org.broadleafcommerce.common.security.handler

Class CsrfFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.broadleafcommerce.common.security.handler.CsrfFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

public class CsrfFilter
extends org.springframework.web.filter.GenericFilterBean

Checks the validity of the CSRF token on every POST request. You can inject excluded Request URI patterns to bypass this filter. This filter uses the AntPathRequestMatcher which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. This allows you to use wildcard matching as well, for example /** or **

Author:

Andre Azzolini (apazzolini)

See Also:

AntPathRequestMatcher

Field Summary

Fields

Modifier and Type	Field and Description
protected List<String>	excludedRequestPatterns
protected ExploitProtectionService	exploitProtectionService
protected static org.apache.commons.logging.Log	LOG

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
CsrfFilter()

Method Summary

Methods

Modifier and Type	Method and Description
void	doFilter(javax.servlet.ServletRequest baseRequest, javax.servlet.ServletResponse baseResponse, javax.servlet.FilterChain chain)
List<String>	getExcludedRequestPatterns()
void	setExcludedRequestPatterns(List<String> excludedRequestPatterns) This allows you to declaratively set a list of excluded Request Patterns /exclude-me/**

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

protected static final org.apache.commons.logging.Log LOG

exploitProtectionService

protected ExploitProtectionService exploitProtectionService

excludedRequestPatterns

protected List<String> excludedRequestPatterns

Constructor Detail

CsrfFilter

public CsrfFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest baseRequest,
            javax.servlet.ServletResponse baseResponse,
            javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

getExcludedRequestPatterns

public List<String> getExcludedRequestPatterns()

setExcludedRequestPatterns

public void setExcludedRequestPatterns(List<String> excludedRequestPatterns)

This allows you to declaratively set a list of excluded Request Patterns /exclude-me/**