Java: turn off HttpOnly in Spring Boot

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license, cite the original address and author information, and attribute it to the original author (not me). Original StackOverflow question: http://stackoverflow.com/questions/22428233/

Date: 2020-08-13 15:39:35  Source: igfitidea

Turn off HttpOnly Spring boot

Tags: java, spring, spring-boot, httponly

Asked by Nick Humrich

I would like to turn off HttpOnly sessions which I believe are default for Spring Boot. How would I turn off HttpOnly on spring boot?

I currently have code such as:

@RequestMapping(value = "/stuff", method = GET)
public @ResponseBody
MyObject doStuff(HttpSession session)
{
    // Touching the session makes the container issue the JSESSIONID cookie.
    session.setAttribute("foo", "bar");
    return new MyObject();
}

This returns a response header on the HTTP call:

Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly 

Note the HttpOnly flag. I would like to turn that off. How do I do so?

Side note: Yes I know that httpOnly is a security feature and by turning it off allows javascript to access my cookie i.e. XSS.

Also, I do not have any configuration other than default.

@ComponentScan
@EnableAutoConfiguration
public class WebApplication {

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(WebApplication.class);
        app.run(args);
    }
}
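A practitioner changing this setting wants a way to confirm what the application actually sends. The following checker is an added example, not code from the StackOverflow post: it parses Set-Cookie header values of the form shown above and reports session cookies that lack the HttpOnly attribute (and, as an extra check beyond the question, the Secure attribute). The sample headers at the bottom are constructed; the first one mirrors the header quoted in the question.

```java
// Added example (not from the StackOverflow post): parse Set-Cookie header
// values and report session cookies that are missing the HttpOnly or Secure
// attribute. Run it over the headers an application returns to confirm that a
// configuration change took effect.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SessionCookieCheck {

    /** Parsed view of one Set-Cookie header value. */
    static final class CookieInfo {
        final String name;
        final String value;
        // Lower-cased attribute name -> attribute value ("" for flag attributes such as HttpOnly).
        final Map<String, String> attributes = new LinkedHashMap<>();

        CookieInfo(String name, String value) {
            this.name = name;
            this.value = value;
        }

        boolean has(String attribute) {
            return attributes.containsKey(attribute.toLowerCase(Locale.ROOT));
        }
    }

    /** Parse a header value such as "JSESSIONID=abc; Path=/; HttpOnly" (attribute names are case-insensitive). */
    static CookieInfo parse(String headerValue) {
        String[] parts = headerValue.split(";");
        String[] nameValue = parts[0].trim().split("=", 2);
        CookieInfo info = new CookieInfo(nameValue[0].trim(), nameValue.length > 1 ? nameValue[1].trim() : "");
        for (int i = 1; i < parts.length; i++) {
            String[] attr = parts[i].trim().split("=", 2);
            String attrName = attr[0].trim().toLowerCase(Locale.ROOT);
            if (attrName.isEmpty()) {
                continue;
            }
            info.attributes.put(attrName, attr.length > 1 ? attr[1].trim() : "");
        }
        return info;
    }

    /** Findings for every Set-Cookie header that sets the session cookie without HttpOnly or Secure. */
    static List<String> findings(List<String> setCookieHeaders, String sessionCookieName) {
        List<String> out = new ArrayList<>();
        for (String header : setCookieHeaders) {
            CookieInfo cookie = parse(header);
            if (!cookie.name.equals(sessionCookieName)) {
                continue; // only the session cookie is of interest here
            }
            if (!cookie.has("HttpOnly")) {
                out.add(cookie.name + ": HttpOnly missing (cookie readable from page scripts)");
            }
            if (!cookie.has("Secure")) {
                out.add(cookie.name + ": Secure missing (cookie may be sent over plain HTTP)");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers; the first mirrors the header shown in the question.
        List<String> headers = Arrays.asList(
                "JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly",
                "JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/",
                "theme=dark; Path=/");
        for (String finding : findings(headers, "JSESSIONID")) {
            System.out.println(finding);
        }
    }
}
```

With the constructed input the first header is flagged only for the missing Secure attribute, the second for both attributes, and the non-session cookie is ignored. Feeding it the headers captured from a running instance (for example from the HTTP client's response) shows directly whether the HttpOnly change described on this page has been applied.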

Accepted answer by Sotirios Delimanolis

Tomcat has a context attribute named useHttpOnly which checks:

Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

So you need to set it to false. The configuration linked applies to non-embedded Tomcat servers. We need to find a way to do it with embedded Tomcat.

Here's how you do it. You declare a @Bean method for adding an EmbeddedServletContainerFactory to the context. You configure the returned TomcatEmbeddedServletContainerFactory by specifying a TomcatContextCustomizer which configures the appropriate property.

import java.util.Arrays;

import org.apache.catalina.Context;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
    return factory;
}

// Applies the Tomcat context setting that controls the HttpOnly flag on the session cookie.
static class CustomCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        context.setUseHttpOnly(false);
    }
}

This solution works because you are using Tomcat. With different Servlet containers, the solution would be different.
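The classes used in the accepted answer belong to Spring Boot 1.x. The following is an added example, not part of the answer, showing the same Tomcat context hook written against the Spring Boot 2.x API, where EmbeddedServletContainerFactory and TomcatEmbeddedServletContainerFactory were replaced by WebServerFactoryCustomizer and TomcatServletWebServerFactory. It wires the flag to a property so that the secure default (HttpOnly on) stays in force unless it is switched off explicitly; the property name app.session.http-only and the endpoint body are assumptions made for this example, and the javax.servlet import applies to Boot 2.x (Boot 3 uses the jakarta.servlet package).

```java
// Added example (not from the accepted answer): the accepted answer's Tomcat
// context customisation on the Spring Boot 2.x API. The property name
// "app.session.http-only" is an assumption for this example.
import javax.servlet.http.HttpSession;

import org.apache.catalina.Context;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class WebApplication {

    public static void main(String[] args) {
        SpringApplication.run(WebApplication.class, args);
    }

    // Touches the session so Tomcat issues the JSESSIONID cookie, like the
    // /stuff handler in the question.
    @GetMapping("/stuff")
    public String doStuff(HttpSession session) {
        session.setAttribute("foo", "bar");
        return "ok";
    }

    // Tomcat-specific hook: Context.setUseHttpOnly is the same setting the
    // accepted answer changes. The default is true (the secure setting), so
    // the flag disappears only when app.session.http-only=false is configured.
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> httpOnlyCustomizer(
            @Value("${app.session.http-only:true}") boolean useHttpOnly) {
        return factory -> factory.addContextCustomizers(
                (Context context) -> context.setUseHttpOnly(useHttpOnly));
    }
}
```

As with the accepted answer, this only applies to the embedded Tomcat container; the property-based approach mentioned further down this page is the container-neutral option, while a customizer like this one is the place for other Tomcat-level settings.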

Answered by JimB

Another alternative to the accepted answer that fits into spring boot is overriding the customize method of your EmbeddedServletContainerCustomizer.

First, implement the interface:

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application implements EmbeddedServletContainerCustomizer

Then add an override for the customize method:

@Override
public void customize(final ConfigurableEmbeddedServletContainer container)
{
    ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer()
    {
        @Override
        public void customize(Context context)
        {
            context.setUseHttpOnly(false);
        }
    });
}

Incidentally, I found that the httpOnly wasn't being set at all for me, so I had to use this method to turn httpOnly on (obviously my setting above is 'true').

You can also use this method to adjust other things in Tomcat, such as turning on gzip for JSON and expanding the max HTTP header size (in the case of Kerberos authentication I needed to do this):

((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer()
{
    @Override
    public void customize(final Connector connector)
    {
        AbstractHttp11Protocol httpProtocol = (AbstractHttp11Protocol) connector.getProtocolHandler();
        httpProtocol.setMaxHttpHeaderSize(65536);
        httpProtocol.setCompression("on");
        httpProtocol.setCompressionMinSize(256);
        String mimeTypes = httpProtocol.getCompressableMimeTypes();
        String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
        httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
    }
});

Answered by Enrico M. Crisostomo

At least on Spring Boot >= 1.4 it's even easier: just use the following property:

server.servlet.session.cookie.http-only= # "HttpOnly" flag for the session cookie.

as documented in the official documentation.