org.broadleafcommerce.openadmin.web.filter

Class AdminSecurityFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.broadleafcommerce.common.security.handler.SecurityFilter

org.broadleafcommerce.openadmin.web.filter.AdminSecurityFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

public class AdminSecurityFilter
extends SecurityFilter

This class attempts the work flow of the CsrfFilter, but in the event of a Csrf token mismatch (Session reset for example) the User will be redirected to login, if not session reset User is sent to previous location. This class also handles stale state detection for the admin. This can occur when an admin page form is submitted and the system detects that key state has changed since the time the page was originally rendered. See StaleStateProtectionService for details.

applicationContext-admin-security should reference this class as follows:

... <sec:custom-filter ref="blPreSecurityFilterChain" before="CHANNEL_FILTER"/> <sec:custom-filter ref="blSecurityFilter" before="FORM_LOGIN_FILTER"/> <sec:custom-filter ref="blAdminFilterSecurityInterceptor" after="EXCEPTION_TRANSLATION_FILTER"/> <sec:custom-filter ref="blPostSecurityFilterChain" after="SWITCH_USER_FILTER"/> </sec:http> <bean id="blSecurityFilter" class="org.broadleafcommerce.openadmin.web.filter.AdminSecurityFilter" /> ...

Author:

trevorleffert, Jeff Fischer

Field Summary

Fields

Modifier and Type	Field and Description
protected org.springframework.security.web.authentication.AuthenticationFailureHandler	failureHandler

Fields inherited from class org.broadleafcommerce.common.security.handler.SecurityFilter

excludedRequestPatterns, exploitProtectionService, LOG, staleStateProtectionService

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
AdminSecurityFilter()

Method Summary

Modifier and Type	Method and Description
void	doFilter(javax.servlet.ServletRequest baseRequest, javax.servlet.ServletResponse baseResponse, javax.servlet.FilterChain chain)

Methods inherited from class org.broadleafcommerce.common.security.handler.SecurityFilter

getExcludedRequestPatterns, setExcludedRequestPatterns

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

failureHandler

protected org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler

Constructor Detail

AdminSecurityFilter

public AdminSecurityFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest baseRequest,
                     javax.servlet.ServletResponse baseResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Specified by:

doFilter in interface javax.servlet.Filter

Overrides:

doFilter in class SecurityFilter

Throws:

IOException

javax.servlet.ServletException