Also call setHttpOnly property on Tomcat context

Update `ServerProperties` to also call `setHttpOnly` on the `TomcatContext`. It appears that this is required in addition to using the `ServletContextInitializer` to setup `SessionCookieConfig`. Closes gh-12580
8 years ago · 4d84933ee4
2 changed files with 25 additions and 0 deletions
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@ -864,6 +864,17 @@ public class ServerProperties
				@@ -864,6 +864,17 @@ public class ServerProperties
 					.getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) {
 				customizeErrorReportValve(factory);
 			}
+			Cookie cookie = serverProperties.getSession().getCookie();
+			if (cookie.getHttpOnly() != null) {
+				factory.addContextCustomizers(new TomcatContextCustomizer() {
+
+					@Override
+					public void customize(Context context) {
+						context.setUseHttpOnly(cookie.getHttpOnly());
+					}
+
+				});
+			}
 		}

 		private void customizeErrorReportValve(
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode;
				@@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode;

 import org.apache.catalina.Context;
 import org.apache.catalina.Valve;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.valves.AccessLogValve;
 import org.apache.catalina.valves.ErrorReportValve;
 import org.apache.catalina.valves.RemoteIpValve;
@ -734,6 +736,18 @@ public class ServerPropertiesTests {
				@@ -734,6 +736,18 @@ public class ServerPropertiesTests {
 				"spring-boot-*.jar");
 	}

+	@Test
+	public void customTomcatHttpOnlyCookie() throws Exception {
+		this.properties.getSession().getCookie().setHttpOnly(false);
+		TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
+		this.properties.customize(factory);
+		EmbeddedServletContainer container = factory.getEmbeddedServletContainer();
+		Tomcat tomcat = ((TomcatEmbeddedServletContainer) container).getTomcat();
+		StandardContext context = (StandardContext) tomcat.getHost().findChildren()[0];
+		assertThat(context.getUseHttpOnly()).isFalse();
+		container.stop();
+	}
+
 	@Test
 	public void defaultUseForwardHeadersUndertow() throws Exception {
 		UndertowEmbeddedServletContainerFactory container = spy(