From 0a6b1a51bfc8ea57e4a999328b78872791c9ec77 Mon Sep 17 00:00:00 2001
From: Enrico Vianello
Date: Wed, 27 Nov 2024 15:23:45 +0100
Subject: [PATCH] Prevent the issue of broken SAML login flow

---
 compose/custom-nginx/iam.conf | 2 ++
 .../src/main/java/it/infn/mw/iam/config/IamConfig.java | 10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/compose/custom-nginx/iam.conf b/compose/custom-nginx/iam.conf
index 86509e0a5..f8dade3c1 100644
--- a/compose/custom-nginx/iam.conf
+++ b/compose/custom-nginx/iam.conf
@@ -38,6 +38,8 @@ server {
 proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
 proxy_set_header X-SSL-Protocol $ssl_protocol;
 proxy_set_header X-SSL-Server-Name $ssl_server_name;
+
+ proxy_cookie_flags ~ secure samesite=none;
 }
 location /iam-test-client {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java
index 7aafae459..724b90615 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java
@@ -49,6 +49,7 @@
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
+import org.springframework.session.web.http.DefaultCookieSerializer;
 import com.google.common.collect.Maps;
@@ -309,8 +310,15 @@ UsernameValidator usernameRegExpValidator() {
 }
 @Bean(destroyMethod = "shutdown")
- public ScheduledExecutorService taskScheduler() {
+ ScheduledExecutorService taskScheduler() {
 return Executors.newSingleThreadScheduledExecutor();
 }
+ @Bean
+ DefaultCookieSerializer defaultCookieSerializer() {
+ DefaultCookieSerializer cs = new DefaultCookieSerializer();
+ cs.setSameSite(null);
+ return cs;
+ }
+
 }
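Review bot: The `~` in the added `proxy_cookie_flags ~ secure samesite=none;` matches every Set-Cookie the upstream emits, so SameSite=None is applied to all cookies IAM issues, not only the session cookie the SAML HTTP-POST binding needs, and SameSite stops acting as a CSRF defense-in-depth for every other cookie as well. Scoping it to the session cookie, e.g. `proxy_cookie_flags SESSION secure samesite=none;` (using whatever cookie name the application actually sets — verify), limits the exposure while leaving the application-side CSRF protection as the primary control. The `secure` flag is mandatory here since browsers reject SameSite=None cookies without it, and `proxy_cookie_flags` needs nginx 1.19.3 or later, which the compose image presumably provides — worth confirming. A why-comment on the line would help the next maintainer: `# SAML HTTP-POST binding is a cross-site POST: the session cookie must be SameSite=None (and Secure) or the browser will not send it to the ACS.` The enclosing `server {` block begins before and continues after this hunk.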
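Review bot: `cs.setSameSite(null)` in the new `defaultCookieSerializer()` bean removes the SameSite attribute rather than setting it, so without the companion nginx rewrite the browser falls back to its own default (Lax in Chromium), which is the very behavior that breaks the cross-site SAML POST; the bean should state that dependency, e.g. `// Emit no SameSite attribute: the reverse proxy (compose/custom-nginx/iam.conf) rewrites the session cookie to SameSite=None; Secure, which the SAML HTTP-POST binding requires. Without that proxy rule the browser default applies.` Defining a `DefaultCookieSerializer` bean here presumably replaces the one Spring Boot auto-configures, in which case the `server.servlet.session.cookie.*` properties (name, path, domain, http-only, secure) would no longer be bound to it — please confirm; if so, a `DefaultCookieSerializerCustomizer` bean that only calls `setSameSite(null)` keeps the property binding intact. If the intent is for the application itself to always emit the attribute, `cs.setSameSite("None"); cs.setUseSecureCookie(true);` is the explicit form, with the caveat that SameSite=None on the session cookie leaves the CSRF token filter as the only cross-site protection. The enclosing `IamConfig` class opens outside the hunk; the hunk ends at its closing brace.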