
Adding Same Site Header to JSESSIONID Spring Security

Google Chrome has introduced changes that require setting the SameSite cookie attribute. In order to achieve this, I added a custom filter as follows:

public class SameSiteFilter extends GenericFilterBean {
    private final Logger LOG = LoggerFactory.getLogger(SameSiteFilter.class);

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = addSameSiteCookieAttribute((HttpServletResponse) response);
        chain.doFilter(request, resp);
    }

    private HttpServletResponse addSameSiteCookieAttribute(HttpServletResponse response) {
        // copy first: the returned collection may be a live view of the response headers
        Collection<String> headers = new ArrayList<>(response.getHeaders(HttpHeaders.SET_COOKIE));
        boolean first = true;
        for (String header : headers) { // append the attributes to every Set-Cookie header
            String value = String.format("%s; %s", header, "SameSite=None; Secure");
            LOG.info(value);
            if (first) {
                response.setHeader(HttpHeaders.SET_COOKIE, value); // replaces all existing values
                first = false;
            } else {
                response.addHeader(HttpHeaders.SET_COOKIE, value);
            }
        }
        return response;
    }
}
Following is the code for the security configuration:

@Configuration
@EnableWebSecurity
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired
    private OnyxUserDetailsService onyxUserDetailsService;

    @Autowired
    private CustomAuthenticationProvider customAuthenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/rest/user", "/info/**/*", "/rest/version/check")
                .permitAll() // access rule not shown in the post; permitAll assumed here
                // ... remaining request matchers omitted in the post ...
                .and().logout()
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(HttpServletRequest request,
                            HttpServletResponse response, Authentication authentication)
                            throws IOException, ServletException {
                        // handler body omitted in the post
                    }
                }).deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .and()
                .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
                .addFilterAfter(new SameSiteFilter(), BasicAuthenticationFilter.class);
        // ... further configuration omitted in the post ...
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // method body omitted in the post
    }
}
However, when I look at the headers received, I get this:

[screenshot of the response headers, not reproduced here]

The filter adds the required fields in all the responses except the one containing the JSESSIONID cookie. How do I add the attributes to this cookie? I tried configuring Tomcat settings, but we deploy the code as a WAR file, so that also did not work.



In order to get around this problem, I added a Filter for sifting through all the responses. Here is the code for the same:

public class SameSiteFilter implements Filter {
    private final Logger LOG = LoggerFactory.getLogger(SameSiteFilter.class);

    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        LOG.info("Same Site Filter Initializing filter :{}", this);
    }

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        LOG.info("Same Site Filter Logging Response :{}", res.getContentType());

        // copy first: modifying the response while iterating a live view of its headers is unsafe
        Collection<String> headers = new ArrayList<>(res.getHeaders(HttpHeaders.SET_COOKIE));
        boolean firstHeader = true;
        for (String header : headers) { // there can be multiple Set-Cookie headers
            // Chrome rejects SameSite=None cookies that are not also Secure
            String value = String.format("%s; %s", header, "SameSite=None; Secure");
            if (firstHeader) {
                res.setHeader(HttpHeaders.SET_COOKIE, value); // replaces all existing Set-Cookie values
                LOG.info("Same Site Filter First Header {}", value);
                firstHeader = false;
            } else {
                res.addHeader(HttpHeaders.SET_COOKIE, value);
                LOG.info("Same Site Filter Remaining Headers {}", value);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        LOG.warn("Same Site Filter Destructing filter :{}", this);
    }
}
This allows for the addition of the required attributes in the response containing the cookie.
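Both the filter in the question and the one in the answer read and rewrite the Set-Cookie headers before calling chain.doFilter, so a cookie that the container adds later in the same request (JSESSIONID is written when the session is first created) is not yet present when the rewrite runs. The following filter, an added example that is not the poster's code, does the rewrite after the chain returns, skips a committed response (its headers are already on the wire), and appends SameSite=None and Secure only when those attributes are absent, so an existing SameSite=Lax or Strict is respected and running the filter twice does not duplicate anything. It assumes the javax.servlet API (the Spring Security 5 / WebSecurityConfigurerAdapter era used on this page) on the classpath; the class and method names and the sample cookie values are constructed for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the poster's code). Rewrites Set-Cookie headers AFTER the rest
 * of the filter chain has run, so cookies the container adds later in the request
 * (JSESSIONID when a session is created) are covered as well.
 * Assumes the javax.servlet API on the classpath.
 */
public class SameSitePostProcessingFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(request, response);            // downstream code sets its cookies first
        if (response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            // Once committed, the headers have been sent and can no longer be changed;
            // a committed response at this point is worth logging and investigating.
            if (!res.isCommitted()) {
                rewriteSetCookieHeaders(res);
            }
        }
    }

    /** Replaces every Set-Cookie header with a copy carrying SameSite=None; Secure. */
    static void rewriteSetCookieHeaders(HttpServletResponse res) {
        // Copy first: the collection may be a live view of the response headers.
        List<String> original = new ArrayList<>(res.getHeaders(SET_COOKIE));
        boolean first = true;
        for (String header : original) {
            String rewritten = withSameSiteNone(header);
            if (first) {
                res.setHeader(SET_COOKIE, rewritten);   // setHeader drops all previous values
                first = false;
            } else {
                res.addHeader(SET_COOKIE, rewritten);
            }
        }
    }

    /**
     * Appends "SameSite=None" and "Secure" only when those attributes are absent.
     * Chrome rejects SameSite=None cookies that are not also marked Secure.
     */
    static String withSameSiteNone(String setCookieValue) {
        StringBuilder sb = new StringBuilder(setCookieValue.trim());
        if (!hasAttribute(setCookieValue, "samesite")) {
            sb.append("; SameSite=None");
        }
        if (!hasAttribute(setCookieValue, "secure")) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    /** Case-insensitive check of the attribute part of a Set-Cookie value (after the first ';'). */
    static boolean hasAttribute(String setCookieValue, String name) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) {      // parts[0] is name=value, the rest are attributes
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals(name) || attr.startsWith(name + "=")) {
                return true;
            }
        }
        return false;
    }

    /** Runs the rewrite on constructed sample values; no servlet container needed. */
    public static void main(String[] args) {
        String[] samples = {
            "JSESSIONID=abc123; Path=/; HttpOnly",    // constructed: container session cookie
            "XSRF-TOKEN=tok; Path=/; Secure",         // constructed: already Secure, only SameSite added
            "pref=1; Path=/; SameSite=Lax; Secure"    // constructed: left untouched
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + withSameSiteNone(s));
        }
    }
}
```

Register it as the outermost filter so that its post-processing is the last thing to run on the way out: in Spring Boot through a FilterRegistrationBean with setOrder(Ordered.HIGHEST_PRECEDENCE), in a WAR as the first filter-mapping in web.xml. For a WAR deployed to a recent Tomcat 8.5 or 9 release, the container-level alternative is a CookieProcessor element with a sameSiteCookies attribute in the WAR's own META-INF/context.xml, which does not depend on a filter at all; check the attribute against the documentation of the Tomcat version actually deployed.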
