package org.broadleafcommerce.common.security.handler;

import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.broadleafcommerce.common.exception.ServiceException;
import org.broadleafcommerce.common.security.service.ExploitProtectionService;
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:org/broadleafcommerce/common/security/handler/CsrfFilter.class */
/**
 * Servlet filter that verifies the CSRF token of incoming POST requests before
 * passing them down the filter chain.
 *
 * <p>Security notes for reviewers and integrators:
 * <ul>
 *   <li>Only requests whose method is exactly {@code "POST"} are verified. Any other
 *       method (GET, PUT, DELETE, PATCH, ...) goes through this filter without a token
 *       check, so state-changing handlers reachable through those methods need their
 *       own CSRF protection.</li>
 *   <li>Every entry in {@link #excludedRequestPatterns} switches the token check off
 *       for all requests it matches. Keep that list as narrow as possible and review
 *       each pattern as a deliberate CSRF exemption.</li>
 *   <li>A failed verification reaches the container as a {@link ServletException}
 *       wrapping the {@link ServiceException}; this class does not set a response
 *       status itself.</li>
 * </ul>
 */
public class CsrfFilter extends GenericFilterBean {
    protected static final Log LOG = LogFactory.getLog(CsrfFilter.class);

    // Token comparison and the name of the token request parameter both come from this service.
    @Resource(name = "blExploitProtectionService")
    protected ExploitProtectionService exploitProtectionService;

    // Ant-style request patterns exempt from the token check; null or empty means no exemptions.
    protected List<String> excludedRequestPatterns;

    /**
     * Verifies the CSRF token of a non-excluded POST request, then continues the chain.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain, invoked once the check has passed
     *                        or was not required
     * @throws IOException      if raised further down the chain
     * @throws ServletException if the exploit protection service rejects the request with a
     *                          {@link ServiceException}, or if raised further down the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        boolean excluded = matchesExcludedPattern(request);
        boolean tokenCheckRequired = request.getMethod().equals("POST") && !excluded;

        if (tokenCheckRequired) {
            try {
                String tokenParameter = exploitProtectionService.getCsrfTokenParameter();
                // getParameter returns null when the parameter is missing; that value is handed
                // to compareToken unchanged.
                // NOTE(review): confirm that compareToken rejects a null or empty token.
                String submittedToken = request.getParameter(tokenParameter);
                exploitProtectionService.compareToken(submittedToken);
            } catch (ServiceException e) {
                // Keep the cause so the rejection reason is available to error handling and logs.
                throw new ServletException(e);
            }
        }

        filterChain.doFilter(request, response);
    }

    /**
     * Reports whether the request matches one of the configured exclusion patterns.
     * Evaluation stops at the first matching pattern.
     */
    private boolean matchesExcludedPattern(HttpServletRequest request) {
        if (excludedRequestPatterns == null || excludedRequestPatterns.isEmpty()) {
            return false;
        }
        for (String pattern : excludedRequestPatterns) {
            // A matcher is built per pattern on every request, as in the original code.
            if (new AntPathRequestMatcher(pattern).matches(request)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the patterns exempt from the token check.
     *
     * @return the configured list itself (no copy), possibly {@code null}
     */
    public List<String> getExcludedRequestPatterns() {
        return excludedRequestPatterns;
    }

    /**
     * Sets the patterns exempt from the token check. The list reference is stored as given,
     * so later changes to that list also change which requests skip verification.
     *
     * @param list Ant-style request patterns, or {@code null} for no exemptions
     */
    public void setExcludedRequestPatterns(List<String> list) {
        excludedRequestPatterns = list;
    }
}
