openam-jp · ogis-osada · Dec 17, 2020 · Jan 23, 2020 · Jan 23, 2020 · Jan 23, 2020
diff --git a/...adaptive/src/main/java/org/forgerock/openam/authentication/modules/adaptive/Adaptive.java b/...adaptive/src/main/java/org/forgerock/openam/authentication/modules/adaptive/Adaptive.java
@@ -22,6 +22,7 @@
  * "Portions Copyrighted [year] [name of copyright owner]"
  *
  * Portions Copyrighted 2013-2016 Nomura Research Institute, Ltd.
+ * Portions Copyrighted 2020 Open Source Solution Technology Corporation
  */
 
 package org.forgerock.openam.authentication.modules.adaptive;
@@ -1054,19 +1055,19 @@ public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                 String value = m.get("LOGINVALUE");
                 String name = m.get("LOGINNAME");
 
-                addCookieToResponse(response, cookieDomains, name, value, autoLoginExpire);
+                addCookieToResponse(request, response, cookieDomains, name, value, autoLoginExpire);
             }
             if (m.containsKey("COOKIENAME")) {
                 String name = m.get("COOKIENAME");
                 String value = m.get("COOKIEVALUE");
 
-                addCookieToResponse(response, cookieDomains, name, value, autoLoginExpire);
+                addCookieToResponse(request, response, cookieDomains, name, value, autoLoginExpire);
             }
             if (m.containsKey("DEVICENAME")) {
                 String name = m.get("DEVICENAME");
                 String value = m.get("DEVICEVALUE");
 
-                addCookieToResponse(response, cookieDomains, name, value, autoLoginExpire);
+                addCookieToResponse(request, response, cookieDomains, name, value, autoLoginExpire);
             }
         } catch (Exception e) {
             if (debug.messageEnabled()) {
@@ -1075,10 +1076,10 @@ public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
         }
     }
 
-    private void addCookieToResponse(HttpServletResponse response, Set<String> cookieDomains, String name,
-            String value, int expire) {
+    private void addCookieToResponse(HttpServletRequest request, HttpServletResponse response,
+            Set<String> cookieDomains, String name, String value, int expire) {
         for (String domain : cookieDomains) {
-            CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(name, value, expire, "/", domain));
+            CookieUtils.addCookieToResponse(request, response, CookieUtils.newCookie(name, value, expire, "/", domain));
         }
     }
 

diff --git a/...m-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuth.java b/...m-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuth.java
@@ -23,7 +23,7 @@
  * "Portions Copyrighted [year] [name of copyright owner]"
  *
  * Portions Copyrighted 2015 Nomura Research Institute, Ltd.
- * Portions Copyrighted 2019 Open Source Solution Technology Corporation
+ * Portions Copyrighted 2019-2020 Open Source Solution Technology Corporation
  * Portions Copyrighted 2020 i7a7467
  */
 package org.forgerock.openam.authentication.modules.oauth2;
@@ -227,14 +227,14 @@ public int process(Callback[] callbacks, int state) throws LoginException {
                 // parameters in the query. OAuth2 requires an identical URL 
                 // when retrieving the token
                 for (String domain : domains) {
-                    CookieUtils.addCookieToResponse(response,
+                    CookieUtils.addCookieToResponse(request, response,
                             CookieUtils.newCookie(COOKIE_PROXY_URL, proxyURL, "/", domain));
-                    CookieUtils.addCookieToResponse(response,
+                    CookieUtils.addCookieToResponse(request, response,
                             CookieUtils.newCookie(COOKIE_ORIG_URL, originalUrl.toString(), "/", domain));
-                    CookieUtils.addCookieToResponse(response,
+                    CookieUtils.addCookieToResponse(request, response,
                             CookieUtils.newCookie(NONCE_TOKEN_ID, csrfStateTokenId, "/", domain));
                     if (ProviderLogoutURL != null && !ProviderLogoutURL.isEmpty()) {
-                        CookieUtils.addCookieToResponse(response,
+                        CookieUtils.addCookieToResponse(request, response,
                                 CookieUtils.newCookie(COOKIE_LOGOUT_URL, ProviderLogoutURL, "/", domain));
                     }
                 }

diff --git a/...h-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuthProxy.java b/...h-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuthProxy.java
@@ -22,6 +22,7 @@
  * your own identifying information:
  * "Portions Copyrighted [year] [name of copyright owner]"
  *
+ * Portions Copyrighted 2020 Open Source Solution Technology Corporation
  */
 package org.forgerock.openam.authentication.modules.oauth2;
 
@@ -133,7 +134,7 @@ public static void continueAuthentication(HttpServletRequest req, HttpServletRes
         OAuthUtil.debugMessage("OAuthProxy.toPostForm: removing cookie " + COOKIE_ORIG_URL);
 
         for (String cookieDomain : AuthClientUtils.getCookieDomainsForRequest(req)) {
-            CookieUtils.addCookieToResponse(res, CookieUtils.newCookie(COOKIE_ORIG_URL, "", 0, "/", cookieDomain));
+            CookieUtils.addCookieToResponse(req, res, CookieUtils.newCookie(COOKIE_ORIG_URL, "", 0, "/", cookieDomain));
         }
         out.println(html.toString());
     }

diff --git a/...nam-auth-saml2/src/main/java/org/forgerock/openam/authentication/modules/saml2/SAML2.java b/...nam-auth-saml2/src/main/java/org/forgerock/openam/authentication/modules/saml2/SAML2.java
@@ -12,7 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
- * Portions copyright 2019 Open Source Solution Technology Corporation
+ * Portions copyright 2019-2020 Open Source Solution Technology Corporation
  */
 package org.forgerock.openam.authentication.modules.saml2;
 
@@ -444,7 +444,7 @@ private void setCookiesForRedirects(final HttpServletRequest request, final Http
 
         // Set the return URL Cookie
         for (String domain : domains) {
-            CookieUtils.addCookieToResponse(response,
+            CookieUtils.addCookieToResponse(request, response,
                     CookieUtils.newCookie(Constants.AM_LOCATION_COOKIE, originalUrl.toString(), "/", domain));
         }
     }
@@ -457,7 +457,7 @@ private void removeCookiesForRedirects(final HttpServletRequest request, final H
 
         // Set the return URL Cookie
         for (String domain : domains) {
-            CookieUtils.addCookieToResponse(response,
+            CookieUtils.addCookieToResponse(request, response,
                     CookieUtils.newCookie(Constants.AM_LOCATION_COOKIE, "", 0, "/", domain));
         }
     }

diff --git a/openam-core-rest/src/main/java/org/forgerock/openam/core/rest/server/ServerInfoResource.java b/openam-core-rest/src/main/java/org/forgerock/openam/core/rest/server/ServerInfoResource.java
@@ -12,7 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2013-2016 ForgeRock AS.
- * Portions copyright 2019 Open Source Solution Technology Corporation
+ * Portions copyright 2019-2020 Open Source Solution Technology Corporation
  */
 package org.forgerock.openam.core.rest.server;
 
@@ -35,6 +35,9 @@
 import com.sun.identity.sm.SMSException;
 import com.sun.identity.sm.ServiceConfig;
 import com.sun.identity.sm.ServiceConfigManager;
+
+import jp.co.osstech.openam.shared.cookie.SameSite;
+
 import org.forgerock.json.JsonValue;
 import org.forgerock.json.resource.ActionRequest;
 import org.forgerock.json.resource.ActionResponse;
@@ -58,15 +61,19 @@
 import org.forgerock.openam.services.RestSecurity;
 import org.forgerock.openam.services.RestSecurityProvider;
 import org.forgerock.openam.sm.config.ConsoleConfigHandler;
+import org.forgerock.openam.utils.CollectionUtils;
 import org.forgerock.openam.utils.StringUtils;
+import org.forgerock.services.context.AttributesContext;
 import org.forgerock.services.context.Context;
 import org.forgerock.util.promise.Promise;
 
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 
 import java.security.AccessController;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -94,6 +101,7 @@ public class ServerInfoResource extends RealmAwareResource {
     private final static String ALL_SERVER_INFO = "*";
     public static final String VALIDATE_GOTO_ACTION_ID = "validateGoto";
     private final Map<String, ActionHandler> actionHandlers;
+    private final static String[] xuiCookies = {CookieUtils.getAmCookieName(), "authId"};
 
     @Inject
     public ServerInfoResource(@Named("frRest") Debug debug, ConsoleConfigHandler configHandler, 
@@ -175,6 +183,15 @@ private Promise<ResourceResponse, ResourceException> getAllServerInfo(Context co
             result.put("realm", realm);
             result.put("xuiUserSessionValidationEnabled", SystemProperties.getAsBoolean(Constants.XUI_USER_SESSION_VALIDATION_ENABLED, true));
 
+
+            AttributesContext requestContext = context.asContext(AttributesContext.class);
+            Map<String, Object> requestAttributes = requestContext.getAttributes();
+            final HttpServletRequest httpServletRequest = (HttpServletRequest) requestAttributes.get(HttpServletRequest.class.getName());
+            Map<String, String> cookieSameSiteMap = getSameSiteMap(httpServletRequest);
+            if (CollectionUtils.isNotEmpty(cookieSameSiteMap)) {
+                result.put("cookieSamesiteMap", cookieSameSiteMap);
+            }
+
             if (debug.messageEnabled()) {
                 debug.message("ServerInfoResource.getAllServerInfo ::" +
                         " Added resource to response: " + ALL_SERVER_INFO);
@@ -189,6 +206,25 @@ private Promise<ResourceResponse, ResourceException> getAllServerInfo(Context co
         }
     }
 
+    /**
+     * Get SameSite map for XUI.
+     *
+     * @param request The HttpServletRequest object.
+     * @return SameSite map.
+     */
+    private Map<String, String> getSameSiteMap(HttpServletRequest request) {
+        Map<String, String> map = new HashMap<String, String>();
+        if (!SameSite.isSupportedClient(request)) {
+            return map;
+        }
+        for (String cookieName : xuiCookies) {
+            SameSite samesite = CookieUtils.getSameSite(cookieName);
+            if (samesite != null) {
+                map.put(cookieName, samesite.getValue());
+            }
+        }
+        return map;
+    }
 
     private String getJsLocale(Locale locale) {
         String jsLocale = locale.getLanguage();

diff --git a/openam-core/src/main/java/com/sun/identity/authentication/client/AuthClientUtils.java b/openam-core/src/main/java/com/sun/identity/authentication/client/AuthClientUtils.java
@@ -25,7 +25,7 @@
  * $Id: AuthClientUtils.java,v 1.40 2010/01/22 03:31:01 222713 Exp $
  *
  * Portions Copyrighted 2010-2016 ForgeRock AS.
- * Portions Copyrighted 2019 Open Source Solution Technology Corporation
+ * Portions Copyrighted 2019-2020 Open Source Solution Technology Corporation
  */
 package com.sun.identity.authentication.client;
 
@@ -554,10 +554,10 @@ public static void setlbCookie(HttpServletRequest request,
                 for (Iterator it = domains.iterator(); it.hasNext(); ) {
                     String domain = (String)it.next();
                     Cookie cookie = createlbCookie(domain);
-                    CookieUtils.addCookieToResponse(response, cookie);
+                    CookieUtils.addCookieToResponse(request, response, cookie);
                 }
             } else {
-                CookieUtils.addCookieToResponse(response, createlbCookie(null));
+                CookieUtils.addCookieToResponse(request, response, createlbCookie(null));
             }
         }
     }
@@ -2814,10 +2814,10 @@ public static void setServerCookie(Cookie aCookie,
                     String domain = (String)it.next();
                     Cookie cookie = createCookie(cookieName, cookieValue,
                         domain);
-                    CookieUtils.addCookieToResponse(response, cookie);
+                    CookieUtils.addCookieToResponse(request, response, cookie);
                 }
             } else {
-                CookieUtils.addCookieToResponse(response,
+                CookieUtils.addCookieToResponse(request, response,
                         createCookie(cookieName,cookieValue,null));
             }
         }
@@ -2843,10 +2843,10 @@ public static void setRedirectBackServerCookie(String cookieName,
                     String domain = (String)it.next();
                     Cookie cookie = createCookie(cookieName, cookieValue,
                         domain);
-                    CookieUtils.addCookieToResponse(response, cookie);
+                    CookieUtils.addCookieToResponse(request, response, cookie);
                 }
             } else {
-                CookieUtils.addCookieToResponse(response,
+                CookieUtils.addCookieToResponse(request, response,
                         createCookie(cookieName,cookieValue,null));
             }
         }
@@ -3022,7 +3022,7 @@ public static String getServiceURI() {
         }
     }
 
-    public static void setHostUrlCookie(HttpServletResponse response) {
+    public static void setHostUrlCookie(HttpServletRequest request, HttpServletResponse response) {
         if (isSessionHijackingEnabled) {
             String hostUrlCookieValue = null;
             try {
@@ -3060,7 +3060,7 @@ public static void setHostUrlCookie(HttpServletResponse response) {
             try {
                 Cookie cookie = createCookie(hostUrlCookieName,
                 hostUrlCookieValue, hostUrlCookieDomain);
-                CookieUtils.addCookieToResponse(response, cookie);
+                CookieUtils.addCookieToResponse(request, response, cookie);
             } catch (Exception e) {
                 utilDebug.message("AuthClientUtils.setHostUrlCookie:", e);
             }

diff --git a/openam-core/src/main/java/com/sun/identity/authentication/service/AuthUtils.java b/openam-core/src/main/java/com/sun/identity/authentication/service/AuthUtils.java
@@ -25,6 +25,7 @@
  * $Id: AuthUtils.java,v 1.33 2009/12/15 16:39:47 qcheng Exp $
  *
  * Portions Copyrighted 2010-2016 ForgeRock AS.
+ * Portions Copyrighted 2020 Open Source Solution Technology Corporation
  */
 package com.sun.identity.authentication.service;
 
@@ -744,10 +745,10 @@ public static void setlbCookie(AuthContextLocal authContext,
                 for (Iterator it = domains.iterator(); it.hasNext(); ) {
                     String domain = (String)it.next();
                     Cookie cookie = createlbCookie(authContext, domain, false);
-                    CookieUtils.addCookieToResponse(response, cookie);
+                    CookieUtils.addCookieToResponse(request, response, cookie);
                 }
             } else {
-                CookieUtils.addCookieToResponse(response, 
+                CookieUtils.addCookieToResponse(request, response, 
                         createlbCookie(authContext, null, false));
             }
         }

diff --git a/openam-core/src/main/java/com/sun/identity/authentication/spi/ReplayPasswd.java b/openam-core/src/main/java/com/sun/identity/authentication/spi/ReplayPasswd.java
@@ -25,6 +25,7 @@
  * $Id: ReplayPasswd.java,v 1.6 2009/11/04 22:50:35 manish_rustagi Exp $
  *
  * Portions Copyrighted 2011-2016 ForgeRock AS.
+ * Portions Copyrighted 2020 Open Source Solution Technology Corporation
  */
 package com.sun.identity.authentication.spi;
 
@@ -147,7 +148,7 @@ public void onLoginSuccess(Map requestParamsMap,
                 Cookie owaAuthCookie;
                 for (String domain : AuthUtils.getCookieDomainsForRequest(request)) {
                     owaAuthCookie = CookieUtils.newCookie(OWA_AUTH_COOKIE, OWA_AUTH_COOKIE_VALUE, "/", domain);
-                    CookieUtils.addCookieToResponse(response, owaAuthCookie);
+                    CookieUtils.addCookieToResponse(request, response, owaAuthCookie);
                 }
             }
 
@@ -249,4 +250,4 @@ private String encryptPassword(String userpasswd) throws NoSuchAlgorithmExceptio
         byte[] ciphertext = cipher.doFinal(data);
         return Base64.encode(ciphertext);
     }
-}
+}
diff --git a/openam-core/src/main/resources/amConsole.properties b/openam-core/src/main/resources/amConsole.properties
@@ -25,7 +25,7 @@
 # $Id: amConsole.properties,v 1.170 2010/01/08 20:47:17 babysunil Exp $
 #
 # Portions Copyrighted 2011-2016 ForgeRock AS.
-# Portions Copyrighted 2012-2019 Open Source Solution Technology Corporation
+# Portions Copyrighted 2012-2020 Open Source Solution Technology Corporation
 # Portions Copyrighted 2013-2015 Nomura Research Institute, Ltd.
 
 webconsole.title=OpenAM
@@ -1340,6 +1340,15 @@ amconfig.help.com.iplanet.am.cookie.secure=Specifies whether to set cookie in a
 amconfig.com.iplanet.am.cookie.encode=Encode Cookie Value
 amconfig.help.com.iplanet.am.cookie.encode=Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)
 
+amconfig.jp.openam.cookie.samesite.default=Default SameSite value
+amconfig.jp.openam.cookie.samesite.default.notset=Not Set
+amconfig.jp.openam.cookie.samesite.default.none=None
+amconfig.jp.openam.cookie.samesite.default.lax=Lax
+amconfig.jp.openam.cookie.samesite.default.strict=Strict
+amconfig.help.jp.openam.cookie.samesite.default=Specify the default value of cookie SameSite attribute.
+amconfig.jp.openam.cookie.samesite.setting.list=SameSite settings for each cookie
+amconfig.help.jp.openam.cookie.samesite.setting.list=Set the SameSite attribute for each cookie. Specify in the format of <code>Cookie name = SameSite attribute value</code>. When specifying for multiple cookies, separate them with commas.
+
 amconfig.com.sun.identity.saml.xmlsig.keystore=Keystore File
 amconfig.help.com.sun.identity.saml.xmlsig.keystore=Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)
 amconfig.com.sun.identity.saml.xmlsig.storetype=Keystore Type

diff --git a/openam-core/src/main/resources/ja_JP/amConsole_ja.properties b/openam-core/src/main/resources/ja_JP/amConsole_ja.properties
@@ -25,7 +25,7 @@
 # $Id: amConsole_ja.properties,v 1.15 2009/12/26 03:51:45 cbasha Exp $
 #
 # Portions Copyrighted 2011-2016 ForgeRock AS.
-# Portions Copyrighted 2012-2019 Open Source Solution Technology Corporation
+# Portions Copyrighted 2012-2020 Open Source Solution Technology Corporation
 # Portions Copyrighted 2013-2014 Nomura Research Institute, Ltd
 #
 
@@ -1256,6 +1256,15 @@ amconfig.help.com.iplanet.am.cookie.secure=\u3053\u308c\u306b\u3088\u308a\u3001C
 amconfig.com.iplanet.am.cookie.encode=Cookie \u5024\u306e\u30a8\u30f3\u30b3\u30fc\u30c9
 amconfig.help.com.iplanet.am.cookie.encode=\u3053\u308c\u306b\u3088\u308a\u3001Cookie \u5024\u3092 URL \u30a8\u30f3\u30b3\u30fc\u30c9\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002(\u30d7\u30ed\u30d1\u30c6\u30a3\u30fc\u540d: com.iplanet.am.cookie.encode)
 
+amconfig.jp.openam.cookie.samesite.default=\u30c7\u30d5\u30a9\u30eb\u30c8 SameSite \u5024
+amconfig.jp.openam.cookie.samesite.default.notset=\u8a2d\u5b9a\u3057\u306a\u3044
+amconfig.jp.openam.cookie.samesite.default.none=None
+amconfig.jp.openam.cookie.samesite.default.lax=Lax
+amconfig.jp.openam.cookie.samesite.default.strict=Strict
+amconfig.help.jp.openam.cookie.samesite.default=Cookie SameSite \u5c5e\u6027\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u5024\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002
+amconfig.jp.openam.cookie.samesite.setting.list=Cookie \u6bce\u306e SameSite \u8a2d\u5b9a
+amconfig.help.jp.openam.cookie.samesite.setting.list=Cookie \u6bce\u306b SameSite \u5c5e\u6027\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<code>Cookie \u540d=SameSite \u5c5e\u6027\u5024</code> \u306e\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3067\u6307\u5b9a\u3057\u307e\u3059\u3002\u8907\u6570\u306e\u30af\u30c3\u30ad\u30fc\u306b\u5bfe\u3057\u3066\u6307\u5b9a\u3059\u308b\u5834\u5408\u306f\u30ab\u30f3\u30de\u3067\u533a\u5207\u308a\u307e\u3059\u3002
+
 amconfig.com.sun.identity.saml.xmlsig.keystore=\u30ad\u30fc\u30b9\u30c8\u30a2\u30d5\u30a1\u30a4\u30eb
 amconfig.help.com.sun.identity.saml.xmlsig.keystore=\u30ad\u30fc\u30b9\u30c8\u30a2\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002(\u30d7\u30ed\u30d1\u30c6\u30a3\u30fc\u540d: com.sun.identity.saml.xmlsig.keystore)
 amconfig.com.sun.identity.saml.xmlsig.storepass=\u30ad\u30fc\u30b9\u30c8\u30a2\u30d1\u30b9\u30ef\u30fc\u30c9\u30d5\u30a1\u30a4\u30eb

diff --git a/openam-federation/OpenFM/src/main/java/com/iplanet/services/cdc/CDCServlet.java b/openam-federation/OpenFM/src/main/java/com/iplanet/services/cdc/CDCServlet.java
@@ -25,6 +25,7 @@
  * $Id: CDCServlet.java,v 1.13 2009/11/13 23:43:17 dknab Exp $
  *
  * Portions Copyrighted 2010-2016 ForgeRock AS.
+ * Portions Copyrighted 2020 Open Source Solution Technology Corporation
  */
 
 package com.iplanet.services.cdc;
@@ -328,12 +329,12 @@ private void doGetPost(
                                 String domain = (String)it.next();
                                 Cookie cookie = CookieUtils.newCookie(cookieName, 
                                         cookieValue,"/", domain);
-                                CookieUtils.addCookieToResponse(response, cookie);
+                                CookieUtils.addCookieToResponse(request, response, cookie);
                             }
                         } else {
                             Cookie cookie = CookieUtils.newCookie(cookieName, 
                                     cookieValue,"/", null);
-                            CookieUtils.addCookieToResponse(response, cookie);
+                            CookieUtils.addCookieToResponse(request, response, cookie);
                         }
                     }
                 } catch (Exception e) {