From 4d84933ee46ae6095bd916819c7b38f3706f006e Mon Sep 17 00:00:00 2001
From: Phillip Webb
Date: Wed, 30 May 2018 12:02:46 -0700
Subject: [PATCH] Also call setHttpOnly property on Tomcat context

Update `ServerProperties` to also call `setHttpOnly` on the `TomcatContext`. It appears that this is required in addition to using the `ServletContextInitializer` to setup `SessionCookieConfig`.

Closes gh-12580
---
 .../boot/autoconfigure/web/ServerProperties.java | 11 +++++++++++
 .../autoconfigure/web/ServerPropertiesTests.java | 14 ++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
index 1ad128448ca..fe8dac9a37d 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@@ -864,6 +864,17 @@ public class ServerProperties
 .getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) {
 customizeErrorReportValve(factory);
 }
+ Cookie cookie = serverProperties.getSession().getCookie();
+ if (cookie.getHttpOnly() != null) {
+ factory.addContextCustomizers(new TomcatContextCustomizer() {
+
+ @Override
+ public void customize(Context context) {
+ context.setUseHttpOnly(cookie.getHttpOnly());
+ }
+
+ });
+ }
 }

 private void customizeErrorReportValve(
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
index c15666133b5..571af472e7b 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
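Review bot: The new customizer block carries no comment saying why the context-level flag is set on top of the `SessionCookieConfig` path that the `ServletContextInitializer` already configures, so a later reader may drop one of the two as redundant; the reason is only in the commit message and belongs above the `if`, e.g. `// The SessionCookieConfig set up by the ServletContextInitializer is not sufficient on its own for Tomcat (gh-12580); mirror the configured value on the Context so an explicit false also takes effect.` The same comment should say that a null `httpOnly` deliberately leaves Tomcat's own context default untouched, which is what the `!= null` guard preserves. If this module still compiles at a Java source level below 8, `cookie` has to be declared `final` to be captured by the anonymous `TomcatContextCustomizer`; the hunk shows it without `final`. The enclosing method starts before the hunk, and its closing brace is the ` }` context line after the added block.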
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
@@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode;

 import org.apache.catalina.Context;
 import org.apache.catalina.Valve;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.valves.AccessLogValve;
 import org.apache.catalina.valves.ErrorReportValve;
 import org.apache.catalina.valves.RemoteIpValve;
@@ -734,6 +736,18 @@ public class ServerPropertiesTests {
 "spring-boot-*.jar");
 }
 
+ @Test
+ public void customTomcatHttpOnlyCookie() throws Exception {
+ this.properties.getSession().getCookie().setHttpOnly(false);
+ TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
+ this.properties.customize(factory);
+ EmbeddedServletContainer container = factory.getEmbeddedServletContainer();
+ Tomcat tomcat = ((TomcatEmbeddedServletContainer) container).getTomcat();
+ StandardContext context = (StandardContext) tomcat.getHost().findChildren()[0];
+ assertThat(context.getUseHttpOnly()).isFalse();
+ container.stop();
+ }
+
 @Test
 public void defaultUseForwardHeadersUndertow() throws Exception {
 UndertowEmbeddedServletContainerFactory container = spy(
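Review bot: `container.stop()` in `customTomcatHttpOnlyCookie` runs only when the assertion passes, so a failing run leaves the container obtained from `getEmbeddedServletContainer()` behind for the rest of the class; wrap it as `try { assertThat(context.getUseHttpOnly()).isFalse(); } finally { container.stop(); }` (whether the container is already started at that point is not visible here). The test also pins only the explicit `false` case; a companion test that leaves `httpOnly` unset and asserts `context.getUseHttpOnly()` keeps Tomcat's default would protect the `!= null` guard in `ServerProperties` from being simplified away. The method is complete within the hunk; the enclosing test class continues outside it.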