org.broadleafcommerce.profile.web.site.security

Class SessionFixationProtectionFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.broadleafcommerce.profile.web.site.security.SessionFixationProtectionFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

Deprecated.

Use org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy instead

@Deprecated
 @Component(value="blSessionFixationProtectionFilter")
public class SessionFixationProtectionFilter
extends org.springframework.web.filter.GenericFilterBean

Filter used to protected against session fixation attacks while still keeping the same session id on both http and https protocols. Uses a secondary, https cookie that must be present on every https request for a given session after the first request. If it's not present and equal to what we expect, we will redirect the user to "/" and remove his session cookie.

Author:

Andre Azzolini (apazzolini)

Field Summary

Fields

Modifier and Type	Field and Description
protected org.broadleafcommerce.common.security.util.CookieUtils	cookieUtils Deprecated.
protected Boolean	enabled Deprecated.
protected org.broadleafcommerce.common.encryption.EncryptionModule	encryptionModule Deprecated.
protected static String	SESSION_ATTR Deprecated.

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
SessionFixationProtectionFilter() Deprecated.

Method Summary

Modifier and Type	Method and Description
protected void	abortUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Deprecated.
void	doFilter(javax.servlet.ServletRequest sRequest, javax.servlet.ServletResponse sResponse, javax.servlet.FilterChain chain) Deprecated.

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SESSION_ATTR

protected static final String SESSION_ATTR

Deprecated.

See Also:

Constant Field Values

encryptionModule

@Autowired
 @Qualifier(value="blSessionFixationEncryptionModule")
protected org.broadleafcommerce.common.encryption.EncryptionModule encryptionModule

Deprecated.

cookieUtils

@Autowired
 @Qualifier(value="blCookieUtils")
protected org.broadleafcommerce.common.security.util.CookieUtils cookieUtils

Deprecated.

enabled

@Value(value="${filter.sessionFixationProtection.legacy.enabled:true}")
protected Boolean enabled

Deprecated.

Constructor Detail

SessionFixationProtectionFilter

public SessionFixationProtectionFilter()

Deprecated.

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest sRequest,
                     javax.servlet.ServletResponse sResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Deprecated.

Throws:

IOException

javax.servlet.ServletException

abortUser

protected void abortUser(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
                  throws IOException

Deprecated.

Throws:

IOException