Ensure cookie is secure

RallySoftware · Feb 5, 2020 · 0859748 · 0859748
1 parent 7966233
commit 0859748
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 14 deletions.
diff --git a/mujina-common/pom.xml b/mujina-common/pom.xml
@@ -21,7 +21,7 @@
   <parent>
     <groupId>org.openconext</groupId>
     <artifactId>mujina</artifactId>
-    <version>7.2.0</version>
+    <version>7.3.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

diff --git a/mujina-idp/pom.xml b/mujina-idp/pom.xml
@@ -21,7 +21,7 @@
   <parent>
     <groupId>org.openconext</groupId>
     <artifactId>mujina</artifactId>
-    <version>7.2.0</version>
+    <version>7.3.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

diff --git a/mujina-idp/src/main/java/mujina/idp/WebSecurityConfigurer.java b/mujina-idp/src/main/java/mujina/idp/WebSecurityConfigurer.java
@@ -29,6 +29,7 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
+import javax.servlet.SessionCookieConfig;
 import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
 import java.net.URISyntaxException;
@@ -44,6 +45,9 @@
 @EnableWebSecurity
 public class WebSecurityConfigurer implements WebMvcConfigurer {
 
+  @Value("${secure_cookie}")
+  private boolean secureCookie;
+
   @Bean
   @Autowired
   public SAMLMessageHandler samlMessageHandler(@Value("${idp.clock_skew}") int clockSkew,
@@ -96,7 +100,12 @@ public JKSKeyManager keyManager(@Value("${idp.entity_id}") String idpEntityId,
   @Bean
   public ServletContextInitializer servletContextInitializer() {
     //otherwise the two localhost instances override each other session
-    return servletContext -> servletContext.getSessionCookieConfig().setName("mujinaIdpSessionId");
+    return servletContext -> {
+      SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
+      sessionCookieConfig.setName("mujinaIdpSessionId");
+      sessionCookieConfig.setSecure(this.secureCookie);
+      sessionCookieConfig.setHttpOnly(true);
+    };
   }
 
   @Configuration

diff --git a/mujina-idp/src/main/resources/application.yml b/mujina-idp/src/main/resources/application.yml
@@ -11,8 +11,8 @@ server:
     session:
       # 8 hours before we time-out
       timeout: 28800
-      cookie:
-        secure: false
+
+secure_cookie: false
 
 # Identity Provider
 idp:
@@ -46,7 +46,7 @@ info:
   build:
     artifact: "@project.artifactId@"
     version: "@project.version@"
-    
+
 # We disable all endpoints except health for the load-balancer and info for git information.
 management:
   endpoints:
@@ -58,4 +58,4 @@ management:
     health:
       enabled: true
     info:
-      enabled: true
+      enabled: true
diff --git a/mujina-sp/pom.xml b/mujina-sp/pom.xml
@@ -21,7 +21,7 @@
   <parent>
     <groupId>org.openconext</groupId>
     <artifactId>mujina</artifactId>
-    <version>7.2.0</version>
+    <version>7.3.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

diff --git a/mujina-sp/src/main/java/mujina/sp/WebSecurityConfigurer.java b/mujina-sp/src/main/java/mujina/sp/WebSecurityConfigurer.java
@@ -45,6 +45,7 @@
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import javax.servlet.Filter;
+import javax.servlet.SessionCookieConfig;
 import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
 import java.net.URI;
@@ -84,6 +85,9 @@ public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
   @Value("${sp.acs_location_path}")
   private String assertionConsumerServiceURLPath;
 
+  @Value("${secure_cookie}")
+  private boolean secureCookie;
+
   private DefaultResourceLoader defaultResourceLoader = new DefaultResourceLoader();
 
   @Bean
@@ -109,7 +113,12 @@ public SAMLEntryPoint samlEntryPoint() {
   @Bean
   public ServletContextInitializer servletContextInitializer() {
     //otherwise the two localhost instances override each other session
-    return servletContext -> servletContext.getSessionCookieConfig().setName("mujinaSpSessionId");
+    return servletContext -> {
+      SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
+      sessionCookieConfig.setName("mujinaSpSessionId");
+      sessionCookieConfig.setSecure(this.secureCookie);
+      sessionCookieConfig.setHttpOnly(true);
+    };
   }
 
   @Override

diff --git a/mujina-sp/src/main/resources/application.yml b/mujina-sp/src/main/resources/application.yml
@@ -11,8 +11,8 @@ server:
     session:
       # 8 hours before we time-out
       timeout: 28800
-      cookie:
-        secure: false
+
+secure_cookie: false
 
 sp:
   # base url
@@ -48,7 +48,7 @@ info:
   build:
     artifact: "@project.artifactId@"
     version: "@project.version@"
-    
+
 # We disable all endpoints except health for the load-balancer and info for git information.
 management:
   endpoints:
@@ -60,4 +60,4 @@ management:
     health:
       enabled: true
     info:
-      enabled: true
+      enabled: true
diff --git a/pom.xml b/pom.xml
@@ -20,7 +20,7 @@
 
   <groupId>org.openconext</groupId>
   <artifactId>mujina</artifactId>
-  <version>7.2.0</version>
+  <version>7.3.0</version>
   <packaging>pom</packaging>
 
   <properties>