Class AdminSecurityFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.broadleafcommerce.common.security.handler.SecurityFilter
org.broadleafcommerce.openadmin.web.filter.AdminSecurityFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

@Component("blAdminCsrfFilter") public class AdminSecurityFilter extends SecurityFilter
This class follows the workflow of Spring Security's CsrfFilter, but on a CSRF token mismatch it distinguishes two cases: if the session has been reset (for example, it expired), the user is redirected to the login page; otherwise the user is sent back to the previous location. This class also handles stale state detection for the admin, which occurs when an admin page form is submitted and the system detects that key state has changed since the page was originally rendered. See StaleStateProtectionService for details.

applicationContext-admin-security should reference this class as follows:

    ...
        <sec:custom-filter ref="blPreSecurityFilterChain" before="CHANNEL_FILTER"/>
        <sec:custom-filter ref="blSecurityFilter" before="FORM_LOGIN_FILTER"/>
        <sec:custom-filter ref="blAdminFilterSecurityInterceptor" after="EXCEPTION_TRANSLATION_FILTER"/>
        <sec:custom-filter ref="blPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
    </sec:http>
    <bean id="blSecurityFilter" class="org.broadleafcommerce.openadmin.web.filter.AdminSecurityFilter" />
    ...
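As an added illustration of the mismatch policy described above (example code written for this page, not Broadleaf's AdminSecurityFilter or SecurityFilter): a OncePerRequestFilter that sends the user to the login page when the session holds no token (the session was reset) and back to the previous page when the session is live but the submitted token does not match. The session attribute and request parameter names, the login and landing paths, and the use of a same-origin-checked Referer header to find the "previous location" are all assumptions of this example; the real filter delegates these details to ExploitProtectionService.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Illustrative CSRF filter: no session token means the session was reset, so
 * the user goes to login; a live session with a wrong token means the form is
 * stale or forged, so the user goes back where they came from.
 * Example code only, not Broadleaf's implementation. All names below are assumed.
 */
public class ExampleAdminCsrfFilter extends OncePerRequestFilter {

    // Assumed names and paths for this example.
    static final String SESSION_TOKEN_ATTR = "exampleCsrfToken";
    static final String REQUEST_TOKEN_PARAM = "csrfToken";
    static final String LOGIN_PATH = "/admin/login";
    static final String DEFAULT_RETURN_PATH = "/admin";
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (SAFE_METHODS.contains(request.getMethod())) {
            // Safe methods change no state, so no token is required.
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_TOKEN_ATTR);
        String submitted = request.getParameter(REQUEST_TOKEN_PARAM);

        if (expected == null) {
            // Session reset (timeout, logout, restart): nothing to verify against,
            // so re-authenticate instead of returning a bare 403.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        if (submitted == null || !constantTimeEquals(expected, submitted)) {
            // Live session, wrong token: drop the submission and send the user back.
            // The Referer is honoured only when same-origin, so this cannot become
            // an open redirect.
            response.sendRedirect(safeReturnLocation(request));
            return;
        }
        chain.doFilter(request, response);
    }

    /** Compare tokens without leaking the position of the first differing byte. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Previous location if the Referer is on this scheme and host, else a fixed landing page. */
    static String safeReturnLocation(HttpServletRequest request) {
        String fallback = request.getContextPath() + DEFAULT_RETURN_PATH;
        String referer = request.getHeader("Referer");
        if (referer == null) {
            return fallback;
        }
        try {
            URI uri = new URI(referer);
            boolean sameHost = request.getServerName().equalsIgnoreCase(uri.getHost());
            boolean sameScheme = request.getScheme().equalsIgnoreCase(uri.getScheme());
            return (sameHost && sameScheme) ? referer : fallback;
        } catch (URISyntaxException e) {
            return fallback;
        }
    }
}
```

The two redirect branches are the point: a missing session token is treated as "the user is no longer authenticated" rather than as an attack, while a present-but-wrong token is treated as a stale or forged form and the submission is discarded without changing state. A real deployment would also need to mint the session token and render it into every admin form, which this example leaves to the surrounding application.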
Author:
trevorleffert, Jeff Fischer
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    protected org.springframework.security.web.authentication.AuthenticationFailureHandler
    failureHandler
     

    Fields inherited from class org.broadleafcommerce.common.security.handler.SecurityFilter

    excludedRequestPatterns, exploitProtectionService, staleStateProtectionService

    Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

    ALREADY_FILTERED_SUFFIX

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
    AdminSecurityFilter()
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    doFilterInternal(jakarta.servlet.http.HttpServletRequest baseRequest, jakarta.servlet.http.HttpServletResponse baseResponse, jakarta.servlet.FilterChain chain)
     

    Methods inherited from class org.broadleafcommerce.common.security.handler.SecurityFilter

    getExcludedRequestPatterns, setExcludedRequestPatterns

    Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

    doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • failureHandler

      @Autowired(required=false) @Qualifier("blAdminAuthenticationFailureHandler") protected org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler
  • Constructor Details

    • AdminSecurityFilter

      public AdminSecurityFilter()
  • Method Details

    • doFilterInternal

      public void doFilterInternal(jakarta.servlet.http.HttpServletRequest baseRequest, jakarta.servlet.http.HttpServletResponse baseResponse, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Overrides:
      doFilterInternal in class SecurityFilter
      Throws:
      IOException
      jakarta.servlet.ServletException