org.broadleafcommerce.profile.core.service

Class CustomerServiceImpl

java.lang.Object

org.broadleafcommerce.profile.core.service.CustomerServiceImpl

All Implemented Interfaces:

CustomerService

@Service(value="blCustomerService")
public class CustomerServiceImpl
extends Object
implements CustomerService

Field Summary

Fields

Modifier and Type	Field and Description
protected EmailInfo	changePasswordEmailInfo
protected CustomerDao	customerDao
protected CustomerForgotPasswordSecurityTokenDao	customerForgotPasswordSecurityTokenDao
protected EmailService	emailService
protected EmailInfo	forgotPasswordEmailInfo
protected EmailInfo	forgotUsernameEmailInfo
protected IdGenerationService	idGenerationService
protected List<PasswordUpdatedHandler>	passwordChangedHandlers
protected org.springframework.security.authentication.encoding.PasswordEncoder	passwordEncoder Deprecated. Spring Security has deprecated this encoder interface, this will be removed in 4.2
protected Object	passwordEncoderBean This is simply a placeholder to be used by setupPasswordEncoder() to determine if we're using the new PasswordEncoder or the deprecated PasswordEncoder
protected org.springframework.security.crypto.password.PasswordEncoder	passwordEncoderNew Set by setupPasswordEncoder() if the blPasswordEncoder bean provided is the new version.
protected List<PasswordUpdatedHandler>	passwordResetHandlers
protected int	passwordTokenLength
protected List<PostRegistrationObserver>	postRegisterListeners
protected EmailInfo	registrationEmailInfo
protected RoleDao	roleDao
protected String	salt Deprecated. utilize saltSource instead so that it can be shared between this class as well as Spring's authentication manager, this will be removed in 4.2
protected org.springframework.security.authentication.dao.SaltSource	saltSource Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2
protected int	tokenExpiredMinutes

Constructor Summary

Constructors

Constructor and Description
CustomerServiceImpl()

Method Summary

Modifier and Type	Method and Description
void	addPostRegisterListener(PostRegistrationObserver postRegisterListeners)
Customer	changePassword(PasswordChange passwordChange)
protected void	checkCustomer(Customer customer, GenericResponse response)
protected void	checkPassword(String password, String confirmPassword, GenericResponse response)
GenericResponse	checkPasswordResetToken(String token) Deprecated.
GenericResponse	checkPasswordResetToken(String token, Customer customer) Verifies that a customer has a valid token.
protected CustomerForgotPasswordSecurityToken	checkPasswordResetToken(String token, Customer customer, GenericResponse response)
Customer	createCustomer()
Customer	createCustomerFromId(Long customerId) Returns a Customer by first looking in the database, otherwise creating a new non-persisted Customer
Customer	createNewCustomer() Returns a non-persisted Customer.
void	createRegisteredCustomerRoles(Customer customer) Subclassed implementations can assign unique roles for various customer types
void	deleteCustomer(Customer customer) Delete the customer entity from the persistent store
protected String	encodePass(String rawPassword, Object salt) Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2
String	encodePassword(String rawPassword) Encodes the clear text parameter, using the salt provided by PasswordEncoder.
String	encodePassword(String rawPassword, Customer customer) Deprecated.
Long	findNextCustomerId() Allow customers to call from subclassed service.
protected String	generateSecurePassword()
EmailInfo	getChangePasswordEmailInfo()
EmailInfo	getForgotPasswordEmailInfo()
EmailInfo	getForgotUsernameEmailInfo()
List<PasswordUpdatedHandler>	getPasswordChangedHandlers()
List<PasswordUpdatedHandler>	getPasswordResetHandlers()
int	getPasswordTokenLength()
EmailInfo	getRegistrationEmailInfo()
String	getSalt() Deprecated.
Object	getSalt(Customer customer) Deprecated.
Object	getSalt(Customer customer, String unencodedPassword) Deprecated.
org.springframework.security.authentication.dao.SaltSource	getSaltSource() Deprecated.
int	getTokenExpiredMinutes()
protected void	invalidateAllTokensForCustomer(Customer customer)
protected boolean	isPassValid(String rawPassword, String encodedPassword, Object salt) Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2
boolean	isPasswordValid(String rawPassword, String encodedPassword) Determines if a password is valid by comparing it to the encoded string, salting is handled internally to the PasswordEncoder.
boolean	isPasswordValid(String rawPassword, String encodedPassword, Customer customer) Deprecated.
protected boolean	isTokenExpired(CustomerForgotPasswordSecurityToken fpst)
protected void	notifyPostRegisterListeners(Customer customer)
Customer	readCustomerByEmail(String emailAddress)
Customer	readCustomerById(Long id)
Customer	readCustomerByUsername(String username)
Customer	readCustomerByUsername(String username, Boolean cacheable)
Customer	registerCustomer(Customer customer, String password, String passwordConfirm)
void	removePostRegisterListener(PostRegistrationObserver postRegisterListeners)
Customer	resetPassword(PasswordReset passwordReset)
GenericResponse	resetPasswordUsingToken(String username, String token, String password, String confirmPassword) Updates the password for the passed in customer only if the passed in token is valid for that customer.
Customer	saveCustomer(Customer customer)
Customer	saveCustomer(Customer customer, boolean register)
GenericResponse	sendForgotPasswordNotification(String username, String resetPasswordUrl) Generates an access token and then emails the user.
GenericResponse	sendForgotUsernameNotification(String emailAddress) Looks up the corresponding Customer and emails the address on file with the associated username.
void	setChangePasswordEmailInfo(EmailInfo changePasswordEmailInfo)
void	setCustomerDao(CustomerDao customerDao)
void	setForgotPasswordEmailInfo(EmailInfo forgotPasswordEmailInfo)
void	setForgotUsernameEmailInfo(EmailInfo forgotUsernameEmailInfo)
void	setPasswordChangedHandlers(List<PasswordUpdatedHandler> passwordChangedHandlers)
void	setPasswordEncoder(Object passwordEncoder) Set the passwordEncoder to be used by this class.
void	setPasswordResetHandlers(List<PasswordUpdatedHandler> passwordResetHandlers)
void	setPasswordTokenLength(int passwordTokenLength)
void	setRegistrationEmailInfo(EmailInfo registrationEmailInfo)
void	setSalt(String salt) Deprecated.
void	setSaltSource(org.springframework.security.authentication.dao.SaltSource saltSource) Deprecated.
void	setTokenExpiredMinutes(int tokenExpiredMinutes)
protected void	setupPasswordEncoder() Sets either passwordEncoder or passwordEncoderNew based on the type of passwordEncoderBean in order to provide bean configuration backwards compatibility with the deprecated PasswordEncoder bean.
protected boolean	usingDeprecatedPasswordEncoder() Deprecated.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

customerDao

protected CustomerDao customerDao

idGenerationService

protected IdGenerationService idGenerationService

customerForgotPasswordSecurityTokenDao

protected CustomerForgotPasswordSecurityTokenDao customerForgotPasswordSecurityTokenDao

passwordEncoder

@Deprecated
protected org.springframework.security.authentication.encoding.PasswordEncoder passwordEncoder

Deprecated. Spring Security has deprecated this encoder interface, this will be removed in 4.2

Set by setupPasswordEncoder() if the blPasswordEncoder bean provided is the deprecated version.

passwordEncoderNew

protected org.springframework.security.crypto.password.PasswordEncoder passwordEncoderNew

Set by setupPasswordEncoder() if the blPasswordEncoder bean provided is the new version.

passwordEncoderBean

protected Object passwordEncoderBean

This is simply a placeholder to be used by setupPasswordEncoder() to determine if we're using the new PasswordEncoder or the deprecated PasswordEncoder

salt

@Deprecated
protected String salt

Deprecated. utilize saltSource instead so that it can be shared between this class as well as Spring's authentication manager, this will be removed in 4.2

Optional password salt to be used with the passwordEncoder

saltSource

@Deprecated
 @Autowired(required=false)
 @Qualifier(value="blSaltSource")
protected org.springframework.security.authentication.dao.SaltSource saltSource

Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2

Use a Salt Source ONLY if there's one configured

roleDao

protected RoleDao roleDao

emailService

protected EmailService emailService

forgotPasswordEmailInfo

protected EmailInfo forgotPasswordEmailInfo

forgotUsernameEmailInfo

protected EmailInfo forgotUsernameEmailInfo

registrationEmailInfo

protected EmailInfo registrationEmailInfo

changePasswordEmailInfo

protected EmailInfo changePasswordEmailInfo

tokenExpiredMinutes

protected int tokenExpiredMinutes

passwordTokenLength

protected int passwordTokenLength

postRegisterListeners

protected final List<PostRegistrationObserver> postRegisterListeners

passwordResetHandlers

protected List<PasswordUpdatedHandler> passwordResetHandlers

passwordChangedHandlers

protected List<PasswordUpdatedHandler> passwordChangedHandlers

Constructor Detail

CustomerServiceImpl

public CustomerServiceImpl()

Method Detail

setupPasswordEncoder

@PostConstruct
protected void setupPasswordEncoder()

Sets either passwordEncoder or passwordEncoderNew based on the type of passwordEncoderBean in order to provide bean configuration backwards compatibility with the deprecated PasswordEncoder bean.

passwordEncoderBean is set by the bean defined as "blPasswordEncoder" and can be changed with setPasswordEncoder(Object).

This class will utilize either the new or deprecated PasswordEncoder type depending on which is not null.

Throws:

org.springframework.beans.factory.NoSuchBeanDefinitionException - if passwordEncoderBean is null or not an instance of either PasswordEncoder

saveCustomer

@Transactional(value="blTransactionManager")
public Customer saveCustomer(Customer customer)

Specified by:

saveCustomer in interface CustomerService

saveCustomer

@Transactional(value="blTransactionManager")
public Customer saveCustomer(Customer customer,
                                                                          boolean register)

Specified by:

saveCustomer in interface CustomerService

generateSecurePassword

protected String generateSecurePassword()

registerCustomer

@Transactional(value="blTransactionManager")
public Customer registerCustomer(Customer customer,
                                                                              String password,
                                                                              String passwordConfirm)

Specified by:

registerCustomer in interface CustomerService

createRegisteredCustomerRoles

public void createRegisteredCustomerRoles(Customer customer)

Description copied from interface: CustomerService

Subclassed implementations can assign unique roles for various customer types

Specified by:

createRegisteredCustomerRoles in interface CustomerService

Parameters:

customer - Customer to create roles for

readCustomerByEmail

public Customer readCustomerByEmail(String emailAddress)

Specified by:

readCustomerByEmail in interface CustomerService

changePassword

@Transactional(value="blTransactionManager")
public Customer changePassword(PasswordChange passwordChange)

Specified by:

changePassword in interface CustomerService

resetPassword

@Transactional(value="blTransactionManager")
public Customer resetPassword(PasswordReset passwordReset)

Specified by:

resetPassword in interface CustomerService

addPostRegisterListener

public void addPostRegisterListener(PostRegistrationObserver postRegisterListeners)

Specified by:

addPostRegisterListener in interface CustomerService

removePostRegisterListener

public void removePostRegisterListener(PostRegistrationObserver postRegisterListeners)

Specified by:

removePostRegisterListener in interface CustomerService

notifyPostRegisterListeners

protected void notifyPostRegisterListeners(Customer customer)

createCustomer

public Customer createCustomer()

Specified by:

createCustomer in interface CustomerService

createCustomerFromId

public Customer createCustomerFromId(Long customerId)

Description copied from interface: CustomerService

Returns a Customer by first looking in the database, otherwise creating a new non-persisted Customer

Specified by:

createCustomerFromId in interface CustomerService

Parameters:

customerId - the id of the customer to lookup

findNextCustomerId

public Long findNextCustomerId()

Description copied from interface: CustomerService

Allow customers to call from subclassed service.

Specified by:

findNextCustomerId in interface CustomerService

Returns:

the next customerId to be used

createNewCustomer

public Customer createNewCustomer()

Description copied from interface: CustomerService

Returns a non-persisted Customer. Typically used with registering a new customer.

Specified by:

createNewCustomer in interface CustomerService

deleteCustomer

public void deleteCustomer(Customer customer)

Description copied from interface: CustomerService

Delete the customer entity from the persistent store

Specified by:

deleteCustomer in interface CustomerService

Parameters:

customer - the customer entity to remove

readCustomerByUsername

public Customer readCustomerByUsername(String username)

Specified by:

readCustomerByUsername in interface CustomerService

readCustomerByUsername

public Customer readCustomerByUsername(String username,
                                       Boolean cacheable)

Specified by:

readCustomerByUsername in interface CustomerService

readCustomerById

public Customer readCustomerById(Long id)

Specified by:

readCustomerById in interface CustomerService

setCustomerDao

public void setCustomerDao(CustomerDao customerDao)

setPasswordEncoder

public void setPasswordEncoder(Object passwordEncoder)

Set the passwordEncoder to be used by this class.

This method will indirectly set one of the two PasswordEncoder member variables, depending on its type by calling setupPasswordEncoder()

Parameters:

passwordEncoder - Either Spring Security's new PasswordEncoder, or the deprecated PasswordEncoder

getSalt

@Deprecated
public Object getSalt(Customer customer)

Deprecated.

Specified by:

getSalt in interface CustomerService

getSalt

@Deprecated
public Object getSalt(Customer customer,
                                  String unencodedPassword)

Deprecated.

Description copied from interface: CustomerService

Gets the salt object for the current customer. By default this delegates to CustomerService.getSaltSource(). If there is not a SaltSource configured (CustomerService.getSaltSource() returns null) then this also returns null.

Specified by:

getSalt in interface CustomerService

Parameters:

customer - the Customer to get UserDetails from

unencodedPassword - the unencoded password

Returns:

the salt for the current customer

encodePass

@Deprecated
protected String encodePass(String rawPassword,
                                        Object salt)

Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2

Delegates to either the new PasswordEncoder or the deprecated PasswordEncoder.

Parameters:

rawPassword - the unencoded password

salt - the optional salt

Returns:

encodePassword

@Deprecated
public String encodePassword(String rawPassword,
                                         Customer customer)

Deprecated.

Description copied from interface: CustomerService

Encodes the clear text parameter, using the customer as a potential Salt. Does not change the customer properties. This method only encodes the password and returns the encoded result.

The externally salted PasswordEncoder support is being deprecated, following in Spring Security's footsteps, in order to move towards self salting hashing algorithms such as bcrypt. Bcrypt is a superior hashing algorithm that randomly generates a salt per password in order to protect against rainbow table attacks and is an intentionally expensive algorithm to further guard against brute force attempts to crack hashed passwords. Additionally, having the encoding algorithm handle the salt internally reduces code complexity and dependencies such as SaltSource.

Specified by:

encodePassword in interface CustomerService

Parameters:

rawPassword - the unencoded password

customer - the Customer to use for the salt

Returns:

the encoded password

encodePassword

public String encodePassword(String rawPassword)

Description copied from interface: CustomerService

Encodes the clear text parameter, using the salt provided by PasswordEncoder. Does not change the customer properties. This method only encodes the password and returns the encoded result.

This method can only be called once per password. The salt is randomly generated internally in the PasswordEncoder and appended to the hash to provide the resulting encoded password. Once this has been called on a password, going forward all checks for authenticity must be done by CustomerService.isPasswordValid(String, String) as encoding the same password twice will result in different encoded passwords.

Specified by:

encodePassword in interface CustomerService

Parameters:

rawPassword - the unencoded password

Returns:

the encoded password

isPassValid

@Deprecated
protected boolean isPassValid(String rawPassword,
                                          String encodedPassword,
                                          Object salt)

Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2

Delegates to either the new PasswordEncoder or the deprecated PasswordEncoder.

Parameters:

rawPassword - the unencoded password

encodedPassword - the encoded password to compare rawPassword against

salt - the optional salt

Returns:

isPasswordValid

@Deprecated
public boolean isPasswordValid(String rawPassword,
                                           String encodedPassword,
                                           Customer customer)

Deprecated.

Description copied from interface: CustomerService

Use this to determine if passwords match using a Customer for salting. Don't encode the password separately since sometimes salts are generated randomly and stored with the password.

The externally salted PasswordEncoder support is being deprecated, following in Spring Security's footsteps, in order to move towards self salting hashing algorithms such as bcrypt. Bcrypt is a superior hashing algorithm that randomly generates a salt per password in order to protect against rainbow table attacks and is an intentionally expensive algorithm to further guard against brute force attempts to crack hashed passwords. Additionally, having the encoding algorithm handle the salt internally reduces code complexity and dependencies such as SaltSource.

Specified by:

isPasswordValid in interface CustomerService

Parameters:

rawPassword - the unencoded password

encodedPassword - the encoded password to compare against

customer - the Customer to use for the salt

Returns:

true if the unencoded password matches the encoded password, false otherwise

isPasswordValid

public boolean isPasswordValid(String rawPassword,
                               String encodedPassword)

Description copied from interface: CustomerService

Determines if a password is valid by comparing it to the encoded string, salting is handled internally to the PasswordEncoder.

This method must always be called to verify if a password is valid after the original encoded password is generated due to PasswordEncoder randomly generating salts internally and appending them to the resulting hash.

Specified by:

isPasswordValid in interface CustomerService

Parameters:

rawPassword - the unencoded password

encodedPassword - the encoded password to compare against

Returns:

true if the unencoded password matches the encoded password, false otherwise

getSalt

@Deprecated
public String getSalt()

Deprecated.

Specified by:

getSalt in interface CustomerService

Returns:

currently used salt string

setSalt

@Deprecated
public void setSalt(String salt)

Deprecated.

Specified by:

setSalt in interface CustomerService

Parameters:

salt - new salt string to use

getSaltSource

@Deprecated
public org.springframework.security.authentication.dao.SaltSource getSaltSource()

Deprecated.

Description copied from interface: CustomerService

Returns the SaltSource used with the blPasswordEncoder to encrypt the user password. Usually configured in applicationContext-security.xml. This is not a required property and will return null if not configured

Specified by:

getSaltSource in interface CustomerService

Returns:

the currently used SaltSource

setSaltSource

@Deprecated
public void setSaltSource(org.springframework.security.authentication.dao.SaltSource saltSource)

Deprecated.

Description copied from interface: CustomerService

Sets the SaltSource used with blPasswordEncoder to encrypt the user password. Usually configured within applicationContext-security.xml

Specified by:

setSaltSource in interface CustomerService

Parameters:

saltSource - the new SaltSource to use

getPasswordResetHandlers

public List<PasswordUpdatedHandler> getPasswordResetHandlers()

Specified by:

getPasswordResetHandlers in interface CustomerService

setPasswordResetHandlers

public void setPasswordResetHandlers(List<PasswordUpdatedHandler> passwordResetHandlers)

Specified by:

setPasswordResetHandlers in interface CustomerService

getPasswordChangedHandlers

public List<PasswordUpdatedHandler> getPasswordChangedHandlers()

Specified by:

getPasswordChangedHandlers in interface CustomerService

setPasswordChangedHandlers

public void setPasswordChangedHandlers(List<PasswordUpdatedHandler> passwordChangedHandlers)

Specified by:

setPasswordChangedHandlers in interface CustomerService

sendForgotUsernameNotification

@Transactional(value="blTransactionManager")
public GenericResponse sendForgotUsernameNotification(String emailAddress)

Description copied from interface: CustomerService

Looks up the corresponding Customer and emails the address on file with the associated username.

Specified by:

sendForgotUsernameNotification in interface CustomerService

Parameters:

emailAddress - user's email address

Returns:

Response can contain errors including (notFound)

sendForgotPasswordNotification

@Transactional(value="blTransactionManager")
public GenericResponse sendForgotPasswordNotification(String username,
                                                                                                   String resetPasswordUrl)

Description copied from interface: CustomerService

Generates an access token and then emails the user.

Specified by:

sendForgotPasswordNotification in interface CustomerService

Parameters:

username - - the user to send a reset password email to.

resetPasswordUrl - - Base url to include in the email.

Returns:

Response can contain errors including (invalidEmail, invalidUsername, inactiveUser)

checkPasswordResetToken

@Deprecated
public GenericResponse checkPasswordResetToken(String token)

Deprecated.

Description copied from interface: CustomerService

Verifies that the passed in token is valid.

This method can only be used when using the deprecated PasswordEncoder bean, otherwise an exception will be thrown. The new PasswordEncoder bean requires passing in a Customer to find the appropriate token.

Specified by:

checkPasswordResetToken in interface CustomerService

Parameters:

token - password reset token

Returns:

Response can contain errors including (invalidToken, tokenUsed, and tokenExpired)

checkPasswordResetToken

public GenericResponse checkPasswordResetToken(String token,
                                               Customer customer)

Description copied from interface: CustomerService

Verifies that a customer has a valid token.

Specified by:

checkPasswordResetToken in interface CustomerService

Parameters:

token - password reset token

customer - Customer who owns the token

Returns:

Response can contain errors including (invalidToken, tokenUsed, and tokenExpired)

checkPasswordResetToken

protected CustomerForgotPasswordSecurityToken checkPasswordResetToken(String token,
                                                                      Customer customer,
                                                                      GenericResponse response)

resetPasswordUsingToken

@Transactional(value="blTransactionManager")
public GenericResponse resetPasswordUsingToken(String username,
                                                                                            String token,
                                                                                            String password,
                                                                                            String confirmPassword)

Description copied from interface: CustomerService

Updates the password for the passed in customer only if the passed in token is valid for that customer.

Specified by:

resetPasswordUsingToken in interface CustomerService

Parameters:

username - Username of the customer

token - Valid reset token

password - new password

Returns:

Response can contain errors including (invalidUsername, inactiveUser, invalidToken, invalidPassword, tokenExpired)

invalidateAllTokensForCustomer

protected void invalidateAllTokensForCustomer(Customer customer)

checkCustomer

protected void checkCustomer(Customer customer,
                             GenericResponse response)

checkPassword

protected void checkPassword(String password,
                             String confirmPassword,
                             GenericResponse response)

isTokenExpired

protected boolean isTokenExpired(CustomerForgotPasswordSecurityToken fpst)

getTokenExpiredMinutes

public int getTokenExpiredMinutes()

setTokenExpiredMinutes

public void setTokenExpiredMinutes(int tokenExpiredMinutes)

getPasswordTokenLength

public int getPasswordTokenLength()

setPasswordTokenLength

public void setPasswordTokenLength(int passwordTokenLength)

getForgotPasswordEmailInfo

public EmailInfo getForgotPasswordEmailInfo()

setForgotPasswordEmailInfo

public void setForgotPasswordEmailInfo(EmailInfo forgotPasswordEmailInfo)

getForgotUsernameEmailInfo

public EmailInfo getForgotUsernameEmailInfo()

setForgotUsernameEmailInfo

public void setForgotUsernameEmailInfo(EmailInfo forgotUsernameEmailInfo)

getRegistrationEmailInfo

public EmailInfo getRegistrationEmailInfo()

setRegistrationEmailInfo

public void setRegistrationEmailInfo(EmailInfo registrationEmailInfo)

getChangePasswordEmailInfo

public EmailInfo getChangePasswordEmailInfo()

setChangePasswordEmailInfo

public void setChangePasswordEmailInfo(EmailInfo changePasswordEmailInfo)

usingDeprecatedPasswordEncoder

@Deprecated
protected boolean usingDeprecatedPasswordEncoder()

Deprecated.