jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

Unable to Add SameSite Cookie Attribute Value in Jetty 12 EE8 environment with Java 17 #12241

Open shrinivas-rudrawar opened 1 week ago

shrinivas-rudrawar commented 1 week ago

Jetty Version : 12

Jetty Environment : ee8

Java Version : 17

Question : Unable to Add SameSite Cookie Attribute Value in Jetty 12 EE8 environment with Java 17

Our application was able to configure the SameSite cookie attribute value through web.xml when using Jetty 9:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <comment>__SAME_SITE_STRICT__</comment>
    </cookie-config>
</session-config>

However, after migrating to Jetty 12 using the EE8 environment, this configuration no longer works through web.xml. It appears that this method of configuration has been removed in Jetty 12. We could not find a valid alternative for this setup in the Jetty documentation.

I attempted to set the SameSite value using SessionHandler in jetty.xml, but was unable to pass a String value to the setSameSite method. I tried the following configuration:

<Set name="handler">
    <New id="SessionHandler" class="org.eclipse.jetty.session.SessionHandler">
        <Set name="sameSite">Lax</Set>
    </New>
</Set>

This resulted in the following error: java.lang.NoSuchMethodException: class org.eclipse.jetty.session.SessionHandler.setSameSite(class java.lang.String). Found setters for org.eclipse.jetty.http.HttpCookie$SameSite

Our application uses the following setup:

Java 17
Jetty 12 as the server
Using EE8 environment
Servlet API version 2.5

Since our application relies on legacy code, we cannot upgrade to a newer version of the Servlet API.

janbartel commented 1 week ago

My answer is still the same as per the jetty mailing list, which I'm reproducing here for anyone else following:

The class org.eclipse.jetty.session.SessionHandler is only intended for non-servlet api code, but you say you have an old servlet api 2.5 webapp that you want to deploy. You should be using one of the ee modules. The servlet api is backward compatible, but the environment with the most similarity - i.e. the one that retains the javax.servlet package names - is the ee8 modules, which would lead you to use the org.eclipse.jetty.ee8.servlet.SessionHandler to configure things like SameSite.

If you are seeing a ClassNotFoundException as per your last email, then you simply don't have the ee8 jars on your classpath. Have a look at the programming migration guide: https://jetty.org/docs/jetty/12/programming-guide/migration/11-to-12.html

Also, as per Simone's response to you on the mailing list, commercial timescale support is available from Webtide at www.webtide.com

shrinivas-rudrawar commented 1 week ago

Thanks Jan Bartel for the reply,

I have identified the SessionHandler class in the following packages in Jetty 12:

org.eclipse.jetty.session.SessionHandler
org.eclipse.jetty.ee8.nested.SessionHandler
org.eclipse.jetty.ee9.nested.SessionHandler
org.eclipse.jetty.ee10.servlet.SessionHandler

To obtain the org/eclipse/jetty/session/SessionHandler, I have added the jetty-session-12.0.8.jar to my classpath. Additionally, to test the org/eclipse/jetty/ee8/nested/SessionHandler, I have included the jetty-ee8-nested-12.0.8.jar in my classpath.

Below is the content of my jetty.xml file:

<Set name="handler">
    <New id="SessionHandler" class="org.eclipse.jetty.ee8.nested.SessionHandler">
        <Set name="sameSite">Lax</Set>
    </New>
</Set>

After adding these JARs to the classpath, I encounter a NoSuchMethodException. This is because the value being passed to the setSameSite Method is a String, and no method exists that accepts a String argument.

sbordet commented 1 week ago

You can just convert the string to the corresponding enum constant:

<New id="SessionHandler" class="org.eclipse.jetty.ee8.nested.SessionHandler">
  <Set name="sameSite">
    <Call class="org.eclipse.jetty.http.HttpCookie$SameSite" name="from">
      <Arg>Lax</Arg>
    </Call>
  </Set>
</New>

I did not actually try, but you get the idea -- it's just Java code in XML format.

joakime commented 1 week ago

@sbordet the original WEB-INF/web.xml configuration should work when the Classloader is setup properly as well.

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <comment>__SAME_SITE_STRICT__</comment>
    </cookie-config>
</session-config>

That is supported on ee8 / ee9 and should work as-is. It is just that the broken classloader setup prevented even reaching the point at which that configuration would be evaluated.

janbartel commented 1 week ago

@joakime hhmmm, looks like supporting same-site via comment might be broken in ee8/9. Let me look into it further. For now, the canonical way to set it is as per @sbordet's suggestion:

<New id="SessionHandler" class="org.eclipse.jetty.ee8.nested.SessionHandler">
  <Set name="sameSite">
    <Call class="org.eclipse.jetty.http.HttpCookie$SameSite" name="from">
      <Arg>Lax</Arg>
    </Call>
  </Set>
</New>
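As an added example, not code from this issue or from the Jetty project, the same configuration that @sbordet and @janbartel show in jetty.xml done in embedded Jetty code, followed by the check the thread never shows: a request that creates a session and an assertion that the Set-Cookie header on the wire actually carries SameSite=Lax. It assumes the Jetty 12.0.x ee8 artifacts (jetty-server, jetty-ee8-servlet and their dependencies) and Java 11 or later on the classpath; the class and method names are those discussed above (ee8.nested.SessionHandler.setSameSite takes HttpCookie.SameSite, and HttpCookie.SameSite.from converts a String, which sbordet notes he did not try), and the servlet, the cookie checker and the ephemeral port are illustrative choices of this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;
import java.util.Locale;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.ee8.nested.SessionHandler;
import org.eclipse.jetty.ee8.servlet.ServletContextHandler;
import org.eclipse.jetty.ee8.servlet.ServletHolder;
import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

/**
 * Added example (not Jetty project code): set SameSite on the ee8 SessionHandler
 * programmatically, then verify the attribute reaches the wire on the session cookie.
 * Assumes the Jetty 12.0.x ee8 jars are on the classpath.
 */
public class SameSiteEe8Example
{
    // Minimal servlet that creates a session so Jetty emits the JSESSIONID cookie.
    public static class TouchSessionServlet extends HttpServlet
    {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException
        {
            req.getSession(true);
            resp.setContentType("text/plain");
            resp.getWriter().println("session created");
        }
    }

    /**
     * True if at least one Set-Cookie header is for cookieName and carries the
     * expected SameSite attribute (attribute compared case-insensitively).
     */
    public static boolean cookieHasSameSite(List<String> setCookieHeaders, String cookieName, String expected)
    {
        String wanted = "samesite=" + expected.toLowerCase(Locale.ROOT);
        for (String header : setCookieHeaders)
        {
            String[] parts = header.split(";");
            if (!parts[0].trim().startsWith(cookieName + "="))
                continue;
            for (int i = 1; i < parts.length; i++)
            {
                if (parts[i].trim().toLowerCase(Locale.ROOT).equals(wanted))
                    return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(0); // ephemeral port: this is a self-check, not a deployment
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new TouchSessionServlet()), "/*");

        // Equivalent of the jetty.xml <Set name="sameSite"> above: the setter takes the
        // HttpCookie.SameSite enum, and SameSite.from("Lax") converts the String to it.
        SessionHandler sessions = context.getSessionHandler();
        sessions.setHttpOnly(true);
        sessions.setSameSite(HttpCookie.SameSite.from("Lax"));

        server.setHandler(context);
        server.start();
        try
        {
            URI uri = URI.create("http://localhost:" + connector.getLocalPort() + "/");
            HttpResponse<String> response = HttpClient.newHttpClient().send(
                HttpRequest.newBuilder(uri).GET().build(),
                HttpResponse.BodyHandlers.ofString());
            List<String> setCookie = response.headers().allValues("Set-Cookie");
            System.out.println("Set-Cookie: " + setCookie);
            if (!cookieHasSameSite(setCookie, "JSESSIONID", "Lax"))
                throw new IllegalStateException("session cookie is missing SameSite=Lax: " + setCookie);
            System.out.println("OK: session cookie carries SameSite=Lax");
        }
        finally
        {
            server.stop();
        }
    }
}
```

The same request-and-inspect step is the check to run against the web.xml route (<comment>__SAME_SITE_STRICT__</comment>) as well, since the thread is unsure whether that path works in ee8/ee9: deploy the webapp that way, fetch a page that creates a session, and confirm the attribute is on the wire rather than trusting the descriptor. If the application ever needs SameSite=None (cross-site embedding), browsers discard such a cookie unless it is also marked Secure, so it must be served over TLS with the Secure attribute set too.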