use of org.broadleafcommerce.common.exception.ServiceException in project BroadleafCommerce by BroadleafCommerce.
Class SecurityFilter, method doFilter().
/**
 * Applies the request-level exploit protections before handing off to the rest of the chain.
 *
 * Two checks run, both only for {@code POST} requests whose path does not match one of
 * the configured {@code excludedRequestPatterns}:
 * <ul>
 *   <li>the CSRF token read from the parameter named by
 *       {@code exploitProtectionService.getCsrfTokenParameter()} is handed to
 *       {@code exploitProtectionService.compareToken};</li>
 *   <li>when {@code staleStateProtectionService.isEnabled()}, the state-version token read
 *       from {@code getStateVersionTokenParameter()} is handed to its {@code compareToken},
 *       rejecting form posts from a page rendered before an important state change in
 *       this session.</li>
 * </ul>
 * A failing comparison is surfaced as a {@link ServletException} wrapping the service
 * exception and the chain is not continued.
 *
 * NOTE(review): only POST is validated. Other state-changing verbs (PUT, PATCH, DELETE)
 * and every request matching an excluded pattern pass through with neither check, so the
 * exclusion list should stay as tight as possible and no state-changing endpoint should be
 * reachable through a non-POST verb. The token is read with {@code getParameter}, which
 * accepts it from the query string as well as the body.
 *
 * @throws ServletException when a CSRF or stale-state token check fails
 * @throws IOException propagated from the rest of the filter chain
 */
@Override
public void doFilter(ServletRequest baseRequest, ServletResponse baseResponse, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) baseRequest;
    HttpServletResponse response = (HttpServletResponse) baseResponse;

    // Both token checks are limited to POSTs that are not explicitly excluded.
    boolean tokensRequired = request.getMethod().equals("POST") && !matchesExcludedPattern(request);

    if (tokensRequired) {
        String csrfToken = request.getParameter(exploitProtectionService.getCsrfTokenParameter());
        try {
            exploitProtectionService.compareToken(csrfToken);
        } catch (ServiceException e) {
            throw new ServletException(e);
        }
    }

    // isEnabled() is consulted on every request; the token itself is only checked for POSTs.
    if (staleStateProtectionService.isEnabled() && tokensRequired) {
        String stateToken = request.getParameter(staleStateProtectionService.getStateVersionTokenParameter());
        try {
            staleStateProtectionService.compareToken(stateToken);
        } catch (StaleStateServiceException e) {
            throw new ServletException(e);
        }
    }

    chain.doFilter(request, response);
}

/**
 * Tells whether the request matches one of the Ant-style {@code excludedRequestPatterns}.
 *
 * @return {@code true} on the first matching pattern; {@code false} when the list is
 *         {@code null} or empty or nothing matches
 */
private boolean matchesExcludedPattern(HttpServletRequest request) {
    if (excludedRequestPatterns == null || excludedRequestPatterns.isEmpty()) {
        return false;
    }
    for (String pattern : excludedRequestPatterns) {
        if (new AntPathRequestMatcher(pattern).matches(request)) {
            return true;
        }
    }
    return false;
}
use of org.broadleafcommerce.common.exception.ServiceException in project BroadleafCommerce by BroadleafCommerce.
Class ExploitProtectionServiceImpl, method getCSRFToken().
/**
 * Returns the per-session CSRF token, minting and storing it on first use.
 *
 * The request is taken from {@code BroadleafRequestContext}; when that holds no request
 * (the admin does not use the BRC) Spring's {@code RequestContextHolder} is consulted
 * instead. If a session may be used for this request
 * ({@code BLCRequestUtils.isOKtoUseSession}), the token is read from the session attribute
 * {@code CSRFTOKEN}; when it is absent or empty a fresh random id is generated with
 * {@code RandomGenerator.generateRandomId("SHA1PRNG", 32)} (presumably a named
 * {@code SecureRandom} algorithm, given the {@code NoSuchAlgorithmException}) and stored
 * there. When no session may be used, {@code null} is returned and the request has no token.
 *
 * NOTE(review): the token is created once per session and is never rotated here; confirm
 * the login flow renews the session so a token minted before authentication does not carry
 * into the authenticated session. The read-then-write on the session attribute is not
 * atomic, so two concurrent first requests in one session can each mint a token and the
 * later write wins. The Spring fallback dereferences {@code getRequestAttributes()} without
 * a null check and will throw outside a request-bound thread.
 *
 * @return the session CSRF token, or {@code null} when no session may be used
 * @throws ServiceException when the random generator algorithm is unavailable
 */
@Override
public String getCSRFToken() throws ServiceException {
    // Prefer the (possibly wrapped, e.g. Spring Session) request held by the BRC and fall
    // back to Spring's holder for the admin, which does not populate the BRC.
    HttpServletRequest request = BroadleafRequestContext.getBroadleafRequestContext().getRequest();
    if (request == null) {
        request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
    }

    if (!BLCRequestUtils.isOKtoUseSession(new ServletWebRequest(request))) {
        // No session permitted for this request: there is no token to hand out.
        return null;
    }

    HttpSession session = request.getSession();
    String existing = (String) session.getAttribute(CSRFTOKEN);
    if (!StringUtils.isEmpty(existing)) {
        return existing;
    }

    // First use in this session: mint a token and remember it for later comparisons.
    String fresh;
    try {
        fresh = RandomGenerator.generateRandomId("SHA1PRNG", 32);
    } catch (NoSuchAlgorithmException e) {
        LOG.error("Unable to generate random number", e);
        throw new ServiceException("Unable to generate random number", e);
    }
    session.setAttribute(CSRFTOKEN, fresh);
    return fresh;
}
use of org.broadleafcommerce.common.exception.ServiceException in project BroadleafCommerce by BroadleafCommerce.
Class AdminPermissionCustomPersistenceHandler, method update().
/**
 * Updates an existing {@code AdminPermission} from the submitted persistence package.
 *
 * The permission name is validated first by {@code checkPermissionName}; the entity it
 * returns drives the rest of the update. The managed instance is looked up by primary key,
 * repopulated from the submitted properties through the helper, merged, and converted back
 * into an {@code Entity} for the caller.
 *
 * NOTE(review): the class loaded via {@code Class.forName} is named by
 * {@code entity.getType()[0]}, i.e. the submitted type; this relies on the persistence
 * layer validating that name upstream — confirm it is not taken verbatim from the client.
 *
 * @throws ServiceException wrapping any failure during lookup, population or merge; the
 *         message carries only the entity type name
 */
@Override
public Entity update(PersistencePackage persistencePackage, DynamicEntityDao dynamicEntityDao, RecordHelper helper) throws ServiceException {
    Entity entity = checkPermissionName(persistencePackage);
    try {
        PersistencePerspective perspective = persistencePackage.getPersistencePerspective();
        Map<String, FieldMetadata> permissionProperties =
                helper.getSimpleMergedProperties(AdminPermission.class.getName(), perspective);
        Object id = helper.getPrimaryKey(entity, permissionProperties);

        Class<?> permissionClass = Class.forName(entity.getType()[0]);
        AdminPermission existing = (AdminPermission) dynamicEntityDao.retrieve(permissionClass, id);

        // Apply the submitted values onto the managed instance, then persist it.
        AdminPermission populated =
                (AdminPermission) helper.createPopulatedInstance(existing, entity, permissionProperties, false);
        AdminPermission merged = dynamicEntityDao.merge(populated);

        return helper.getRecord(permissionProperties, merged, null, null);
    } catch (Exception e) {
        throw new ServiceException("Unable to update entity for " + entity.getType()[0], e);
    }
}
use of org.broadleafcommerce.common.exception.ServiceException in project BroadleafCommerce by BroadleafCommerce.
Class AdminPermissionCustomPersistenceHandler, method add().
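/**
 * Creates a new {@code AdminPermission} from the submitted persistence package, or
 * delegates to {@link #update} when the package already carries a non-empty {@code id}.
 *
 * After {@code checkPermissionName} validates the name, a fresh instance of the submitted
 * type is created through its declared no-arg constructor, populated from the submitted
 * properties via the helper, merged, and converted back into an {@code Entity}.
 *
 * The instance is created with {@code getDeclaredConstructor().newInstance()} rather than
 * the deprecated {@code Class.newInstance()}, which lets checked exceptions thrown by the
 * constructor escape unwrapped; either way every failure is reported to the caller as a
 * {@link ServiceException}.
 *
 * NOTE(review): the class instantiated is named by {@code entity.getType()[0]}, i.e. the
 * submitted type; this relies on the persistence layer validating that name upstream —
 * confirm it is not taken verbatim from the client.
 *
 * @throws ServiceException wrapping any failure during instantiation, population or merge;
 *         the message carries only the entity type name
 */
@Override
public Entity add(PersistencePackage persistencePackage, DynamicEntityDao dynamicEntityDao, RecordHelper helper) throws ServiceException {
    // A non-empty "id" on the submitted entity means this is really an update of an existing row.
    if (persistencePackage.getEntity().findProperty("id") != null
            && !StringUtils.isEmpty(persistencePackage.getEntity().findProperty("id").getValue())) {
        return update(persistencePackage, dynamicEntityDao, helper);
    }
    Entity entity = checkPermissionName(persistencePackage);
    try {
        PersistencePerspective persistencePerspective = persistencePackage.getPersistencePerspective();
        // Declared no-arg constructor instead of the deprecated Class.newInstance().
        AdminPermission adminInstance =
                (AdminPermission) Class.forName(entity.getType()[0]).getDeclaredConstructor().newInstance();
        Map<String, FieldMetadata> adminProperties =
                helper.getSimpleMergedProperties(AdminPermission.class.getName(), persistencePerspective);
        adminInstance = (AdminPermission) helper.createPopulatedInstance(adminInstance, entity, adminProperties, false);
        adminInstance = dynamicEntityDao.merge(adminInstance);
        return helper.getRecord(adminProperties, adminInstance, null, null);
    } catch (Exception e) {
        throw new ServiceException("Unable to add entity for " + entity.getType()[0], e);
    }
}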
use of org.broadleafcommerce.common.exception.ServiceException in project BroadleafCommerce by BroadleafCommerce.
Class AdminUserCustomPersistenceHandler, method update().
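/**
 * Updates an existing {@code AdminUser} from the submitted persistence package.
 *
 * Steps, in order:
 * <ol>
 *   <li>load the managed user by primary key;</li>
 *   <li>return the validation {@code Entity} early when
 *       {@code validateLegalUsernameAndEmail} reports a problem;</li>
 *   <li>repopulate the user from the submitted properties with the stored password hash
 *       temporarily cleared, so the helper can never copy a submitted value over it;</li>
 *   <li>if a non-empty {@code password} was submitted, hand it to
 *       {@code setUnencodedPassword} and leave {@code password} null so
 *       {@code adminSecurityService.saveAdminUser} encodes it; otherwise restore the
 *       previously stored hash — also when the submission carries no {@code password}
 *       property at all, so an update never reaches {@code saveAdminUser} with a null
 *       password;</li>
 *   <li>run {@code validateUserUpdateSecurity}, save, and return the saved record.</li>
 * </ol>
 * Any exception from these steps, including the security validation, is wrapped in a
 * {@link ServiceException}; the message names the entity type only and carries no
 * credential material.
 *
 * @throws ServiceException wrapping any failure during lookup, validation, population or save
 */
@Override
public Entity update(PersistencePackage persistencePackage, DynamicEntityDao dynamicEntityDao, RecordHelper helper) throws ServiceException {
    Entity entity = persistencePackage.getEntity();
    try {
        PersistencePerspective persistencePerspective = persistencePackage.getPersistencePerspective();
        Map<String, FieldMetadata> adminProperties = helper.getSimpleMergedProperties(AdminUser.class.getName(), persistencePerspective);
        Object primaryKey = helper.getPrimaryKey(entity, adminProperties);
        AdminUser adminInstance = (AdminUser) dynamicEntityDao.retrieve(Class.forName(entity.getType()[0]), primaryKey);

        Entity errorEntity = validateLegalUsernameAndEmail(entity, adminInstance, false);
        if (errorEntity != null) {
            return errorEntity;
        }

        // Keep the stored hash aside and clear it so createPopulatedInstance cannot
        // overwrite it with whatever the submission carries under "password".
        String passwordBefore = adminInstance.getPassword();
        adminInstance.setPassword(null);
        adminInstance = (AdminUser) helper.createPopulatedInstance(adminInstance, entity, adminProperties, false);

        Property passwordProperty = entity.getPMap().get("password");
        boolean newPasswordSubmitted = passwordProperty != null && StringUtils.isNotEmpty(passwordProperty.getValue());
        if (newPasswordSubmitted) {
            // New plaintext password: leave the encoded field null so saveAdminUser encodes it.
            adminInstance.setUnencodedPassword(passwordProperty.getValue());
            adminInstance.setPassword(null);
        } else {
            // No new password (empty value or property absent): keep the existing hash.
            adminInstance.setPassword(passwordBefore);
        }

        validateUserUpdateSecurity(persistencePackage, adminInstance);
        adminInstance = adminSecurityService.saveAdminUser(adminInstance);
        return helper.getRecord(adminProperties, adminInstance, null, null);
    } catch (Exception e) {
        throw new ServiceException("Unable to update entity for " + entity.getType()[0], e);
    }
}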