Class SecurityFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.broadleafcommerce.common.security.handler.SecurityFilter
- All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class SecurityFilter
extends org.springframework.web.filter.OncePerRequestFilter
Checks the validity of the CSRF token on every POST request. Also checks the validity of the state token on every POST request. Its purpose is to help protect against a page being submitted with stale state. This can occur when key state has changed (either in session, or otherwise) that makes the current POST request no longer viable. See StaleStateProtectionService for more info on purpose and usage.
You can inject excluded Request URI patterns to bypass this filter. This filter uses the AntPathRequestMatcher, which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. This allows you to use wildcard matching as well, for example /** or **.
- Author:
- Jeff Fischer
- See Also:
- AntPathRequestMatcher
Field Summary
Fields
- protected ExploitProtectionService exploitProtectionService
- protected static final org.apache.commons.logging.Log LOG
- protected StaleStateProtectionService staleStateProtectionService
Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
Constructor Summary
Constructors
- SecurityFilter()
Method Summary
- protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain)
- void setExcludedRequestPatterns(List<String> excludedRequestPatterns): This allows you to declaratively set a list of excluded Request Patterns, for example /exclude-me/**
Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Field Details
- LOG
protected static final org.apache.commons.logging.Log LOG
- staleStateProtectionService
@Autowired @Qualifier("blStaleStateProtectionService") protected StaleStateProtectionService staleStateProtectionService
- exploitProtectionService
@Autowired @Qualifier("blExploitProtectionService") protected ExploitProtectionService exploitProtectionService
- excludedRequestPatterns
Constructor Details
- SecurityFilter
public SecurityFilter()
Method Details
- doFilterInternal
protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException
Specified by: doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
Throws: jakarta.servlet.ServletException, IOException
- getExcludedRequestPatterns
- setExcludedRequestPatterns
This allows you to declaratively set a list of excluded Request Patterns, for example /exclude-me/**
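An added configuration example (not code from Broadleaf or this Javadoc) showing how an application might define the filter bean with a narrow exclusion list and reject catch-all patterns at startup. The bean name blSecurityFilter, the constructed paths under /api/webhooks and /healthcheck, and the assumption that the bean is picked up by the existing filter chain are all illustrative.

```java
import java.util.List;
import java.util.Set;
import org.broadleafcommerce.common.security.handler.SecurityFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecurityFilterExclusionConfig {

    // Patterns that match every URL and so would switch off the CSRF and
    // stale-state checks for all POST requests. Rejected at startup so a
    // too-broad exclusion cannot ship by accident.
    private static final Set<String> CATCH_ALL_PATTERNS = Set.of("/**", "**");

    // Constructed example: callback endpoints that authenticate requests by
    // other means and cannot carry a browser-issued CSRF token.
    private static final List<String> EXCLUDED = List.of(
            "/api/webhooks/**",
            "/healthcheck");

    // Bean name is an assumption for this example.
    @Bean
    public SecurityFilter blSecurityFilter() {
        SecurityFilter filter = new SecurityFilter();
        filter.setExcludedRequestPatterns(validated(EXCLUDED));
        return filter;
    }

    // Fails fast on exclusion patterns that defeat the filter's purpose.
    static List<String> validated(List<String> patterns) {
        for (String p : patterns) {
            String pattern = p.trim();
            if (CATCH_ALL_PATTERNS.contains(pattern)) {
                throw new IllegalStateException("Exclusion pattern '" + pattern
                        + "' would bypass the SecurityFilter for every request");
            }
            // AntPathRequestMatcher compares against servletPath + pathInfo,
            // not the full request URI, so the pattern must be an absolute
            // servlet path and must not start with the context path.
            if (!pattern.startsWith("/")) {
                throw new IllegalStateException("Exclusion pattern '" + pattern
                        + "' must start with '/' (servletPath + pathInfo)");
            }
        }
        return patterns;
    }
}
```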