SessionFixationProtectionFilter (BroadleafCommerce Profile Web 3.0.6-GA API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.broadleafcommerce.profile.web.core.security
Class SessionFixationProtectionFilter

java.lang.Object
  org.springframework.web.filter.GenericFilterBean
      org.broadleafcommerce.profile.web.core.security.SessionFixationProtectionFilter

All Implemented Interfaces:: javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

@Component(value="blSessionFixationProtectionFilter") public class SessionFixationProtectionFilter
extends org.springframework.web.filter.GenericFilterBean
extends org.springframework.web.filter.GenericFilterBean

Filter used to protected against session fixation attacks while still keeping the same session id on both http and https protocols. Uses a secondary, https cookie that must be present on every https request for a given session after the first request. If it's not present and equal to what we expect, we will redirect the user to "/" and remove his session cookie.

Author:: Andre Azzolini (apazzolini)

Field Summary
`protected CookieUtils`	`cookieUtils`
`protected EncryptionModule`	`encryptionModule`
`protected static String`	`SESSION_ATTR`

Fields inherited from class org.springframework.web.filter.GenericFilterBean
`logger`

Constructor Summary
`SessionFixationProtectionFilter()`

Method Summary
`protected void`	`abortUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)`
`void`	`doFilter(javax.servlet.ServletRequest sRequest, javax.servlet.ServletResponse sResponse, javax.servlet.FilterChain chain)`

Methods inherited from class org.springframework.web.filter.GenericFilterBean
`addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

SESSION_ATTR

protected static final String SESSION_ATTR

See Also:: Constant Field Values

encryptionModule

protected EncryptionModule encryptionModule

cookieUtils

protected CookieUtils cookieUtils

Constructor Detail

SessionFixationProtectionFilter

public SessionFixationProtectionFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest sRequest,
                     javax.servlet.ServletResponse sResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Throws:: IOException; javax.servlet.ServletException

abortUser

protected void abortUser(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
                  throws IOException

Throws:: IOException