From b13aa55c43aacf871700e526f01bb76d6e9b29af Mon Sep 17 00:00:00 2001
From: Matthew Buckett
Date: Mon, 27 Apr 2026 15:51:02 +0100
Subject: [PATCH] AB#117049 Switch to Spring Boot method of setting SameSite This drops our code so we just set the standard property.
---
.../ox/ctl/ltiauth/TomcatConfiguration.java | 25 -------------------
src/main/resources/application.properties | 2 ++
2 files changed, 2 insertions(+), 25 deletions(-)
delete mode 100644 src/main/java/uk/ac/ox/ctl/ltiauth/TomcatConfiguration.java
diff --git a/src/main/java/uk/ac/ox/ctl/ltiauth/TomcatConfiguration.java b/src/main/java/uk/ac/ox/ctl/ltiauth/TomcatConfiguration.java
deleted file mode 100644
index a32689e..0000000
--- a/src/main/java/uk/ac/ox/ctl/ltiauth/TomcatConfiguration.java
+++ /dev/null
@@ -1,25 +0,0 @@
-package uk.ac.ox.ctl.ltiauth;
-
-import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
-import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
-import org.springframework.boot.web.server.WebServerFactoryCustomizer;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-/**
- * This is so that we set SameSite=None on our cookie so that things work in the cross domain setup.
- */
-@Configuration
-public class TomcatConfiguration {
-
- @Bean
- WebServerFactoryCustomizer cookieProcessorCustomizer() {
- return tomcatServletWebServerFactory -> {
- tomcatServletWebServerFactory.addContextCustomizers(context -> {
- Rfc6265CookieProcessor processor = new Rfc6265CookieProcessor();
- processor.setSameSiteCookies("None");
- context.setCookieProcessor(processor);
- });
- };
- }
-}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 7ccb9de..e36c7a6 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -63,3 +63,5 @@ management.endpoints.web.exposure.include=health,sentry # disable by default spring.cloud.aws.secretsmanager.enabled=false +# This is needed for the OAuth flow so that the cookie is sent in cross-origin requests. +server.servlet.session.cookie.same-site=None
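Review bot: The added `server.servlet.session.cookie.same-site=None` line is not paired with a `Secure` setting in this hunk, and current browsers reject `SameSite=None` cookies that lack `Secure`. Unless the flag is already set elsewhere in the file (not visible here) or reliably derived from the request being HTTPS, add `server.servlet.session.cookie.secure=true` next to it. The property also covers only the session cookie, whereas the deleted `Rfc6265CookieProcessor` customizer applied `SameSite=None` to the context's cookies generally, so it is worth confirming that no other cookie in the cross-origin flow depended on that. Because `None` means the browser sends the session cookie on cross-site requests, the comment could record that, e.g. `# SameSite=None: session cookie is sent cross-site, so CSRF protection must come from the application.`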