SessionFixationProtectionFilter (BroadleafCommerce Profile Web 3.0.5-GA API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.broadleafcommerce.profile.web.core.security
Class SessionFixationProtectionFilter

java.lang.Object
  org.springframework.web.filter.GenericFilterBean
      org.broadleafcommerce.profile.web.core.security.SessionFixationProtectionFilter

All Implemented Interfaces:: javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

@Component(value="blSessionFixationProtectionFilter") public class SessionFixationProtectionFilter
extends org.springframework.web.filter.GenericFilterBean
extends org.springframework.web.filter.GenericFilterBean

Filter used to protected against session fixation attacks while still keeping the same session id on both http and https protocols. Uses a secondary, https cookie that must be present on every https request for a given session after the first request. If it's not present and equal to what we expect, we will redirect the user to "/" and remove his session cookie.

Author:: Andre Azzolini (apazzolini)

Field Summary
`protected EncryptionModule`	`encryptionModule`
`protected static String`	`SESSION_ATTR`

Fields inherited from class org.springframework.web.filter.GenericFilterBean
`logger`

Constructor Summary
`SessionFixationProtectionFilter()`

Method Summary
`protected void`	`abortUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)`
`void`	`doFilter(javax.servlet.ServletRequest sRequest, javax.servlet.ServletResponse sResponse, javax.servlet.FilterChain chain)`

Methods inherited from class org.springframework.web.filter.GenericFilterBean
`addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

SESSION_ATTR

protected static final String SESSION_ATTR

See Also:: Constant Field Values

encryptionModule

protected EncryptionModule encryptionModule

Constructor Detail

SessionFixationProtectionFilter

public SessionFixationProtectionFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest sRequest,
                     javax.servlet.ServletResponse sResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Throws:: IOException; javax.servlet.ServletException

abortUser

protected void abortUser(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
                  throws IOException

Throws:: IOException