springboot之tomcat容器配置http-only和secure
发布于: 2023-09-13 更新于: 2023-09-13 分类于:  阅读次数: 

一:介绍

Secure 属性要求浏览器只在 HTTPS 连接上回传该 Cookie,防止会话标识在明文 HTTP 传输中被监听、截获后泄漏;
HttpOnly 属性禁止页面脚本(document.cookie)读取该 Cookie,用于降低站点存在 XSS 漏洞时会话 Cookie 被窃取的风险。要让 HttpOnly 生效,需要在 SessionCookieConfig 上调用 setHttpOnly(true);Spring Boot 2.x 也可以直接通过 server.servlet.session.cookie.http-only / secure(2.6+ 还有 same-site)属性配置,无需自定义代码。

二:配置代码


package com.tohours.bdboot.config;

import java.io.IOException;

import javax.annotation.Resource;

import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.tohours.bdboot.common.constants.miniapp.MiniAppConstants;
import com.tohours.bdboot.common.constants.sys.SysConstants;
import com.tohours.bdboot.common.constants.wechat.WxConstants;
import com.tohours.bdboot.common.interceptor.AdminInterceptor;
import com.tohours.bdboot.common.interceptor.HttpBasicAuthInterceptor;
import com.tohours.bdboot.common.interceptor.MiniAppInterceptor;
import com.tohours.bdboot.common.interceptor.SysInterceptor;
import com.tohours.bdboot.common.interceptor.WxInterceptor;

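/**
 * Web MVC configuration: hardens the cookies issued by the embedded Tomcat.
 *
 * <p>Two beans are defined here:
 * <ul>
 *   <li>{@link #sameSiteCookiesConfig()} installs an RFC 6265 cookie processor that stamps a
 *       {@code SameSite} attribute on every cookie Tomcat writes for this context.</li>
 *   <li>{@link #servletContextInitializer(boolean)} marks the container session cookie
 *       {@code Secure} (from configuration) and {@code HttpOnly}.</li>
 * </ul>
 *
 * <p>NOTE(review): as listed, this class uses {@code TomcatContextCustomizer},
 * {@code Rfc6265CookieProcessor}, {@code SameSiteCookies}, {@code ServletContextInitializer},
 * {@code ServletContext}, {@code ServletException} and {@code @Value} without importing them,
 * while several imported types (Jackson, the interceptors) are not referenced; the import list
 * must be fixed before this compiles. On Spring Boot 2.x the same hardening is available without
 * code via {@code server.servlet.session.cookie.secure}, {@code ...http-only} and (2.6+)
 * {@code ...same-site} — confirm the Boot version before keeping a hand-written version.
 *
 * @author RenJie
 * @date 2023-08-03
 */
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    /**
     * Sets {@code SameSite} on every cookie written by this Tomcat context (the cookie processor
     * is context-wide, not limited to the session cookie).
     *
     * <p>Security caveat: {@code SameSite=None} is the most permissive value. It opts the cookies
     * out of the CSRF mitigation that {@code Lax} (the modern browser default) provides, and
     * browsers discard a {@code SameSite=None} cookie that is not also {@code Secure}, so
     * {@code server.session.cookie.secure} must be {@code true} or the session cookie will not
     * be stored at all. Keep {@code NONE} only if cross-site delivery is genuinely required
     * (e.g. the app is framed by or called from another origin); otherwise
     * {@code SameSiteCookies.LAX} is the safer choice. {@code NONE} is retained here to preserve
     * the existing behaviour.
     *
     * @return customizer that installs the configured {@link Rfc6265CookieProcessor}
     */
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }

    /**
     * Configures the container session cookie ({@code JSESSIONID} unless renamed) at startup.
     *
     * <p>{@code Secure} is taken from {@code server.session.cookie.secure}; the placeholder has
     * no default, so an unset property fails startup rather than silently leaving the flag off.
     * {@code HttpOnly} is always enabled: page script has no legitimate reason to read the session
     * id, and without it the "http-only" half of this configuration was missing. Both flags must
     * be set before the context starts, which is why this runs in a
     * {@link ServletContextInitializer} rather than lazily.
     *
     * @param secure whether the session cookie carries the {@code Secure} attribute
     * @return initializer applied to the servlet context at startup
     */
    @Bean
    public ServletContextInitializer servletContextInitializer(
            @Value("${server.session.cookie.secure}") boolean secure) {
        return servletContext -> {
            servletContext.getSessionCookieConfig().setSecure(secure);
            // HttpOnly hides the session cookie from document.cookie, blunting XSS cookie theft.
            servletContext.getSessionCookieConfig().setHttpOnly(true);
        };
    }

}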
