15

I use Spring Boot 1.4.4.RELEASE in my application, and my application has been deployed in AWS.

I am trying to have a subdomain for each user, like this:

when user "test" logs in, the URL will be test.XXX.com

Here XXX.com is my domain name.

For XXX.com, it works fine.

I recently bought one more domain for testing like XXX-test.com.

But when a user logs in, I am getting the exception below.

java.lang.IllegalArgumentException: An invalid domain [.XXX-test.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183)
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125)
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:989)
    at org.apache.catalina.connector.Response.addSessionCookieInternal(Response.java:959)
    at org.apache.catalina.connector.Request.doGetSession(Request.java:3009)
    at org.apache.catalina.connector.Request.getSession(Request.java:2367)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:896)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231)
    at org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.createNewSessionIfAllowed(HttpSessionSecurityContextRepository.java:427)
    at org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext(HttpSessionSecurityContextRepository.java:364)
    at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.onResponseCommitted(SaveContextOnUpdateOrErrorResponseWrapper.java:85)
    at org.springframework.security.web.util.OnCommittedResponseWrapper.doOnResponseCommitted(OnCommittedResponseWrapper.java:245)
    at org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:127)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
    at org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:128)
    at org.springframework.security.web.DefaultRedirectStrategy.sendRedirect(DefaultRedirectStrategy.java:57)

My Spring application.properties,

server.session.cookie.domain=.XXX-test.com
server.session.cookie.path=/

It works fine for other prod env with the below config.

server.session.cookie.domain=.XXX.com
server.session.cookie.path=/

Again, the prod config was deployed and tested a few months ago with Spring Boot version 1.3.5.

Has anything changed, or is anything missing here? Or is XXX-test.com the issue?

Thanks,

user1578872

1 Answer

20

According to RFC 6265 (https://www.rfc-editor.org/rfc/rfc6265), starting with a . (dot) character may cause problems.

You could try to fall back to the LegacyCookieProcessor; see "How to change Cookie Processor to LegacyCookieProcessor in tomcat 8" for more info.

If you still have problems please inform us about your TC version.

Community
    Thanks. It works. Is there any other option without the legacy cookie processor? – user1578872 Mar 10 '17 at 20:50
  • Just as an FYI, I had this problem when I had WireMock + Spring Boot 1.5.x and it was using the Jetty container. However, I performed an upgrade to Spring Boot 2.1.x + WireMock, and Tomcat became the default container and this error started showing up. For me, I needed Jetty, so to get the same behaviour as before the upgrade I had to add the [wiremock-jre8](https://search.maven.org/artifact/com.github.tomakehurst/wiremock-jre8) dependency and exclude the embedded Tomcat that comes with Spring Boot for my **integration-test module** (I re-iterate). Hope this helps someone in the future. – Arty Apr 07 '20 at 17:23
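
Added example (not part of the original posts and not Tomcat's code): a stand-alone Java check, using an assumed set of hostname-label rules, that shows why a cookie domain with a leading dot is rejected and that the same value without the dot passes. `CookieDomainCheck`, `rejectReason` and `stripLeadingDot` are hypothetical names; under RFC 6265 a user agent ignores a leading dot in the Domain attribute, so the cookie still applies to the subdomains.

```java
import java.util.Arrays;

public class CookieDomainCheck {

    // Assumed rule set (hostname-label rules, not copied from Tomcat):
    // only letters, digits, '-' and '.', and every label starts and ends
    // with a letter or digit. Returns null if valid, otherwise the reason.
    static String rejectReason(String domain) {
        if (domain.isEmpty()) {
            return "empty value";
        }
        int prev = -1; // -1 marks the start of the value
        for (char cur : domain.toCharArray()) {
            boolean alnum = (cur >= 'a' && cur <= 'z')
                    || (cur >= 'A' && cur <= 'Z')
                    || (cur >= '0' && cur <= '9');
            if (!alnum && cur != '.' && cur != '-') {
                return "illegal character '" + cur + "'";
            }
            if ((prev == -1 || prev == '.') && !alnum) {
                return "label starts with '" + cur + "'";
            }
            if (prev == '-' && cur == '.') {
                return "label ends with '-'";
            }
            prev = cur;
        }
        return (prev == '.' || prev == '-') ? "value ends with '" + (char) prev + "'" : null;
    }

    // RFC 6265 section 5.2.3: a user agent ignores one leading dot in the
    // Domain attribute, so removing it does not change the cookie's scope.
    static String stripLeadingDot(String domain) {
        return domain.startsWith(".") ? domain.substring(1) : domain;
    }

    public static void main(String[] args) {
        // Constructed sample values; XXX-test.com is the page's placeholder.
        for (String value : Arrays.asList(".XXX-test.com", "XXX-test.com", "-bad.example", "a_b.example")) {
            String reason = rejectReason(value);
            System.out.printf("%-14s %s%n", value, reason == null ? "accepted" : "rejected: " + reason);
            String fixed = stripLeadingDot(value);
            if (reason != null && rejectReason(fixed) == null) {
                System.out.println("  use: server.session.cookie.domain=" + fixed);
            }
        }
    }
}
```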