			}
+
+			private String getSameSiteComment(SameSite sameSite) {
+				switch (sameSite) {
+				case NONE:
+					return HttpCookie.SAME_SITE_NONE_COMMENT;
+				case LAX:
+					return HttpCookie.SAME_SITE_LAX_COMMENT;
+				case STRICT:
+					return HttpCookie.SAME_SITE_STRICT_COMMENT;
+				}
+				throw new IllegalStateException("Unsupported SameSite value " + sameSite);
+			}
+
+			private SameSite getSameSite(Cookie cookie) {
+				for (CookieSameSiteSupplier supplier : SuppliedSameSiteCookieHandlerWrapper.this.suppliers) {
+					SameSite sameSite = supplier.getSameSite(cookie);
+					if (sameSite != null) {
+						return sameSite;
+					}
+				}
+				return null;
+			}
+
+		}
+
+	}
+
 }