[ https://issues.apache.org/jira/browse/KNOX-2387?focusedWorklogId=446796&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-446796 ]

ASF GitHub Bot logged work on KNOX-2387:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 16/Jun/20 17:55
            Start Date: 16/Jun/20 17:55
    Worklog Time Spent: 10m 
      Work Description: moresandeep commented on a change in pull request #347:
URL: https://github.com/apache/knox/pull/347#discussion_r441037372



##########
File path: gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
##########
@@ -350,26 +350,37 @@ private long getExpiry() {
 
   private void addJWTHadoopCookie(String original, JWT token) {
     LOGGER.addingJWTCookie(token.toString());
-    Cookie c = new Cookie(cookieName,  token.toString());
-    c.setPath("/");
+    /*
+     * In order to account for google chrome changing default value
+     * of SameSite from None to Lax we need to craft Set-Cookie
+     * header to prevent issues with hadoop-jwt cookie.
+     * NOTE: this would have been easier if javax.servlet.http.Cookie supported
+     * SameSite param. Change this back to Cookie impl. after
+     * SameSite header is supported by javax.servlet.http.Cookie.
+     */
+    final StringBuilder setCookie = new StringBuilder(50);
     try {
-      String domain = Urls.getDomainName(original, domainSuffix);
+      setCookie.append(cookieName).append('=').append(token.toString());
+      setCookie.append("; Path=/");
+      final String domain = Urls.getDomainName(original, domainSuffix);
       if (domain != null) {
-        c.setDomain(domain);
+        setCookie.append("; Domain=").append(domain);
       }
-      c.setHttpOnly(true);
+      setCookie.append("; HttpOnly");
       if (secureOnly) {
-        c.setSecure(true);
+        setCookie.append("; Secure");
       }
       if (maxAge != -1) {
-        c.setMaxAge(maxAge);
+        setCookie.append("; Max-Age=").append(maxAge);
       }
-      response.addCookie(c);
+      setCookie.append("; SameSite=None");
+      response.setHeader("Set-Cookie", setCookie.toString());
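Review bot: `response.setHeader("Set-Cookie", setCookie.toString())` at the end of the hunk overwrites any `Set-Cookie` header already present on the response, whereas the removed `response.addCookie(c)` appended a cookie; use `response.addHeader("Set-Cookie", setCookie.toString())` so other cookies set on the same response survive. A second point: `; SameSite=None` is appended unconditionally while `; Secure` is appended only when `secureOnly` is true, and browsers that apply the new default reject `SameSite=None` cookies that lack the `Secure` attribute, so the non-secure branch would still fail on the Chrome versions this change targets; either emit `Secure` whenever `SameSite=None` is emitted, or document that the fix requires `secureOnly`.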

Review comment:

The [javax.servlet.http.Cookie](https://javaee.github.io/javaee-spec/javadocs/javax/servlet/http/Cookie.html) class does not support the `SameSite` property; there is no way to add a param, hence the `Set-Header`.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 446796)
    Time Spent: 0.5h  (was: 20m)

> KnoxSSO broken on recent Chrome browsers (version > 80)
> -------------------------------------------------------
>
>                 Key: KNOX-2387
>                 URL: https://issues.apache.org/jira/browse/KNOX-2387
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxSSO
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 1.4.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Google chrome changed the default behavior of SameSite parameter in 
> Set-Cookie header from None to Lax. This causes partial breakage of Knox SSO. 
> Details about Chrome browser feature - 
> [https://www.chromestatus.com/feature/5088147346030592]
> How it affects - 
> [https://support.okta.com/help/s/article/FAQ-How-Chrome-80-Update-for-SameSite-by-default-Potentially-Impacts-Your-Okta-Environment]
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)