From 56ea0149d0ed4ac7f86832d53d32f4af0ed3e407 Mon Sep 17 00:00:00 2001
From: "Patel, Saurabh"
Date: Thu, 3 Oct 2024 11:01:19 -0400
Subject: [PATCH 1/3] makes session cookie secure, httponly and set same site attribute
---
 .../legend/server/shared/staticserver/Server.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java b/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
index f98024cb..a086aaab 100644
--- a/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
+++ b/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
@@ -20,8 +20,11 @@ import io.dropwizard.configuration.SubstitutingSourceProvider;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
+import org.eclipse.jetty.http.HttpCookie;
+import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.session.SessionHandler;
+import javax.servlet.SessionCookieConfig;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -113,5 +116,14 @@ public void run(org.finos.legend.server.shared.staticserver.StaticServerConfigur
 sessionHandler.setSessionCookie(staticServerConfiguration.getSessionCookie());
 }
 environment.servlets().setSessionHandler(sessionHandler);
+ makeSessionCookieSecure(environment.getApplicationContext().getServletContext());
+ }
+
+ private void makeSessionCookieSecure( ContextHandler.Context servletContext)
+ {
+ SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
+ sessionCookieConfig.setSecure(true);
+ sessionCookieConfig.setHttpOnly(true);
+ servletContext.setAttribute(HttpCookie.SAME_SITE_DEFAULT_ATTRIBUTE, "STRICT");
 }
 }
From c6c2a89c8d80a4a4febf8d6630fffe4b2fe1cd33 Mon Sep 17 00:00:00 2001
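Review bot: `servletContext.setAttribute(HttpCookie.SAME_SITE_DEFAULT_ATTRIBUTE, "STRICT")` makes Strict the default for cookies Jetty issues in this context, and a Strict cookie is not sent on cross-site top-level navigations, so if this server's login is completed by a redirect back from an external identity provider the session cookie will be absent on that callback request and the pre-login state will be lost. Lax is the usual choice for a session cookie in a redirect-based login, so the value should be chosen deliberately and recorded on the new method, e.g. a Javadoc of the form `/** Marks the session cookie Secure and HttpOnly and sets the context-wide SameSite default; Strict blocks cross-site callback navigations, use Lax if login redirects from another origin. */`. `sessionCookieConfig.setSecure(true)` is also hard-coded, so a browser will never return the cookie to a plain-HTTP deployment such as local development; deriving the flag from the same configuration object that already supplies `getSessionCookie()` would keep that choice explicit rather than implicit. The enclosing run() method starts outside the hunk.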
From: Saurabh Patel
Date: Wed, 9 Oct 2024 19:45:41 +0530
Subject: [PATCH 2/3] adds null check for session cookie config
---
 .../finos/legend/server/shared/staticserver/Server.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java b/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
index a086aaab..85a58cbd 100644
--- a/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
+++ b/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
@@ -122,8 +122,11 @@ public void run(org.finos.legend.server.shared.staticserver.StaticServerConfigur
 private void makeSessionCookieSecure( ContextHandler.Context servletContext)
 {
 SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
- sessionCookieConfig.setSecure(true);
- sessionCookieConfig.setHttpOnly(true);
+ if(sessionCookieConfig != null)
+ {
+ sessionCookieConfig.setSecure(true);
+ sessionCookieConfig.setHttpOnly(true);
+ }
 servletContext.setAttribute(HttpCookie.SAME_SITE_DEFAULT_ATTRIBUTE, "STRICT");
 }
 }
From 9c6b46be2eaf93ef8ff6d25e01101fe5150e1d7c Mon Sep 17 00:00:00 2001
From: Saurabh Patel
Date: Wed, 16 Oct 2024 19:42:12 +0530
Subject: [PATCH 3/3] check style fix
---
 .../org/finos/legend/server/shared/staticserver/Server.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java b/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
index 85a58cbd..8d772576 100644
--- a/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
+++ b/legend-shared-server/src/main/java/org/finos/legend/server/shared/staticserver/Server.java
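Review bot: The new `if(sessionCookieConfig != null)` guard silently drops the Secure and HttpOnly hardening while the SameSite attribute on the following line is still set, so a context that yields no cookie config would run with a less-protected session cookie and nothing would report it. The caller installs the session handler on the same context immediately before invoking this method (visible in the first patch of this series), so a null config here points to a wiring error rather than an expected state; fail fast instead: `if (sessionCookieConfig == null) { throw new IllegalStateException("Session cookie config unavailable: session handler must be installed before hardening the cookie"); }`, or, if best-effort behaviour is intended, at least log a warning and state that intent in a comment above the guard. The method is fully inside the hunk.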
@@ -119,10 +119,10 @@ public void run(org.finos.legend.server.shared.staticserver.StaticServerConfigur
 makeSessionCookieSecure(environment.getApplicationContext().getServletContext());
 }
- private void makeSessionCookieSecure( ContextHandler.Context servletContext)
+ private void makeSessionCookieSecure(ContextHandler.Context servletContext)
 {
 SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
- if(sessionCookieConfig != null)
+ if (sessionCookieConfig != null)
 {
 sessionCookieConfig.setSecure(true);
 sessionCookieConfig.setHttpOnly(true);