Generate warning of invalid configuration of cookies

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -89,6 +89,9 @@ public class ContainerProxyApplication {
 	private static final String PROP_SERVER_SECURE_COOKIES = "server.secure-cookies";
 	private static final Boolean SECURE_COOKIES_DEFAULT_VALUE = false;
 
+	public static Boolean secureCookiesEnabled;
+	public static String sameSiteCookiePolicy;
+
 	public static void main(String[] args) {
 		SpringApplication app = new SpringApplication(ContainerProxyApplication.class);
 
@@ -115,10 +118,16 @@ public void init() {
 			log.warn("WARNING: Using server.use-forward-headers will not work in this ShinyProxy release, you need to change your configuration to use another property. See https://shinyproxy.io/documentation/security/#forward-headers on how to change your configuration.");
 		}
 
-		String sameSiteCookie = environment.getProperty(PROP_PROXY_SAME_SITE_COOKIE, SAME_SITE_COOKIE_DEFAULT_VALUE);
-		log.debug("Setting sameSiteCookie policy to {}" , sameSiteCookie);
-		defaultCookieSerializer.setSameSite(sameSiteCookie);
-		defaultCookieSerializer.setUseSecureCookie(environment.getProperty(PROP_SERVER_SECURE_COOKIES, Boolean.class, SECURE_COOKIES_DEFAULT_VALUE));
+		sameSiteCookiePolicy = environment.getProperty(PROP_PROXY_SAME_SITE_COOKIE, SAME_SITE_COOKIE_DEFAULT_VALUE);
+		secureCookiesEnabled = environment.getProperty(PROP_SERVER_SECURE_COOKIES, Boolean.class, SECURE_COOKIES_DEFAULT_VALUE);
+
+		log.debug("Setting sameSiteCookie policy to {}" , sameSiteCookiePolicy);
+		defaultCookieSerializer.setSameSite(sameSiteCookiePolicy);
+		defaultCookieSerializer.setUseSecureCookie(secureCookiesEnabled);
+
+		if (sameSiteCookiePolicy.equalsIgnoreCase("none") && !secureCookiesEnabled) {
+			log.warn("WARNING: Invalid configuration detected: same-site-cookie policy is set to None, but secure-cookies are not enabled. Secure cookies must be enabled when using None as same-site-cookie policy ");
+		}
 	}
 
 	@Autowired(required = false)
@@ -134,13 +143,12 @@ public UndertowServletWebServerFactory servletContainer() {
 			}
 			info.addInnerHandlerChainWrapper(defaultHandler -> mappingManager.createHttpHandler(defaultHandler));
 
-			String sameSiteCookie = environment.getProperty(PROP_PROXY_SAME_SITE_COOKIE, SAME_SITE_COOKIE_DEFAULT_VALUE);
-		 	log.debug("Setting sameSiteCookie policy for session cookies to {}" , sameSiteCookie);
-		 	info.addOuterHandlerChainWrapper(defaultHandler -> new SameSiteCookieHandler(defaultHandler, sameSiteCookie, null, true, true, false));
+		 	log.debug("Setting sameSiteCookie policy for session cookies to {}" , sameSiteCookiePolicy);
+		 	info.addOuterHandlerChainWrapper(defaultHandler -> new SameSiteCookieHandler(defaultHandler, sameSiteCookiePolicy, null, true, true, false));
 
 			ServletSessionConfig sessionConfig = new ServletSessionConfig();
 			sessionConfig.setHttpOnly(true);
-			sessionConfig.setSecure(environment.getProperty(PROP_SERVER_SECURE_COOKIES, Boolean.class, SECURE_COOKIES_DEFAULT_VALUE));
+			sessionConfig.setSecure(secureCookiesEnabled);
 			info.setServletSessionConfig(sessionConfig);
 			if (sessionManagerFactory != null) {
 				info.setSessionManagerFactory(sessionManagerFactory);

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -20,9 +20,12 @@
  */
 package eu.openanalytics.containerproxy.security;
 
+import eu.openanalytics.containerproxy.ContainerProxyApplication;
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
 import eu.openanalytics.containerproxy.util.AppRecoveryFilter;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Bean;
@@ -58,6 +61,8 @@
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
+	private final Logger logger = LogManager.getLogger(getClass());
+
 	@Inject
 	private UserLogoutHandler logoutHandler;
 
@@ -99,6 +104,13 @@ public void configure(WebSecurity web) {
 		}
 	}
 
+	private void checkForIncorrectConfiguration(HttpServletRequest request) {
+		if (request.getScheme().equals("http") && ContainerProxyApplication.secureCookiesEnabled) {
+			logger.warn("WARNING: Invalid configuration detected: ShinyProxy is accessed over HTTP but secure-cookies is enabled. Secure-cookies only work when accessing ShinyProxy over HTTPS. "
+					+ "Ensure that ShinyProxy is accessed over HTTPS or disable secure-cookies");
+		}
+	}
+
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		// App Recovery Filter
@@ -112,6 +124,8 @@ protected void configure(HttpSecurity http) throws Exception {
 		    final AccessDeniedHandler defaultAccessDeniedHandler = new AccessDeniedHandlerImpl();
 			@Override
 			public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+				checkForIncorrectConfiguration(request);
+
 				if (matcher.matcher(request).isMatch() && accessDeniedException instanceof MissingCsrfTokenException) {
 					response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/login").queryParam("error", "expired").build().toUriString());
 				} else {