shiro - 如何在 Apache Shiro 中配置 SameSite Cookie 属性？

Question

我正在使用 Apache Shiro 开发基于 EJB 的网络服务来管理用户访问权限。我添加了 freshly released我的 Maven 项目的 Apache Shiro 1.5.0 版使用新的 sameSite cookie 属性。然后我将 sameSite 属性的配置添加到我的 shiro.ini 文件中:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# configure properties (like session timeout) here if desired
sessionManager.sessionIdCookieEnabled = true
sessionManager.sessionIdCookie.path = /
sessionManager.sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie.secure = ${MY_WILDFLY_SHIRO_COOKIE_SECURE}
sessionManager.sessionIdCookie.name = mycookie
sessionManager.sessionIdCookie.domain = ${MY_WILDFLY_SHIRO_COOKIE_DOMAIN}
sessionManager.sessionIdCookie.sameSite = NONE

但是，如果我尝试编译它(使用 Maven)，我会收到以下错误消息:

[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:2.0.1.Final:deploy (default-cli) on project api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"api.war\".undertow-deployment" => "java.lang.RuntimeException: org.apache.shiro.config.ConfigurationException: Unable to set property 'sessionIdCookie.sameSite' with value [NONE] on object of type org.apache.shiro.web.session.mgt.DefaultWebSessionManager.  If 'NONE' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $NONE
[ERROR]     Caused by: java.lang.RuntimeException: org.apache.shiro.config.ConfigurationException: Unable to set property 'sessionIdCookie.sameSite' with value [NONE] on object of type org.apache.shiro.web.session.mgt.DefaultWebSessionManager.  If 'NONE' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $NONE
[ERROR]     Caused by: org.apache.shiro.config.ConfigurationException: Unable to set property 'sessionIdCookie.sameSite' with value [NONE] on object of type org.apache.shiro.web.session.mgt.DefaultWebSessionManager.  If 'NONE' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $NONE
[ERROR]     Caused by: org.apache.commons.beanutils.ConversionException: Default conversion to org.apache.shiro.web.servlet.Cookie$SameSiteOptions failed.
[ERROR]     Caused by: org.apache.commons.beanutils.ConversionException: Can't convert value '' to type class org.apache.shiro.web.servlet.Cookie$SameSiteOptions"}}}}

我尝试过的:

• 手动导入 latest version POM 文件中的 Apache BeanUtils
• 在单引号和双引号中写NONE
• 使用完全限定名称org.apache.shiro.web.servlet.Cookie.SameSiteOptions.NONE 而不是只是 NONE

如何配置 shiro.ini 文件，使 Shiro 的 session cookie 的 sameSite 属性设置为 NONE？

Answer 1

我可以重现您的错误并且我有一个修复程序。

Jira 在这里:

https://issues.apache.org/jira/browse/SHIRO-739

问候，