Tomcat Cookie Handling (4.8)
Adjustments needed for IDM 4.8 support
Tomcat Cookie Handling Adjustments
To support current browsers and current Tomcat versions, two changes to the User Application's Tomcat cookie handling are required.
Setting the SameSite attribute
As of version 80, Chrome treats a cookie without a SameSite attribute as SameSite=Lax. Such cookies are not sent when the User Application is embedded in an iframe by Karma, so legacy UserApp forms fail to display.
To fix this, configure Tomcat to add SameSite=None to the cookies it sets. Browsers only honour SameSite=None when the cookie also carries the Secure attribute, so the User Application must be served over HTTPS with its cookies marked Secure. Note that SameSite=None also gives up the cross-site request protection that the Lax default provides; the application has to rely on its own CSRF defences.
vim /opt/netiq/idm/apps/tomcat/conf/context.xml
<Context>
<!-- ... -->
<CookieProcessor sameSiteCookies="None" />
</Context>
Replacing the cookie processor
To support legacy User Application forms, Karma opens an iframe which points to a User Application URL similar to: https://idm.server/IDMProv/requestForm.do?uid=…&jsa=....
The User Application reads the jsa request parameter and sets a cookie containing its value. As of Tomcat 8.5 this fails because the default cookie processor (org.apache.tomcat.util.http.Rfc6265CookieProcessor) enforces the RFC 6265 cookie-value grammar and rejects certain characters, backslashes among them. The jsa value contains such characters regardless of whether they are URL-encoded in the request, since the servlet container decodes the parameter before the application uses it as a cookie value. As a result, setting the response cookie fails and the form cannot be displayed.
To fix this, configure Tomcat to use its legacy cookie processor, which accepts the older, more permissive cookie syntax. Keep the sameSiteCookies="None" setting from the previous step on the same element. Note that conf/context.xml is the default Context for every web application deployed on this Tomcat instance, so both settings apply to all of them, not only to the User Application:
vim /opt/netiq/idm/apps/tomcat/conf/context.xml
<Context>
<!-- ... -->
<CookieProcessor sameSiteCookies="None" className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
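The following Python script is an added example and is not part of the IDM documentation or of the User Application code. It illustrates both adjustments above: why the Rfc6265CookieProcessor refuses a jsa-style value (the RFC 6265 cookie-octet grammar it enforces, applied to the value before and after URL decoding) and how to check that a Set-Cookie header produced after the context.xml change carries both SameSite=None and Secure, which browsers require together. It assumes the User Application decodes the jsa parameter before using it (standard servlet getParameter() behaviour); the jsa value and the Set-Cookie headers are constructed for the example, not captured from a server.

```python
# Added example, not part of the IDM documentation or the User Application code.
# Assumptions: the User Application decodes the jsa request parameter before
# using it as a cookie value (standard servlet getParameter() behaviour), and
# the sample header/values below are constructed, not captured from a server.
from urllib.parse import unquote


def rfc6265_invalid_chars(value):
    """Return the characters in value that the RFC 6265 cookie-octet grammar
    forbids: anything other than %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E.
    For ASCII this is exactly the set Tomcat's Rfc6265CookieProcessor rejects
    (CTLs, space, DQUOTE, comma, semicolon, backslash)."""
    bad = []
    for ch in value:
        o = ord(ch)
        allowed = (o == 0x21 or 0x23 <= o <= 0x2B or 0x2D <= o <= 0x3A
                   or 0x3C <= o <= 0x5B or 0x5D <= o <= 0x7E)
        if not allowed:
            bad.append(ch)
    return bad


def cookie_value_from_jsa(jsa_param):
    """The value the application ends up putting into the cookie: the request
    parameter after URL decoding, so a %5C in the URL becomes a raw backslash."""
    return unquote(jsa_param)


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: cookie name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def samesite_none_is_usable(header):
    """Chrome 80+ (and other current browsers) only keep a SameSite=None cookie
    if it is also marked Secure; returns True when both attributes are present."""
    attrs = parse_set_cookie(header)["attrs"]
    return attrs.get("samesite", "").lower() == "none" and "secure" in attrs


if __name__ == "__main__":
    # Constructed jsa value: contains a backslash, URL-encoded as %5C.
    jsa = "form%5Cdata"
    print("encoded parameter :", rfc6265_invalid_chars(jsa))                         # []
    print("decoded value     :", rfc6265_invalid_chars(cookie_value_from_jsa(jsa)))  # ['\\']

    # Constructed Set-Cookie headers: before and after the context.xml change.
    before = "JSESSIONID=0123ABCD; Path=/IDMProv; HttpOnly"
    after = "JSESSIONID=0123ABCD; Path=/IDMProv; Secure; HttpOnly; SameSite=None"
    print("before:", samesite_none_is_usable(before))  # False
    print("after :", samesite_none_is_usable(after))   # True
```

The encoded parameter passes the grammar check untouched, but the decoded value the application actually sets contains a raw backslash and is rejected, which is why URL encoding in the request does not help. The header check is the one to run against a real response (for example the headers returned for requestForm.do) after restarting Tomcat: a SameSite=None cookie without Secure is silently dropped by the browser, and the form still fails to display.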