-
Bug
-
Resolution: Unresolved
-
Critical
-
8.1 Update 3, 8.1 Update 4
-
None
Servlet 6.0 added support for arbitrary cookie attributes [1], however, WildFly was never updated to support this.
e.g.
A valid web.xml containing the following currently throws a parser error:
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0"> <session-config> <cookie-config> <attribute> <attribute-name>SameSite</attribute-name> <attribute-value>None</attribute-value> </attribute> </cookie-config> </session-config> </web-app>
I'm filing this as a critical bug since this breaks compliance with the servlet specification. Apparently, the Servlet TCK was never updated to validate compliance for this new feature [2].
[1] https://github.com/jakartaee/servlet/issues/175
[2] https://github.com/jakartaee/servlet/pull/401
To fix this, we need the following:
- A new release of jboss-metadata containing metadata/parser support
- A new release of Undertow, containing updates to io.undertow.servlet.api.ServletSessionConfig to support arbitrary cookie attributes.
Changes the Undertow subsystem model/schema to support for arbitrary attributes within /undertow=subsystem/servlet-container=*/setting=session-cookie and affinity-cookie- Changes to UndertowDeploymentInfoService to apply default cookie attributes from subsystem model and metadata to the ServletSessionConfig of the DeploymentInfo.
- clones
-
-
- Pull Request Sent
-
- is blocked by
-
UNDERTOW-2580 Support SameSite and custom cookie attributes
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- is incorporated by
-
JBEAP-31639 (8.1.z) Upgrade Undertow from 2.3.20.SP4-redhat-00001 to 2.3.23.SP1-redhat-00001
-
- New
-
- split to
-
-
- Open
-
