Spring Boot version: 2.3.0.RELEASE

Using a Spring Boot application as the src of an iframe with Spring Security on the classpath, the WebFlux and servlet apps behave differently.

Security config for reactive webapp:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                // drop X-Frame-Options so the app can be embedded in an iframe
                .headers().frameOptions().disable()
                .and()
                .authorizeExchange()
                .anyExchange().authenticated()
                .and()
                .formLogin()
                .and()
                .build();
    }
}

Security config for servlet webapp:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // drop X-Frame-Options so the app can be embedded in an iframe
        http.headers().frameOptions().disable()
                .and()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }
}

Using the Tomcat server and the security config given above, the user gets logged in and the response is successfully sent back with 200 OK. A similar config in WebFlux with the Netty server responds with 403 Forbidden and the response:

CSRF Token has been associated to this client.

Perhaps it is related to the Set-Cookie with SameSite=Lax in WebFlux.

Use an iframe within any external domain with src set to the Spring Boot app. Try deleting cookies if you are unable to reproduce the issue.

<iframe src="http://localhost:8080/">
</iframe>

Sample app - spring-iframe.zip

Use case: many Customer Relationship Management service integrations require the app to open in their iframe; in this particular case the app is used in a Salesforce integration.

Question: Is there any way around this to log in from an external iframe using Spring WebFlux as a dependency?

  • Are there any errors/warnings in the browser console? Chrome and Firefox would probably note anything they're blocking and why. – OrangeDog Jul 15 '20 at 09:20
  • @OrangeDog Yeah, in the case of WebFlux the response cookie on the login page has SameSite=Lax set by default. Chrome shows this warning in the network panel, and after login a 403 is thrown: "This Set-Cookie was blocked because it had the "Samesite=Lax" attribute but came from a cross-site response which was not the response to a top-level navigation" – anupam contaque Jul 15 '20 at 09:34
  • There's your answer then. You can write it up and accept it below. – OrangeDog Jul 15 '20 at 10:10
  • @OrangeDog but that doesn't solve the problem of logging in; I need a workaround to disable the SameSite attribute on the Spring Security session cookie. – anupam contaque Jul 15 '20 at 10:48
  • https://stackoverflow.com/a/61219592/476716 – OrangeDog Jul 15 '20 at 11:24

1 Answer

The CookieWebSessionIdResolver bean can be customized to use different options for the session cookie. sameSite(attribute) can be used to set the SameSite value to "None", "Lax" or "Strict".

@Bean
public WebSessionIdResolver webSessionIdResolver() {
    CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
    resolver.setCookieName("SESSION");
    resolver.addCookieInitializer((builder) -> {
        builder.path("/")
                .httpOnly(true)
                .secure(true)
                .sameSite("None");
    });
    return resolver;
}

Session configuration:

import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSession;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.ReactiveSessionRepository;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;
import org.springframework.web.server.session.CookieWebSessionIdResolver;
import org.springframework.web.server.session.WebSessionIdResolver;

@Configuration
@EnableSpringWebSession
public class SessionConfig {

    @Bean
    public ReactiveSessionRepository<MapSession> sessionRepository() {
        // in-memory session store; Spring Session requires one repository bean
        return new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
    }

    @Bean
    public WebSessionIdResolver webSessionIdResolver() {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        resolver.setCookieName("SESSION");
        // SameSite=None must be paired with Secure, or browsers reject the cookie
        resolver.addCookieInitializer((builder) -> {
            builder.path("/")
                    .httpOnly(true)
                    .secure(true)
                    .sameSite("None");
        });
        return resolver;
    }
}

Spring session-core dependency:

<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-core</artifactId>
    <version>2.3.0.RELEASE</version>
</dependency>

Spring Session - WebFlux with Custom Cookie

– global_warming
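The question's 403 and the answer's fix fit together: the WebFlux login response sets the session cookie with SameSite=Lax, the browser drops it for a cross-site iframe, and the next request arrives without the session that holds the CSRF token, hence "CSRF Token has been associated to this client". The configuration below, added here as an example and not code from the question, the answer or the Spring project, combines the answer's SameSite=None session cookie with the security chain from the question, but replaces the blanket frameOptions().disable() with a Content-Security-Policy frame-ancestors directive so that only the expected embedding origin may frame the app. It assumes Spring Boot 2.3 with Spring Security 5.3 and Spring Session 2.3, that the app is served over HTTPS (SameSite=None is only honoured together with Secure, so http://localhost:8080 will not work for this), and that "https://example.my.salesforce.com" is a placeholder for the real embedding origin.

```java
// Added example (not from the question or the answer): WebFlux security and session
// configuration for an app that is embedded in a third-party iframe.
// Assumptions: Spring Boot 2.3 / Spring Security 5.3 / Spring Session 2.3, served over HTTPS;
// ALLOWED_FRAME_ANCESTOR is a placeholder for the real embedding origin.
package com.example.iframe;

import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.session.MapSession;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.ReactiveSessionRepository;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;
import org.springframework.web.server.session.CookieWebSessionIdResolver;
import org.springframework.web.server.session.WebSessionIdResolver;

@Configuration
@EnableWebFluxSecurity
@EnableSpringWebSession
public class EmbeddedAppConfig {

    /** Placeholder: the only origin allowed to put this application in an iframe. */
    private static final String ALLOWED_FRAME_ANCESTOR = "https://example.my.salesforce.com";

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .headers()
                    // X-Frame-Options cannot allow-list a foreign origin, so it is removed...
                    .frameOptions().disable()
                    // ...and replaced by CSP frame-ancestors, which names the permitted embedder
                    // instead of letting any site frame the login page.
                    .contentSecurityPolicy("frame-ancestors 'self' " + ALLOWED_FRAME_ANCESTOR)
                    .and()
                .and()
                .authorizeExchange()
                    .anyExchange().authenticated()
                .and()
                .formLogin()
                .and()
                .build();
    }

    @Bean
    public ReactiveSessionRepository<MapSession> sessionRepository() {
        // In-memory store for the example; a shared store is needed for more than one instance.
        return new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
    }

    @Bean
    public WebSessionIdResolver webSessionIdResolver() {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        resolver.setCookieName("SESSION");
        resolver.addCookieInitializer(builder -> builder
                .path("/")
                .httpOnly(true)
                // Browsers only accept SameSite=None when the cookie is also Secure,
                // so the application must be reached over HTTPS.
                .secure(true)
                // Allows the cookie to be sent from inside a cross-site iframe.
                .sameSite("None"));
        return resolver;
    }
}
```

Keeping CSRF protection enabled is deliberate: with SameSite=None the session cookie will accompany any cross-site request, so the CSRF token (still kept in the WebSession, as in the question's setup) is what stops other origins from acting with that session. The frame-ancestors directive is the remaining control over who may embed the login form, which matters once X-Frame-Options is gone.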