Cookie name prefix __Host- is added only when https is used

WE2-967

Signed-off-by: Sven Mitt <[email protected]>

Author: svenzik

…/config/SameSiteCookieConfiguration.java …/example/config/CookieConfiguration.javaexample/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java renamed to example/src/main/java/eu/webeid/example/config/CookieConfiguration.java example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java renamed to example/src/main/java/eu/webeid/example/config/CookieConfiguration.java

@@ -23,13 +23,16 @@
 package eu.webeid.example.config;
 
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
+import org.springframework.boot.web.server.WebServerFactoryCustomizer;
+import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
-public class SameSiteCookieConfiguration implements WebMvcConfigurer {
+public class CookieConfiguration implements WebMvcConfigurer {
 
     @Bean
     public TomcatContextCustomizer configureSameSiteCookies() {
@@ -39,4 +42,16 @@ public TomcatContextCustomizer configureSameSiteCookies() {
             context.setCookieProcessor(cookieProcessor);
         };
     }
+
+    @Bean
+    @ConditionalOnExpression("'${web-eid-auth-token.validation.local-origin}'.startsWith('http:')")
+    public WebServerFactoryCustomizer<ConfigurableServletWebServerFactory> httpSessionCookieCustomizer() {
+        return factory -> factory.addInitializers(servletContext -> servletContext.getSessionCookieConfig().setName("JSESSIONID"));
+    }
+
+    @Bean
+    @ConditionalOnExpression("'${web-eid-auth-token.validation.local-origin}'.startsWith('https:')")
+    public WebServerFactoryCustomizer<ConfigurableServletWebServerFactory> httpsSessionCookieCustomizer() {
+        return factory -> factory.addInitializers(servletContext -> servletContext.getSessionCookieConfig().setName("__Host-JSESSIONID"));
+    }
 }

example/src/main/resources/application.properties

@@ -1,2 +1 @@
 spring.profiles.active=dev
-server.servlet.session.cookie.name=__Host-JSESSIONID

example/src/test/java/eu/webeid/example/config/CookieHttpTest.java

@@ -0,0 +1,28 @@
+package eu.webeid.example.config;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.SessionCookieConfig;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext;
+import org.springframework.test.context.TestPropertySource;
+
+@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
+@TestPropertySource(properties = {"web-eid-auth-token.validation.local-origin=http://localhost"})
+class CookieHttpTest {
+
+    @Autowired
+    private ServletWebServerApplicationContext context;
+
+    @Test
+    void whenLocalOriginStartsWithHttp_thenCookeDoesNotHaveHostPrefix() {
+        ServletContext servletContext = context.getServletContext();
+        SessionCookieConfig cookieConfig = servletContext.getSessionCookieConfig();
+        assertThat(cookieConfig.getName()).isEqualTo("JSESSIONID");
+    }
+
+}

example/src/test/java/eu/webeid/example/config/CookieHttpsTest.java

@@ -0,0 +1,28 @@
+package eu.webeid.example.config;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.SessionCookieConfig;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext;
+import org.springframework.test.context.TestPropertySource;
+
+@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
+@TestPropertySource(properties = {"web-eid-auth-token.validation.local-origin=https://localhost"})
+class CookieHttpsTest {
+
+    @Autowired
+    private ServletWebServerApplicationContext context;
+
+    @Test
+    void whenLocalOriginStartsWithHttp_thenCookeDoesNotHaveHostPrefix() {
+        ServletContext servletContext = context.getServletContext();
+        SessionCookieConfig cookieConfig = servletContext.getSessionCookieConfig();
+        assertThat(cookieConfig.getName()).isEqualTo("__Host-JSESSIONID");
+    }
+
+}