Class AdminSecurityFilter

java.lang.Object
  org.springframework.web.filter.GenericFilterBean
    org.springframework.web.filter.OncePerRequestFilter
      org.broadleafcommerce.common.security.handler.SecurityFilter
        org.broadleafcommerce.openadmin.web.filter.AdminSecurityFilter

- All Implemented Interfaces:
  jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
@Component("blAdminCsrfFilter")
public class AdminSecurityFilter
extends org.broadleafcommerce.common.security.handler.SecurityFilter
This class follows the workflow of the CsrfFilter, but in the event of a CSRF token mismatch (a session reset, for example) the user is redirected to the login page; if the session was not reset, the user is sent back to the previous location.

This class also handles stale state detection for the admin. Stale state occurs when an admin page form is submitted and the system detects that key state has changed since the page was originally rendered. See StaleStateProtectionService for details.
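The CSRF-mismatch branch described above, as an added illustration that is not Broadleaf's AdminSecurityFilter or any other code from the project: a minimal OncePerRequestFilter that compares a session-held token with the one posted by the form, redirects to login when there is no session to compare against (the session-reset case), and otherwise returns the user to the previous location. The session attribute name, the form parameter name, the login path and the use of the Referer header as the "previous location" are all assumptions made for this example.

```java
// Added example, not Broadleaf code. Hypothetical names: CSRF_SESSION_ATTR,
// CSRF_PARAM and LOGIN_PATH are assumptions, as is reading the previous
// location from the Referer header.
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

public class CsrfMismatchRedirectFilter extends OncePerRequestFilter {

    static final String CSRF_SESSION_ATTR = "example.csrfToken"; // hypothetical session attribute
    static final String CSRF_PARAM = "csrfToken";                 // hypothetical form parameter
    static final String LOGIN_PATH = "/admin/login";              // hypothetical login URL

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Safe methods do not change state, so they are never token-checked.
        if (isSafeMethod(request.getMethod())) {
            chain.doFilter(request, response);
            return;
        }

        // Never create a session here: a missing session is the signal we key on.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(CSRF_SESSION_ATTR);
        String actual = request.getParameter(CSRF_PARAM);

        if (tokensMatch(expected, actual)) {
            chain.doFilter(request, response);
            return;
        }

        // Mismatch. No session (reset or timed out) means the user must authenticate again;
        // otherwise send them back to where they came from so they can resubmit with a fresh token.
        if (session == null || expected == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
        } else {
            response.sendRedirect(previousLocation(request));
        }
    }

    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method)
            || "OPTIONS".equals(method) || "TRACE".equals(method);
    }

    // Constant-time comparison so the check does not leak token bytes through timing.
    static boolean tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    // Only redirect back to a same-host http(s) location; otherwise fall back to the
    // context root, so the Referer header cannot be used as an open redirect.
    static String previousLocation(HttpServletRequest request) {
        String fallback = request.getContextPath() + "/";
        String referer = request.getHeader("Referer");
        if (referer == null) {
            return fallback;
        }
        try {
            URI uri = URI.create(referer);
            boolean httpScheme = "http".equalsIgnoreCase(uri.getScheme())
                              || "https".equalsIgnoreCase(uri.getScheme());
            if (httpScheme && request.getServerName().equalsIgnoreCase(uri.getHost())) {
                return referer;
            }
        } catch (IllegalArgumentException malformed) {
            // Unparseable Referer: treat as absent.
        }
        return fallback;
    }
}
```

The stale-state check the page also mentions is not modelled here; it would sit beside the token check and compare a state version carried by the form against the current server-side version before the request is allowed through.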
applicationContext-admin-security should reference this class as follows:
...
<sec:custom-filter ref="blPreSecurityFilterChain" before="CHANNEL_FILTER"/>
<sec:custom-filter ref="blSecurityFilter" before="FORM_LOGIN_FILTER"/>
<sec:custom-filter ref="blAdminFilterSecurityInterceptor" after="EXCEPTION_TRANSLATION_FILTER"/>
<sec:custom-filter ref="blPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
</sec:http>
<bean id="blSecurityFilter" class="org.broadleafcommerce.openadmin.web.filter.AdminSecurityFilter" />
...
- Author: trevorleffert, Jeff Fischer
Field Summary

Fields
- protected org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler

Fields inherited from class org.broadleafcommerce.common.security.handler.SecurityFilter
- excludedRequestPatterns, exploitProtectionService, staleStateProtectionService

Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
- ALREADY_FILTERED_SUFFIX

Fields inherited from class org.springframework.web.filter.GenericFilterBean
- logger

Constructor Summary

Constructors
- AdminSecurityFilter()

Method Summary

Methods
- void doFilterInternal(jakarta.servlet.http.HttpServletRequest baseRequest, jakarta.servlet.http.HttpServletResponse baseResponse, jakarta.servlet.FilterChain chain)

Methods inherited from class org.broadleafcommerce.common.security.handler.SecurityFilter
- getExcludedRequestPatterns, setExcludedRequestPatterns

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
- doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

Methods inherited from class org.springframework.web.filter.GenericFilterBean
- addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Field Details

failureHandler
@Autowired(required=false) @Qualifier("blAdminAuthenticationFailureHandler")
protected org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler

Constructor Details

AdminSecurityFilter
public AdminSecurityFilter()

Method Details

doFilterInternal
public void doFilterInternal(jakarta.servlet.http.HttpServletRequest baseRequest, jakarta.servlet.http.HttpServletResponse baseResponse, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
- Overrides:
  doFilterInternal in class org.broadleafcommerce.common.security.handler.SecurityFilter
- Throws:
  IOException, jakarta.servlet.ServletException