Joe7

Reputation: 518

How Can I Configure the SameSite Cookie Attribute in Apache Shiro?

I'm developing an EJB-based webservice using Apache Shiro for user access management. I added the freshly released version 1.5.0 of Apache Shiro to my Maven project to make use of the new sameSite cookie attribute. Then I added the configuration of the sameSite attribute to my shiro.ini file:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# configure properties (like session timeout) here if desired
sessionManager.sessionIdCookieEnabled = true
sessionManager.sessionIdCookie.path = /
sessionManager.sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie.secure = ${MY_WILDFLY_SHIRO_COOKIE_SECURE}
sessionManager.sessionIdCookie.name = mycookie
sessionManager.sessionIdCookie.domain = ${MY_WILDFLY_SHIRO_COOKIE_DOMAIN}
sessionManager.sessionIdCookie.sameSite = NONE

However, if I try to compile this (using Maven), I'm getting the following error message:

[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:2.0.1.Final:deploy (default-cli) on project api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"api.war\".undertow-deployment" => "java.lang.RuntimeException: org.apache.shiro.config.ConfigurationException: Unable to set property 'sessionIdCookie.sameSite' with value [NONE] on object of type org.apache.shiro.web.session.mgt.DefaultWebSessionManager.  If 'NONE' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $NONE
[ERROR]     Caused by: java.lang.RuntimeException: org.apache.shiro.config.ConfigurationException: Unable to set property 'sessionIdCookie.sameSite' with value [NONE] on object of type org.apache.shiro.web.session.mgt.DefaultWebSessionManager.  If 'NONE' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $NONE
[ERROR]     Caused by: org.apache.shiro.config.ConfigurationException: Unable to set property 'sessionIdCookie.sameSite' with value [NONE] on object of type org.apache.shiro.web.session.mgt.DefaultWebSessionManager.  If 'NONE' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $NONE
[ERROR]     Caused by: org.apache.commons.beanutils.ConversionException: Default conversion to org.apache.shiro.web.servlet.Cookie$SameSiteOptions failed.
[ERROR]     Caused by: org.apache.commons.beanutils.ConversionException: Can't convert value '' to type class org.apache.shiro.web.servlet.Cookie$SameSiteOptions"}}}}

What I have tried:

How can I configure the shiro.ini file so that Shiro's session cookie has the sameSite attribute set to NONE?

Upvotes: 3

Views: 2647

Answers (1)

Francois Papon

Reputation: 11

I can reproduce your error and I have a fix for it.

The Jira is here:

https://issues.apache.org/jira/browse/SHIRO-739

regards,

Upvotes: 1
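
Once the sameSite setting is accepted, the deployed application's Set-Cookie header can be checked for the attributes the question's shiro.ini intends. The sketch below is an added example, not part of the original question or answer: the cookie name mycookie comes from the question's configuration, while the function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the session cookie.
# Function names are hypothetical; sample headers below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_session_cookie(headers, cookie_name="mycookie"):
    """Return a list of findings for the named cookie; an empty list means OK."""
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        findings = []
        same_site = attrs.get("samesite")
        if same_site is None:
            findings.append("SameSite missing; browser default applies")
        elif same_site.lower() not in ("none", "lax", "strict"):
            findings.append("unknown SameSite value: " + same_site)
        elif same_site.lower() == "none" and "secure" not in attrs:
            # Current browsers reject SameSite=None cookies that lack Secure.
            findings.append("SameSite=None without Secure")
        if "httponly" not in attrs:
            findings.append("HttpOnly missing")
        return findings
    return ["cookie %s not set" % cookie_name]


# Constructed sample responses (not captured from a real deployment).
GOOD = ["other=1; Path=/", "mycookie=abc123; Path=/; Secure; HttpOnly; SameSite=None"]
NO_SECURE = ["mycookie=abc123; Path=/; HttpOnly; SameSite=none"]
NO_SAMESITE = ["mycookie=abc123; Path=/; Secure"]

if __name__ == "__main__":
    for sample in (GOOD, NO_SECURE, NO_SAMESITE):
        print(audit_session_cookie(sample))
```

The second sample matters for this configuration because the question sets secure from an environment variable: if that resolves to false while sameSite is NONE, the cookie is sent in the response but dropped by the browser.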
