Fix #25757: ensure same-site-cookie is set in all cases

The property must be set in a different way when not using Redis and
when using Redis for Session Persistence. In the first case the native
method on Undertow is used, in the second case the
DefaultCookieSerializer of Spring is used.

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -21,9 +21,9 @@
 package eu.openanalytics.containerproxy;
 
 import com.fasterxml.jackson.datatype.jsr353.JSR353Module;
-import eu.openanalytics.containerproxy.service.AppRecoveryService;
 import eu.openanalytics.containerproxy.util.ProxyMappingManager;
 import io.undertow.Handlers;
+import io.undertow.server.handlers.SameSiteCookieHandler;
 import io.undertow.servlet.api.ServletSessionConfig;
 import io.undertow.servlet.api.SessionManagerFactory;
 import org.apache.logging.log4j.LogManager;
@@ -76,8 +76,8 @@ public class ContainerProxyApplication {
 
 	private final Logger log = LogManager.getLogger(getClass());
 
-	@Inject
-	private AppRecoveryService appRecoveryService;
+	private static final String PROP_PROXY_SAME_SITE_COOKIE = "proxy.same-site-cookie";
+	private static final String SAME_SITE_COOKIE_DEFAULT_VALUE = "Lax";
 
 	public static void main(String[] args) {
 		SpringApplication app = new SpringApplication(ContainerProxyApplication.class);
@@ -105,7 +105,7 @@ public void init() {
 			log.warn("WARNING: Using server.use-forward-headers will not work in this ShinyProxy release, you need to change your configuration to use another property. See https://shinyproxy.io/documentation/security/#forward-headers on how to change your configuration.");
 		}
 
-		String sameSiteCookie = environment.getProperty("proxy.same-site-cookie", "Lax");
+		String sameSiteCookie = environment.getProperty(PROP_PROXY_SAME_SITE_COOKIE, SAME_SITE_COOKIE_DEFAULT_VALUE);
 		log.debug("Setting sameSiteCookie policy to {}" , sameSiteCookie);
 		defaultCookieSerializer.setSameSite(sameSiteCookie);
 	}
@@ -121,9 +121,12 @@ public UndertowServletWebServerFactory servletContainer() {
 			if (Boolean.valueOf(environment.getProperty("logging.requestdump", "false"))) {
 				info.addOuterHandlerChainWrapper(defaultHandler -> Handlers.requestDump(defaultHandler));
 			}
-			info.addInnerHandlerChainWrapper(defaultHandler -> {
-				return mappingManager.createHttpHandler(defaultHandler);
-			});
+			info.addInnerHandlerChainWrapper(defaultHandler -> mappingManager.createHttpHandler(defaultHandler));
+
+			String sameSiteCookie = environment.getProperty(PROP_PROXY_SAME_SITE_COOKIE, SAME_SITE_COOKIE_DEFAULT_VALUE);
+		 	log.debug("Setting sameSiteCookie policy for session cookies to {}" , sameSiteCookie);
+		   	info.addOuterHandlerChainWrapper(defaultHandler -> new SameSiteCookieHandler(defaultHandler, sameSiteCookie, null, true, true, true));
+
 			ServletSessionConfig sessionConfig = new ServletSessionConfig();
 			sessionConfig.setHttpOnly(true);
 			sessionConfig.setSecure(Boolean.valueOf(environment.getProperty("server.secureCookies", "false")));

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -28,7 +28,6 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
-import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -42,7 +41,6 @@
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.csrf.InvalidCsrfTokenException;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;