I have a web project with Spring Security and I have tried to save a cookie in the method that processes the authentication success. However, when I look at the browser's cookies, only the JSESSIONID one appears, and the same happens when I look at request.getCookies() in the servlet that Spring redirects to.
I have tried to save the cookie in one of the application's servlets and the cookie is saved correctly, so maybe Spring Security cleans the response. Do you have any idea?
One workaround would be to save it in the Session, and then get it and save the cookie in the servlet to which the login redirects. Another one would be saving the cookie with JavaScript like this. But I don't like these solutions. Thanks in advance.
Here is the relevant code:
import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class RoleBasedAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler implements
        AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        ...
        // save a cookie with the selected language
        Map<String, String[]> parameterMap = request.getParameterMap();
        if (parameterMap.containsKey("language")) {
            saveCookie("language", parameterMap.get("language")[0], response);
        }
    }

    public static void saveCookie(String cookieName, String value, HttpServletResponse response) {
        Cookie cookie = new Cookie(cookieName, value);
        // maxAge is one month: 30*24*60*60
        cookie.setMaxAge(2592000);
        // the browser only keeps the cookie if this domain matches the host it is talking to
        cookie.setDomain("projectName");
        cookie.setPath("/");
        response.addCookie(cookie);
    }
}
<security:http auto-config="false" ...>
    <security:form-login login-page="/login.do" authentication-success-handler-ref="redirectRoleStrategy" .../>
    ...
</security:http>

<bean id="redirectRoleStrategy" class="com.companyName.security.RoleBasedAuthenticationSuccessHandler">
    <beans:property name="roleUrlMap">
        <beans:map>
            <beans:entry key="ROLE_ADMIN" value="/privat/application.do"/>
            ...
        </beans:map>
    </beans:property>
</bean>
In a Spring Boot application, a cookie can be set by using the Cookie class and adding it to the server response through the HttpServletResponse class; similarly, a cookie can be retrieved by using the @CookieValue annotation.
You can secure a session cookie by setting an expiration, only allowing encrypted network transmission, blocking third parties with the HttpOnly flag, and configuring where it is stored.
Spring Boot provides an easy way to read, write and remove HTTP cookies. The @CookieValue annotation maps the value of the cookie to the method parameter. You should set a default value to avoid runtime exceptions when the cookie is not available. The HttpServletResponse class can be used to set a new cookie in the browser.
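The following is an added example (not code from the original page or the project it discusses) of the two halves described above: reading a cookie with @CookieValue and a default, and writing it back with the hardening flags (expiry, Secure, HttpOnly, SameSite). The controller name LanguageCookieController, the /language endpoints and the SUPPORTED allow-list are assumptions; it assumes Spring Boot 2.x with spring-boot-starter-web.

```java
// Added example, not from the question or the answers: reading a cookie with
// @CookieValue and re-issuing it with hardening flags via ResponseCookie.
import java.time.Duration;
import java.util.Set;

import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LanguageCookieController {

    // Allow-list (assumed values): a tampered cookie falls back to the default
    // instead of injecting arbitrary text into later responses.
    private static final Set<String> SUPPORTED = Set.of("en", "de", "es");
    private static final String DEFAULT_LANGUAGE = "en";

    // defaultValue keeps Spring from throwing when the cookie is missing,
    // so first-time visitors do not get a 400 from the binding layer.
    @GetMapping("/language")
    public String currentLanguage(
            @CookieValue(name = "language", defaultValue = DEFAULT_LANGUAGE) String language) {
        return SUPPORTED.contains(language) ? language : DEFAULT_LANGUAGE;
    }

    @PostMapping("/language")
    public String changeLanguage(@RequestParam("language") String language,
                                 HttpServletResponse response) {
        String chosen = SUPPORTED.contains(language) ? language : DEFAULT_LANGUAGE;
        ResponseCookie cookie = ResponseCookie.from("language", chosen)
                .maxAge(Duration.ofDays(30)) // same one-month lifetime as the question's handler
                .path("/")                   // no domain(): browser defaults to the request host
                .httpOnly(true)              // not readable from page scripts
                .secure(true)                // only sent over HTTPS
                .sameSite("Lax")             // not attached to cross-site POSTs
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
        return chosen;
    }
}
```

ResponseCookie is used instead of javax.servlet.http.Cookie because the servlet Cookie API has no setter for SameSite; the built string is emitted as a plain Set-Cookie header. Omitting the domain is deliberate: a domain attribute that does not match the host the browser is using causes the browser to discard the cookie.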
Are you setting the cookie before or after calling super in RoleBasedAuthenticationSuccessHandler?
super.onAuthenticationSuccess(request, response, authentication);
You must set the cookie before your call to the super, as the logic in the superclass will send a redirect and therefore prevent you from updating content of the HttpServletResponse.
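As an added example (not the asker's or the answerer's code), here is a success handler that applies that ordering: it adds the cookie while the response is still uncommitted, then delegates to SavedRequestAwareAuthenticationSuccessHandler, which sends the redirect. The class name LanguageCookieSuccessHandler, the SUPPORTED allow-list and the isCommitted guard are assumptions; it assumes Spring Security 5 on javax.servlet.

```java
// Added example, not from the original page: cookie first, redirect second.
import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class LanguageCookieSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Assumed allow-list of languages; unknown values are ignored rather than stored.
    private static final Set<String> SUPPORTED = Set.of("en", "de", "es");
    private static final int ONE_MONTH_SECONDS = 30 * 24 * 60 * 60;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        // Defensive check: once the response is committed (status line and headers
        // already sent), addCookie is silently ignored. This is the symptom in the question.
        if (response.isCommitted()) {
            throw new IllegalStateException("response already committed; cookie cannot be set");
        }

        // 1. Add headers (cookies included) while the response is still open.
        String requested = request.getParameter("language");
        if (requested != null && SUPPORTED.contains(requested)) {
            response.addCookie(buildLanguageCookie(requested));
        }

        // 2. Only now let the superclass resolve the target URL and send the redirect,
        //    which commits the response.
        super.onAuthenticationSuccess(request, response, authentication);
    }

    static Cookie buildLanguageCookie(String language) {
        Cookie cookie = new Cookie("language", language);
        cookie.setMaxAge(ONE_MONTH_SECONDS);
        cookie.setPath("/");
        cookie.setHttpOnly(true); // keep it away from page scripts
        cookie.setSecure(true);   // HTTPS only
        // No setDomain(): a domain that does not match the host the browser is
        // talking to makes the browser drop the cookie, another way to end up
        // with only JSESSIONID in the cookie jar.
        return cookie;
    }
}
```

Wire it in exactly as the question's XML does (authentication-success-handler-ref pointing at a bean of this class); only the order of the two statements in onAuthenticationSuccess changes the outcome.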