org.broadleafcommerce.common.security.handler

Class SecurityFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.web.filter.OncePerRequestFilter

org.broadleafcommerce.common.security.handler.SecurityFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SecurityFilter
extends org.springframework.web.filter.OncePerRequestFilter

Checks the validity of the CSRF token on every POST request. Also Checks the validity of the state token on every POST request. Its purpose is to help protect against a page being submitted with stale state. This can occur when key state has changed (either in session, or otherwise) that makes the current POST request no longer viable. See StaleStateProtectionService for more info on purpose and usage.

You can inject excluded Request URI patterns to bypass this filter. This filter uses the AntPathRequestMatcher which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. This allows you to use wildcard matching as well, for example /** or **

Author:

Jeff Fischer

See Also:

AntPathRequestMatcher

Field Summary

Fields

Modifier and Type	Field and Description
protected List<String>	excludedRequestPatterns
protected ExploitProtectionService	exploitProtectionService
protected static org.apache.commons.logging.Log	LOG
protected StaleStateProtectionService	staleStateProtectionService

Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
SecurityFilter()

Method Summary

Modifier and Type	Method and Description
protected void	doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
List<String>	getExcludedRequestPatterns()
void	setExcludedRequestPatterns(List<String> excludedRequestPatterns) This allows you to declaratively set a list of excluded Request Patterns /exclude-me/**

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

protected static final org.apache.commons.logging.Log LOG

staleStateProtectionService

@Autowired
 @Qualifier(value="blStaleStateProtectionService")
protected StaleStateProtectionService staleStateProtectionService

exploitProtectionService

@Autowired
 @Qualifier(value="blExploitProtectionService")
protected ExploitProtectionService exploitProtectionService

excludedRequestPatterns

protected List<String> excludedRequestPatterns

Constructor Detail

SecurityFilter

public SecurityFilter()

Method Detail

doFilterInternal

protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
                                IOException

Specified by:

doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter

Throws:

javax.servlet.ServletException

IOException

getExcludedRequestPatterns

public List<String> getExcludedRequestPatterns()

setExcludedRequestPatterns

public void setExcludedRequestPatterns(List<String> excludedRequestPatterns)

This allows you to declaratively set a list of excluded Request Patterns /exclude-me/**