Configure the Domain attribute of the cookie header within Spring or Spring Security


How to configure the Domain attribute of the cookie within the Spring Security Java config? I need to restrict access of a cookie to only one particular subdomain, something like

Domain=.test.example.com;

Now I know that there is an XML config looking like the sample below, however I do not have any web.xml in my application anymore and I want to have all my configuration made through Java.

<session-config>
    <session-timeout>400</session-timeout>
    <cookie-config>
        <name>KSESSION</name>
        <path>/</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

In my SecurityConfig class which extends WebSecurityConfigurerAdapter I was searching for some session-config object or parameter but I cannot find one, i.e. I have only the sessionManagement object.

    .sessionManagement()
        .enableSessionUrlRewriting(false)

        .sessionAuthenticationStrategy(sessionControlStrategy())
        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .sessionFixation().newSession()

        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .expiredUrl("/login?expired")

Maybe that is done through the TomcatContextCustomizer bean, i.e. I found there the setUseHttpOnly and path parameters but no setter for the domain attribute.

@Bean
public TomcatContextCustomizer tomcatContextCustomizer() {
    System.out.println("TOMCATCONTEXTCUSTOMIZER INITIALIZED");
    return new TomcatContextCustomizer() {
        @Override
        public void customize(Context context) {
            // register the WebSocket container initializer
            context.addServletContainerInitializer(new WsSci(), null);
            // HttpOnly flag on the session cookie
            context.setUseHttpOnly(true);
            // context path of the web application
            context.setPath("/testBlaBlaPage");
        }
    };
}

So basically my target is to have an HTTP header like that

Set-Cookie: JSESSIONCookie: JSESSIONID=DEAC4422AB4E28A7062C08724C8BCFAA; Path=/login; Secure; Domain=.test.example.com; HttpOnly.

Currently it looks like

Set-Cookie: JSESSIONCookie: JSESSIONID=DEAC4422AB4E28A7062C08724C8BCFAA; Path=/; Secure; HttpOnly

There is 1 answer below

OK, I found the answer to my question, i.e. it is the method setSessionCookieDomain() on the Tomcat context, i.e. something like

context.setSessionCookieDomain(".test.example.com");
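The following is an added configuration example, not code from the question or the answer above. It shows the Tomcat setter the answer names inside a complete TomcatContextCustomizer bean, and next to it the container-independent Servlet 3.0 SessionCookieConfig route (registered through Spring Boot's ServletContextInitializer), which also exposes the Secure flag that the Tomcat Context has no setter for. In a real application you would keep one of the two beans, not both; the class name, bean names, domain and path values are constructed for the example. The imports assume Spring Boot 1.x package names (the 2.x locations are noted in comments). One caveat worth knowing when choosing the value: under RFC 6265 a cookie with no Domain attribute is host-only, while Domain=test.example.com (the leading dot is ignored) makes the browser send it to that host and all of its subdomains, so setting Domain widens rather than narrows where the session cookie travels.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;

import org.apache.catalina.Context;
// Spring Boot 1.x locations; in Spring Boot 2.x these live in
// org.springframework.boot.web.servlet and org.springframework.boot.web.embedded.tomcat
import org.springframework.boot.context.embedded.ServletContextInitializer;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/** Example configuration class (constructed name, not from the original post). */
@Configuration
public class SessionCookieConfiguration {

    // Constructed values for the example; replace with the real host and path.
    private static final String COOKIE_DOMAIN = "test.example.com";
    private static final String COOKIE_PATH = "/";

    /**
     * Tomcat-specific route: the setter named in the accepted answer.
     * Note that Domain=test.example.com delivers the cookie to that host and
     * every subdomain of it; leaving the domain unset keeps the cookie host-only.
     */
    @Bean
    public TomcatContextCustomizer sessionCookieCustomizer() {
        return new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                context.setSessionCookieDomain(COOKIE_DOMAIN);
                context.setSessionCookiePath(COOKIE_PATH);
                context.setUseHttpOnly(true);
            }
        };
    }

    /**
     * Container-independent route: the Servlet 3.0 SessionCookieConfig, which
     * is what the <cookie-config> block of web.xml maps to. Unlike the Tomcat
     * Context it also exposes the Secure flag.
     */
    @Bean
    public ServletContextInitializer sessionCookieInitializer() {
        return new ServletContextInitializer() {
            @Override
            public void onStartup(ServletContext servletContext) throws ServletException {
                SessionCookieConfig cfg = servletContext.getSessionCookieConfig();
                cfg.setDomain(COOKIE_DOMAIN);
                cfg.setPath(COOKIE_PATH);
                cfg.setHttpOnly(true);  // not readable from JavaScript
                cfg.setSecure(true);    // only ever sent over TLS
            }
        };
    }
}
```

After startup, check the response of the first request that creates a session: the Set-Cookie header should now carry Path=/, Domain=test.example.com, Secure and HttpOnly. If the Domain value is missing, confirm the bean is picked up by the same Spring Boot context that creates the embedded Tomcat, since customizers registered elsewhere are not applied.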