Some security scans may report that the JSESSIONID cookie tied to the URL of the Siteminder AdminUI needs to have the SameSite attribute set.
Component: Siteminder AdminUI
Release: 12.8.x
The SameSite attribute of the Set-Cookie HTTP response header allows you to declare whether your cookie should be restricted to a first-party or same-site context.
1) Download the file "1674239267076__AdminUI-Samesite-Fix.zip" attached to this KB
2) Copy the file "1674239267076__AdminUI-Samesite-Fix.zip" to the Siteminder AdminUI host and unzip it.
3) Stop the Siteminder AdminUI
4) Browse to the following directory:
<AdminUI_Install_Dir>\adminui\modules\com
5) Copy the folder named "broadcom" from "1674239267076__AdminUI-Samesite-Fix" to <AdminUI_Install_Dir>\adminui\modules\com\
6) After copying the "broadcom" folder, verify that the following files and directory structure are present:
<AdminUI_Install_Dir>\adminui\modules\com\broadcom\websec\filter\main\modules.xml
<AdminUI_Install_Dir>\adminui\modules\com\broadcom\websec\filter\main\samesitefilter.jar
7) Backup the following file:
<AdminUI_Install_Dir>\adminui\standalone\configuration\standalone-full.xml
8) Edit the following file:
<AdminUI_Install_Dir>\adminui\standalone\configuration\standalone-full.xml
9) Within the file "standalone-full.xml" locate the following entry:
<subsystem xmlns="urn:jboss:domain:undertow:8.0......."
10) Within the [<subsystem xmlns="urn:jboss:domain:undertow:8.0] section, locate the <filters> section
<!--
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
-->
11) Modify the <filters> section as follows:
<filters>
<!--<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> -->
<filter class-name="com.broadcom.websec.filter.SameSiteCookieHandler" module="com.broadcom.websec.filter" name="samesitecookiehandler">
<param name="sameSite" value="None"/>
</filter>
</filters>
NOTE: <!-- --> is a wrapper that comments out the enclosed values. If you prefer, you could simply remove the default response headers completely:
<filters>
<filter class-name="com.broadcom.websec.filter.SameSiteCookieHandler" module="com.broadcom.websec.filter" name="samesitecookiehandler">
<param name="sameSite" value="None"/>
</filter>
</filters>
NOTE: Within the 'value=' attribute of the parameter named "sameSite" [<param name="sameSite" value= ], populate one of the supported SameSite values (None | Lax | Strict). Please ensure you have provided one of these values exactly as written.
12) Within the file "standalone-full.xml" locate the following entry:
<host alias="localhost" name="default-host">
13) Implement the following change:
<host alias="localhost" name="default-host">
<filter-ref name="samesitecookiehandler"/>
<location handler="welcome-content" name="/"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
NOTE: There are examples in the sample copy of the 'standalone-full.xml' within "1674239267076__AdminUI-Samesite-Fix". That copy is NOT intended to replace your existing 'standalone-full.xml', it is merely there for reference purposes. DO NOT replace your copy of 'standalone-full.xml' with the same copy provided.
14) Start the Siteminder AdminUI server
15) Using a web browser trace tool, log on to the Siteminder AdminUI and review the JSESSIONID cookie in the responses to verify that the solution is working.
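For step 15, the following added Python script (not part of this KB or of the Siteminder product) checks captured Set-Cookie headers and reports whether JSESSIONID carries one of the supported SameSite values; the sample headers and the cookie value are constructed, and the check also applies the browser rule that SameSite=None is only honoured when the cookie is also marked Secure.

```python
# Added verification helper for step 15; it is not part of the KB or of Siteminder.
# It parses Set-Cookie header values (as shown by a browser trace tool) and reports
# findings for the JSESSIONID cookie. An empty findings list means the fix is in place.

# The KB requires the configured value to match one of these exactly.
SUPPORTED_SAMESITE = ("None", "Lax", "Strict")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def check_jsessionid(set_cookie_headers):
    """Return a list of findings for the JSESSIONID cookie (empty list = OK)."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != "JSESSIONID":
            continue
        seen = True
        samesite = attrs.get("samesite")
        if samesite is None or samesite is True:
            findings.append("JSESSIONID has no SameSite attribute; filter is not applied")
        elif samesite not in SUPPORTED_SAMESITE:
            findings.append(f"unsupported SameSite value {samesite!r}; use None, Lax or Strict")
        elif samesite == "None" and "secure" not in attrs:
            findings.append("SameSite=None requires the Secure attribute or browsers will reject the cookie")
    if not seen:
        findings.append("no JSESSIONID cookie in the captured response")
    return findings


# Constructed sample headers (cookie value and path are placeholders, not real data).
BEFORE_FIX = ["JSESSIONID=abc123; Path=/; HttpOnly"]
AFTER_FIX = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_jsessionid(headers) or ["OK"])
```

Paste the Set-Cookie values from the trace tool into the list in place of the constructed samples.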