Class SessionFixationProtectionFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.broadleafcommerce.profile.web.site.security.SessionFixationProtectionFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

@Deprecated @Component("blSessionFixationProtectionFilter") public class SessionFixationProtectionFilter extends org.springframework.web.filter.GenericFilterBean
Deprecated.
Use SessionFixationProtectionStrategy instead
Filter used to protect against session fixation attacks while still keeping the same session id on both http and https protocols. Uses a secondary, https cookie that must be present on every https request for a given session after the first request. If it is missing or does not equal the value we expect, we redirect the user to "/" and remove their session cookie.
Author:
Andre Azzolini (apazzolini)
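The check described above, sketched as a plain servlet filter (an added illustration, not Broadleaf's source code): the first https request binds a random token to the session and returns it in a Secure cookie, and every later https request must echo it. The class name, cookie name and session attribute are hypothetical, the token is stored unencrypted rather than passed through the EncryptionModule this class declares, and JSESSIONID is assumed to be the container's session cookie name.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;

// Hypothetical sketch of the secondary-cookie check; not Broadleaf's implementation.
public class SecondaryCookieFilterSketch implements Filter {
    static final String ATTR = "sketch.activeId";    // hypothetical session attribute
    static final String COOKIE = "SKETCH_ACTIVE_ID"; // hypothetical cookie name
    @Override
    public void doFilter(ServletRequest sReq, ServletResponse sRes, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sReq;
        HttpServletResponse res = (HttpServletResponse) sRes;
        HttpSession session = req.getSession(false);
        if (session == null || !req.isSecure()) { // only https requests are checked
            chain.doFilter(req, res);
            return;
        }
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
        String expected = (String) session.getAttribute(ATTR);
        if (expected == null) { // first https request: bind a random token to the session
            String token = UUID.randomUUID().toString(); // SecureRandom-backed
            session.setAttribute(ATTR, token);
            res.addCookie(cookie(COOKIE, token, path, -1, true));
        } else if (!matches(expected, req.getCookies())) {
            // Token missing or wrong: drop the session, expire its cookie, redirect to "/".
            session.invalidate();
            res.addCookie(cookie("JSESSIONID", "", path, 0, false)); // assumed default name
            res.sendRedirect("/");
            return;
        }
        chain.doFilter(req, res);
    }
    static Cookie cookie(String name, String value, String path, int maxAge, boolean secure) {
        Cookie c = new Cookie(name, value);
        c.setPath(path); c.setMaxAge(maxAge); c.setSecure(secure); c.setHttpOnly(true);
        return c;
    }
    static boolean matches(String expected, Cookie[] cookies) {
        for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
            if (COOKIE.equals(c.getName())) // constant-time comparison
                return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                        c.getValue().getBytes(StandardCharsets.UTF_8));
        }
        return false;
    }
}
```

Because the token cookie carries the Secure flag it never travels over http, so a session id observed or planted on the http side is not enough to pass the https check.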
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    protected org.broadleafcommerce.common.security.util.CookieUtils
    cookieUtils
    Deprecated.
     
    protected Boolean
    enabled
    Deprecated.
     
    protected org.broadleafcommerce.common.encryption.EncryptionModule
    encryptionModule
    Deprecated.
     
    protected static final String
    SESSION_ATTR
    Deprecated.
     

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
    SessionFixationProtectionFilter()
    Deprecated.
     
  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    abortUser(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Deprecated.
     
    void
    doFilter(jakarta.servlet.ServletRequest sRequest, jakarta.servlet.ServletResponse sResponse, jakarta.servlet.FilterChain chain)
    Deprecated.
     

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • SESSION_ATTR

      protected static final String SESSION_ATTR
      Deprecated.
    • encryptionModule

      @Autowired @Qualifier("blSessionFixationEncryptionModule") protected org.broadleafcommerce.common.encryption.EncryptionModule encryptionModule
      Deprecated.
    • cookieUtils

      @Autowired @Qualifier("blCookieUtils") protected org.broadleafcommerce.common.security.util.CookieUtils cookieUtils
      Deprecated.
    • enabled

      @Value("${filter.sessionFixationProtection.legacy.enabled:true}") protected Boolean enabled
      Deprecated.
  • Constructor Details

    • SessionFixationProtectionFilter

      public SessionFixationProtectionFilter()
      Deprecated.
  • Method Details

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest sRequest, jakarta.servlet.ServletResponse sResponse, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Deprecated.
      Throws:
      IOException
      jakarta.servlet.ServletException
    • abortUser

      protected void abortUser(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException
      Deprecated.
      Throws:
      IOException