Turn off HttpOnly Spring boot

java spring spring-boot httponly
Nick Humrich picture Nick Humrich · Mar 15, 2014 · Viewed 20.4k times · Source

I would like to turn off HttpOnly sessions which I believe are default for Spring Boot. How would I turn off HttpOnly on spring boot?

I currently have code such as: 

@RequestMapping(value = "/stuff", method = GET)
public @ResponseBody
myObject doStuff(HttpSession session)
{
        session.setAttribute("foo", "bar");
        return  new MyObject();
}

This returns a response header on the HTTP call:

Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly

Note the HttpOnly flag. I would like to turn that off. How do I do so?

Side note: Yes I know that httpOnly is a security feature and by turning it off allows javascript to access my cookie i.e. XSS.

Also, I do not have any configuration other than default.

@ComponentScan
@EnableAutoConfiguration
public class WebApplication {

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(WebApplication.class);
        app.run(args);
    }
}

Answer

JimB picture JimB · Jun 12, 2014

Another alternative to the accepted answer that fits into spring boot is overriding the customize method of your EmbeddedServletContainerCustomizer.

First, implement the interface:

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application implements EmbeddedServletContainerCustomizer

Then add an override for the customize method:

@Override
public void customize(final ConfigurableEmbeddedServletContainer container)
{
    ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer()
    {
        @Override
        public void customize(Context context)
        {
            context.setUseHttpOnly(false);
        }
    });
}

Incidentally, I found that the httpOnly wasn't being set at all for me .. so I had to use this method to turn httpOnly on (obviously my setting above is 'true').

You can also use this method to adjust other things in tomcat, such as turning on gzip for json and expanding the max http headersize (in the case of kerberos authentication I needed to do this):

((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer()
{
    @Override
    public void customize(final Connector connector)
    {
        AbstractHttp11Protocol httpProtocol = (AbstractHttp11Protocol) connector.getProtocolHandler();
        httpProtocol.setMaxHttpHeaderSize(65536);
        httpProtocol.setCompression("on");
        httpProtocol.setCompressionMinSize(256);
        String mimeTypes = httpProtocol.getCompressableMimeTypes();
        String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
        httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
    }
});

Related questions

How to configure port for a Spring Boot application

How do I configure the TCP/IP port listened on by a Spring Boot application, so it does not use the default port of 8080.

Read More
Spring Boot and multiple external configuration files

I have multiple property files that I want to load from classpath. There is one default set under /src/main/resources which is part of myapp.jar. My springcontext expects files to be on the classpath. i.e. <util:…

Read More
Spring Boot: Unable to start EmbeddedWebApplicationContext due to missing EmbeddedServletContainerFactory bean

I am totally new to Spring and started to do the official guides from this site: https://spring.io/guides I'd like to do this guide: https://spring.io/guides/gs/scheduling-tasks/ I get the following Exception: 2014-02-14 16:25:21.614 INFO 9032 …

Read More