org.broadleafcommerce.common.security.handler

Class SecurityFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.broadleafcommerce.common.security.handler.SecurityFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

public class SecurityFilter
extends org.springframework.web.filter.GenericFilterBean

Checks the validity of the CSRF token on every POST request. Also Checks the validity of the state token on every POST request. Its purpose is to help protect against a page being submitted with stale state. This can occur when key state has changed (either in session, or otherwise) that makes the current POST request no longer viable. See StaleStateProtectionService for more info on purpose and usage.

You can inject excluded Request URI patterns to bypass this filter. This filter uses the AntPathRequestMatcher which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. This allows you to use wildcard matching as well, for example /** or **

Author:

Jeff Fischer

See Also:

AntPathRequestMatcher

Field Summary

Fields

Modifier and Type	Field and Description
protected List<String>	excludedRequestPatterns
protected ExploitProtectionService	exploitProtectionService
protected static org.apache.commons.logging.Log	LOG
protected StaleStateProtectionService	staleStateProtectionService

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
SecurityFilter()

Method Summary

Modifier and Type	Method and Description
void	doFilter(javax.servlet.ServletRequest baseRequest, javax.servlet.ServletResponse baseResponse, javax.servlet.FilterChain chain)
List<String>	getExcludedRequestPatterns()
void	setExcludedRequestPatterns(List<String> excludedRequestPatterns) This allows you to declaratively set a list of excluded Request Patterns /exclude-me/**

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

protected static final org.apache.commons.logging.Log LOG

staleStateProtectionService

protected StaleStateProtectionService staleStateProtectionService

exploitProtectionService

protected ExploitProtectionService exploitProtectionService

excludedRequestPatterns

protected List<String> excludedRequestPatterns

Constructor Detail

SecurityFilter

public SecurityFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest baseRequest,
                     javax.servlet.ServletResponse baseResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

getExcludedRequestPatterns

public List<String> getExcludedRequestPatterns()

setExcludedRequestPatterns

public void setExcludedRequestPatterns(List<String> excludedRequestPatterns)

This allows you to declaratively set a list of excluded Request Patterns /exclude-me/**