I made a Spring Boot webapp (I'll call this A).
I am trying to display A's page in an iframe on a different site (I'll call this B),
but the session is invalidated after the redirect in B's iframe.
I use Spring Security to set SameSite=None,
like this:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Drop the X-Frame-Options header so that B may embed A's pages in an iframe
        http.headers().frameOptions().disable();
        //http.csrf().csrfTokenRepository(csrfTokenRepository());
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated();
        // Register the cookie filter right after HTTP Basic authentication
        http.addFilterAfter(new TestFilter(), BasicAuthenticationFilter.class);
    }
}
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class TestFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
        try {
            HttpServletResponse objRes = (HttpServletResponse) response;
            // Writes a Set-Cookie header with the literal value "Secure: SameSite=None".
            // setHeader replaces any Set-Cookie present at this point; cookies added
            // later in the chain (e.g. JSESSIONID) go out as separate Set-Cookie headers.
            objRes.setHeader("Set-Cookie", "Secure: SameSite=None");
            chain.doFilter(request, objRes);
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }
}
But it still does not work in B's iframe.
Actually, the browser shows multiple Set-Cookie response headers.
B's page uses a form tag to send a POST request to an iframe,
like this:
<button onclick="postFrame()">send post to iframe</button>
<!-- target="postFrame" loads the response (and the redirect that follows) inside the iframe below -->
<form id="postForm" name="postForm" target="postFrame" method="POST" action="A's url/login">
<input type="hidden" name="value0" value="foo" />
<input type="hidden" name="value1" value="bar" />
</form>
<iframe id="postFrame" name="postFrame"></iframe>
<script>
function postFrame() {
  // the form above is named "postForm"; submit it into the iframe
  var form = document.postForm;
  form.action = "A's url/login";
  form.submit();
}
</script>
A's controller part:
@Controller
public class LoginController { // class name is illustrative
    @RequestMapping("/login")
    public String okcallIframeLogin(HttpServletRequest request, RedirectAttributes model) throws Exception {
        //check password etc...
        // redirect the iframe to /main once the POST has been handled
        return "redirect:/main";
    }
}
I want the session to be maintained when redirected from B's iframe.
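Added example (not code from the question above): a small Node.js checker for the two Set-Cookie rules that decide whether a cookie is sent from a cross-site iframe. A cookie name must be an RFC 6265 token (no whitespace, no ':'), so the value "Secure: SameSite=None" written by TestFilter is not a set of attributes on JSESSIONID but a separate, malformed Set-Cookie header sitting next to the container's own one. A cookie is sent from a cross-site iframe only when it carries SameSite=None together with Secure, which also means A has to be served over HTTPS. The functions, the session id ABC123 and the header strings are constructed for this example.

```javascript
// Added example, not code from the original question.
// A cookie-name must be an RFC 6265 token: no whitespace, no ':' ';' '=' etc.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse one Set-Cookie header value into { name, value, attrs }; return null
// when the first segment is not a valid name=value pair.
function parseSetCookie(header) {
  const segments = header.split(";").map((s) => s.trim()).filter((s) => s !== "");
  if (segments.length === 0) return null;
  const eq = segments[0].indexOf("=");
  if (eq < 0) return null;
  const name = segments[0].slice(0, eq).trim();
  const value = segments[0].slice(eq + 1).trim();
  if (!TOKEN.test(name)) return null;
  const attrs = {};
  for (const seg of segments.slice(1)) {
    const i = seg.indexOf("=");
    const key = (i < 0 ? seg : seg.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : seg.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Reasons a browser would not send this cookie on requests made from a
// cross-site iframe (an empty list means it is usable there).
function crossSiteProblems(header) {
  const cookie = parseSetCookie(header);
  if (cookie === null) return ["malformed Set-Cookie: no valid name=value pair"];
  const problems = [];
  const sameSite = typeof cookie.attrs.samesite === "string"
    ? cookie.attrs.samesite.toLowerCase()
    : "absent (treated as Lax)";
  if (sameSite !== "none") {
    problems.push(`SameSite is ${sameSite}: not sent cross-site`);
  } else if (cookie.attrs.secure !== true) {
    problems.push("SameSite=None requires Secure: browsers reject the cookie");
  }
  return problems;
}

// Rewrite an existing Set-Cookie value so the cookie is usable cross-site:
// keep name=value and the other attributes, force Secure and SameSite=None.
// This is the change a response-wrapping filter on A would apply to the
// container's JSESSIONID header, instead of adding a second Set-Cookie header.
function makeCrossSite(header) {
  const cookie = parseSetCookie(header);
  if (cookie === null) throw new Error(`cannot rewrite malformed Set-Cookie: ${header}`);
  const kept = header.split(";").map((s) => s.trim()).filter((s) => s !== "")
    .slice(1)
    .filter((seg) => !/^(samesite\s*=|secure$)/i.test(seg));
  return [`${cookie.name}=${cookie.value}`, ...kept, "Secure", "SameSite=None"].join("; ");
}

// Constructed samples: the header TestFilter writes, and a servlet
// container's default session cookie (ABC123 is a made-up session id).
const FILTER_HEADER = "Secure: SameSite=None";
const CONTAINER_HEADER = "JSESSIONID=ABC123; Path=/; HttpOnly";

for (const h of [FILTER_HEADER, CONTAINER_HEADER, makeCrossSite(CONTAINER_HEADER)]) {
  console.log(JSON.stringify(h), "->", crossSiteProblems(h));
}
```

Run with node; the first two samples are reported as unusable cross-site and the rewritten one passes. In Spring Boot 2.6 and later the same attributes can be put on the session cookie with the properties server.servlet.session.cookie.same-site=none and server.servlet.session.cookie.secure=true instead of a hand-written filter.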