
Turn off HttpOnly Spring Boot

I would like to turn off HttpOnly sessions which I believe are default for Spring Boot. How would I turn off HttpOnly on Spring Boot?

I currently have code such as:

@RequestMapping(value = "/stuff", method = GET)
public @ResponseBody MyObject doStuff(HttpSession session)
{
        session.setAttribute("foo", "bar");
        return  new MyObject();
}

This returns a response header on the HTTP call:

Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly 

Note the HttpOnly flag. I would like to turn that off. How do I do so?

Side note: Yes, I know that httpOnly is a security feature and that turning it off allows JavaScript to access my cookie, i.e. XSS.

Also, I do not have any configuration other than default.

@ComponentScan
@EnableAutoConfiguration
public class WebApplication {

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(WebApplication.class);
        app.run(args);
    }
}

Another alternative to the accepted answer that fits into Spring Boot is overriding the customize method of your EmbeddedServletContainerCustomizer.

First, implement the interface:

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application implements EmbeddedServletContainerCustomizer

Then add an override for the customize method:

@Override
public void customize(final ConfigurableEmbeddedServletContainer container)
{
    ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer()
    {
        @Override
        public void customize(Context context)
        {
            context.setUseHttpOnly(false);
        }
    });
}

Incidentally, I found that the httpOnly wasn't being set at all for me, so I had to use this method to turn httpOnly on (obviously my setting above is 'true').

You can also use this method to adjust other things in Tomcat, such as turning on gzip for JSON and expanding the max HTTP header size (in the case of Kerberos authentication I needed to do this):

((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer()
{
    @Override
    public void customize(final Connector connector)
    {
        AbstractHttp11Protocol httpProtocol = (AbstractHttp11Protocol) connector.getProtocolHandler();
        httpProtocol.setMaxHttpHeaderSize(65536);
        httpProtocol.setCompression("on");
        httpProtocol.setCompressionMinSize(256);
        String mimeTypes = httpProtocol.getCompressableMimeTypes();
        String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
        httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
    }
});

At least on Spring Boot >= 1.4, it's even easier, just use the following property:

server.servlet.session.cookie.http-only= # "HttpOnly" flag for the session cookie. configuration property.

as documented in the official documentation.

Tomcat has a context attribute named useHttpOnly which checks:

Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

So you need to set it to false. The configuration linked applies to non-embedded Tomcat servers. We need to find a way to do it with embedded Tomcat.

Here's how you do it. You declare a @Bean method for adding an EmbeddedServletContainerFactory to the context. You configure the returned TomcatEmbeddedServletContainerFactory by specifying a TomcatContextCustomizer which configures the appropriate property.

@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
    return factory;
}

static class CustomCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        context.setUseHttpOnly(false);
    }
}

This solution works because you are using Tomcat. With different Servlet containers, the solution would be different.
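The answers above target the Spring Boot 1.x API (EmbeddedServletContainerCustomizer, TomcatEmbeddedServletContainerFactory). The following is an added example, not code from the question or any of the answers, showing the equivalent TomcatContextCustomizer registration for Spring Boot 2.x (WebServerFactoryCustomizer and TomcatServletWebServerFactory) together with an integration test that fetches the endpoint from the question and checks the Set-Cookie header for the HttpOnly attribute, so a change to the flag is verified on the wire rather than assumed. Assumptions: Spring Boot 2.x with spring-boot-starter-web and spring-boot-starter-test on the classpath (javax.servlet, JUnit 5); the USE_HTTP_ONLY constant, the StuffController class and the hasAttribute helper are constructed for this example.

```java
package example;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;

import javax.servlet.http.HttpSession;

import org.apache.catalina.Context;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (Spring Boot 2.x); starts embedded Tomcat on a random port.
@SpringBootTest(classes = SessionCookieHttpOnlyTest.App.class,
                webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class SessionCookieHttpOnlyTest {

    // Mirrors the question's endpoint: touching the session makes Tomcat emit JSESSIONID.
    @RestController
    static class StuffController {
        @GetMapping("/stuff")
        public Map<String, String> doStuff(HttpSession session) {
            session.setAttribute("foo", "bar");
            return Collections.singletonMap("foo", "bar");
        }
    }

    // Minimal application context; no component scan, so only the beans below exist.
    @Configuration
    @EnableAutoConfiguration
    static class App {
        // Constructed setting: true keeps the safe default, false reproduces what the question asks for.
        static final boolean USE_HTTP_ONLY = true;

        @Bean
        StuffController stuffController() {
            return new StuffController();
        }

        // Spring Boot 2.x equivalent of the TomcatContextCustomizer registration in the answers above.
        @Bean
        WebServerFactoryCustomizer<TomcatServletWebServerFactory> httpOnlyCustomizer() {
            return factory -> factory.addContextCustomizers(
                    (Context context) -> context.setUseHttpOnly(USE_HTTP_ONLY));
        }
    }

    @Autowired
    TestRestTemplate rest;

    // Case-insensitive check for a cookie attribute (RFC 6265 attribute names are case-insensitive).
    static boolean hasAttribute(String setCookie, String attribute) {
        String wanted = attribute.toLowerCase(Locale.ROOT);
        return Arrays.stream(setCookie.split(";"))
                .map(part -> part.trim().toLowerCase(Locale.ROOT))
                .anyMatch(part -> part.equals(wanted) || part.startsWith(wanted + "="));
    }

    @Test
    void sessionCookieHonoursUseHttpOnlySetting() {
        ResponseEntity<String> response = rest.getForEntity("/stuff", String.class);
        String setCookie = response.getHeaders().getFirst(HttpHeaders.SET_COOKIE);
        assertNotNull(setCookie, "the endpoint should create a session and emit JSESSIONID");
        assertTrue(setCookie.startsWith("JSESSIONID="), "unexpected cookie: " + setCookie);
        // The flag on the wire must match the configured value, whichever way it was set.
        assertEquals(App.USE_HTTP_ONLY, hasAttribute(setCookie, "HttpOnly"));
    }
}
```

The context customizer runs after Spring Boot has applied its own session cookie settings, so it takes precedence over the server.servlet.session.cookie.http-only property mentioned in the other answer; whichever mechanism you use, keeping a test like this in the build catches a regression in the cookie flags when Tomcat or Spring Boot is upgraded.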
