? ? ? 通过安全扫描工具对spring技术栈开发的应用进行漏洞检查时,通常会扫描出关于cookie相关的漏洞,其中一个是:?Cookie without SameSite attribute,对于其描述通常如下:?
When cookies lack the SameSite attribute, Web browsers may apply different and
Cookie cookie = new Cookie("test_001", UriUtils.encode("123457890", "UTF-8"));
cookie.setPath("/");
cookie.setMaxAge(-1);
cookie.setHttpOnly(true);
Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE);
boolean firstHeader = true;
for (String header : headers) { // there can be multiple Set-Cookie attributes
if (firstHeader) {
response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; SameSite=%s", header, this.cookieSameSite));
firstHeader = false;
continue;
}
response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; SameSite=%s", header, this.cookieSameSite));
}3. 对于springboot2.6及以上版本,设置:server.session.cookie.same-site=LAX
但对于springboot2.6以下版本来说,利用spring security本身的机制解决此问题没有统一的方式。考虑到spring在写http header时利用了org.springframework.security.web.header.HeaderWriter,所以可以通过自定义一个SameSiteCookieHeaderWriter来实现。具体实现如下:
? a) 实现一个自定义HeaderWriter:?SameSiteCookieHeaderWriter
? ??
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.web.header.HeaderWriter;
/**
* 安全问题: Cookie without SameSite attribute
*
*/
public class SameSiteCookieHeaderWriter implements HeaderWriter {
private String cookieSameSite;
public SameSiteCookieHeaderWriter(String cookieSameSite) {
this.cookieSameSite = cookieSameSite;
if (this.cookieSameSite.equalsIgnoreCase("NONE") || this.cookieSameSite.equalsIgnoreCase("LAX")
|| this.cookieSameSite.equalsIgnoreCase("STRICT")) {
this.cookieSameSite = "LAX";
} else {
this.cookieSameSite = this.cookieSameSite.toUpperCase();
}
}
/*
*(non-Javadoc)
* @see org.springframework.security.web.header.HeaderWriter#writeHeaders(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
@Override
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE);
boolean firstHeader = true;
for (String header : headers) { // there can be multiple Set-Cookie attributes
if (firstHeader) {
response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; SameSite=%s", header, this.cookieSameSite));
firstHeader = false;
continue;
}
response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; SameSite=%s", header, this.cookieSameSite));
}
}
}b) 在WebSecurityConfigurerAdapter的configure(HttpSecurity http) 中加上此SameSiteHeaderWriter
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http. //
cors().and(). //
csrf().disable().//
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 设置 X-Frame-Options
// disable 是没有 X-Frame-Options
// 没有 disable 就是 DENY
// sameOrigin 就是 SAMEORIGIN
http.headers().frameOptions().sameOrigin(); // disable submit dc99635
// http.headers().frameOptions().disable(); // 按配置来
http.headers().xssProtection().xssProtectionEnabled(true).block(true);
http.headers().addHeaderWriter(new SameSiteCookieHeaderWriter("LAX"));
}
}
这种方法相对来说比较优雅,其原理是利用springsecurity的HeaderWriter机制将原来的Set-Cookie重写了。