Use of org.broadleafcommerce.common.security.service.StaleStateServiceException in project BroadleafCommerce by BroadleafCommerce:
the class AdminSecurityFilter, method doFilter.
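/**
 * Delegates to the parent filter and translates two wrapped failure types into HTTP responses.
 * <p>
 * A {@code ServletException} whose cause is a {@link StaleStateServiceException} becomes a
 * {@code 409 Conflict} with a short plain-text body. A {@code ServletException} whose cause is a
 * {@code ServiceException} while no authentication is present is treated as a session time-out and
 * handed to {@code failureHandler}. Every other {@code ServletException} is rethrown unchanged.
 *
 * @param baseRequest  the incoming request; cast to {@code HttpServletRequest} in the time-out branch
 * @param baseResponse the response; cast to {@code HttpServletResponse} when a status is written
 * @param chain        the remaining filter chain, passed to {@code super.doFilter}
 * @throws IOException      propagated from the chain or from writing the 409 body
 * @throws ServletException any wrapped failure this method does not handle itself
 */
@Override
public void doFilter(ServletRequest baseRequest, ServletResponse baseResponse, FilterChain chain) throws IOException, ServletException {
    try {
        super.doFilter(baseRequest, baseResponse, chain);
    } catch (ServletException e) {
        Throwable cause = e.getCause();
        // The stale-state check must run before the generic ServiceException check; if
        // StaleStateServiceException is a ServiceException subtype (not visible here — verify),
        // swapping the order would route stale-state failures into the time-out branch.
        if (cause instanceof StaleStateServiceException) {
            LOG.debug("Stale state detected", e);
            HttpServletResponse response = (HttpServletResponse) baseResponse;
            response.setStatus(HttpServletResponse.SC_CONFLICT);
            // Declare the body type and charset before obtaining the writer so the client does
            // not have to content-sniff the message (setContentType must precede getWriter()).
            response.setContentType("text/plain");
            response.setCharacterEncoding("UTF-8");
            PrintWriter writer = response.getWriter();
            writer.write("Stale State Detected\n");
            // NOTE(review): e is the ServletException wrapper, so e.getMessage() presumably is the
            // cause's toString() (class name plus message) rather than just the message; confirm
            // that exposing the cause's class name to the client is intended.
            writer.write(e.getMessage() + "\n");
        } else if (cause instanceof ServiceException) {
            HttpServletRequest request = (HttpServletRequest) baseRequest;
            // No authentication together with an invalid CSRF token is read as a session time-out;
            // the failure handler then produces the response in place of the original exception.
            if (SecurityContextHolder.getContext().getAuthentication() == null && failureHandler != null) {
                request.setAttribute("sessionTimeout", true);
                failureHandler.onAuthenticationFailure(request, (HttpServletResponse) baseResponse, new SessionAuthenticationException("Session Time Out"));
            } else {
                // Authenticated (or no handler configured): not a time-out, let the container handle it.
                throw e;
            }
        } else {
            throw e;
        }
    }
}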
Use of org.broadleafcommerce.common.security.service.StaleStateServiceException in project BroadleafCommerce by BroadleafCommerce:
the class SecurityFilter, method doFilter.
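/**
 * Validates the CSRF token and, when enabled, the stale-state version token on POST requests
 * before continuing the filter chain.
 * <p>
 * Requests matching any pattern in {@code excludedRequestPatterns} skip both checks. A failed
 * comparison is wrapped in a {@code ServletException} so a filter earlier in the chain can
 * inspect the cause (see {@code AdminSecurityFilter}); this method never writes a response itself.
 *
 * @param baseRequest  the incoming request; must be an {@code HttpServletRequest}
 * @param baseResponse the response; must be an {@code HttpServletResponse}
 * @param chain        the remaining filter chain, invoked once the checks pass
 * @throws IOException      propagated from the chain
 * @throws ServletException if the CSRF token or the state version token does not compare equal
 */
@Override
public void doFilter(ServletRequest baseRequest, ServletResponse baseResponse, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) baseRequest;
    HttpServletResponse response = (HttpServletResponse) baseResponse;

    // Both token checks apply to the same set of requests: POSTs that match no excluded pattern.
    // NOTE(review): PUT/PATCH/DELETE are not validated here; confirm no state-changing admin
    // endpoints accept those verbs before relying on this filter for them.
    boolean validateTokens = "POST".equals(request.getMethod()) && !matchesExcludedPattern(request);

    if (validateTokens) {
        // CSRF: the submitted token must match the one held for this session.
        String csrfToken = request.getParameter(exploitProtectionService.getCsrfTokenParameter());
        try {
            exploitProtectionService.compareToken(csrfToken);
        } catch (ServiceException e) {
            throw new ServletException(e);
        }
    }

    // isEnabled() is consulted before the POST test, as in the original ordering.
    if (staleStateProtectionService.isEnabled() && validateTokens) {
        // Reject form submissions from a stale page (an important state change has taken place
        // for this session since the page was rendered).
        String stateToken = request.getParameter(staleStateProtectionService.getStateVersionTokenParameter());
        try {
            staleStateProtectionService.compareToken(stateToken);
        } catch (StaleStateServiceException e) {
            throw new ServletException(e);
        }
    }

    chain.doFilter(request, response);
}

/**
 * Returns whether the request matches any configured exclusion pattern (Ant-style path match).
 * A {@code null} or empty pattern list excludes nothing.
 */
private boolean matchesExcludedPattern(HttpServletRequest request) {
    if (excludedRequestPatterns == null || excludedRequestPatterns.isEmpty()) {
        return false;
    }
    for (String pattern : excludedRequestPatterns) {
        RequestMatcher matcher = new AntPathRequestMatcher(pattern);
        if (matcher.matches(request)) {
            return true;
        }
    }
    return false;
}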