SessionFixationProtectionFilter (BroadleafCommerce Profile Web 3.0.14-GA API)

java.lang.Object
- org.springframework.web.filter.GenericFilterBean
- - org.broadleafcommerce.profile.web.core.security.SessionFixationProtectionFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware
```
@Component(value="blSessionFixationProtectionFilter")
public class SessionFixationProtectionFilter
extends org.springframework.web.filter.GenericFilterBean
```
Filter used to protected against session fixation attacks while still keeping the same session id on both http and https protocols. Uses a secondary, https cookie that must be present on every https request for a given session after the first request. If it's not present and equal to what we expect, we will redirect the user to "/" and remove his session cookie.

Author:

Andre Azzolini (apazzolini)

Field Summary

Fields
Modifier and Type Field and Description

protected CookieUtils cookieUtils

protected EncryptionModule encryptionModule

protected static String SESSION_ATTR
- Fields inherited from class org.springframework.web.filter.GenericFilterBean
  logger

Fields
Modifier and Type	Field and Description
`protected CookieUtils`	`cookieUtils`
`protected EncryptionModule`	`encryptionModule`
`protected static String`	`SESSION_ATTR`

Constructor Summary

Constructors
Constructor and Description

SessionFixationProtectionFilter()

Constructors
Constructor and Description
`SessionFixationProtectionFilter()`

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`abortUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)`
`void`	`doFilter(javax.servlet.ServletRequest sRequest, javax.servlet.ServletResponse sResponse, javax.servlet.FilterChain chain)`

Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SESSION_ATTR

protected static final String SESSION_ATTR

See Also:: Constant Field Values

encryptionModule

protected EncryptionModule encryptionModule

cookieUtils
```
protected CookieUtils cookieUtils
```

Constructor Detail
- SessionFixationProtectionFilter
```
public SessionFixationProtectionFilter()
```

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest sRequest,
            javax.servlet.ServletResponse sResponse,
            javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Throws:: IOException; javax.servlet.ServletException

abortUser

protected void abortUser(javax.servlet.http.HttpServletRequest request,
             javax.servlet.http.HttpServletResponse response)
                  throws IOException

Throws:: IOException

Class SessionFixationProtectionFilter

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

Constructor Summary

Method Summary

Methods inherited from class org.springframework.web.filter.GenericFilterBean

Methods inherited from class java.lang.Object

Field Detail

SESSION_ATTR

encryptionModule

cookieUtils

Constructor Detail

SessionFixationProtectionFilter

Method Detail

doFilter

abortUser