Package org.broadleafcommerce.common.security.service

Class ExploitProtectionServiceImpl

java.lang.Object

org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl

All Implemented Interfaces:

ExploitProtectionService

@Service("blExploitProtectionService")
public class ExploitProtectionServiceImpl
extends Object
implements ExploitProtectionService

Author:

jfischer

Field Summary

Fields

Modifier and Type	Field	Description
protected boolean	xsrfProtectionEnabled
protected boolean	xssProtectionEnabled

Constructor Summary

Constructors

Constructor	Description
ExploitProtectionServiceImpl()

Method Summary

Modifier and Type	Method	Description
String	cleanString(String string)	Detect and remove possible XSS threats from the passed in string.
String	cleanStringWithResults(String string)	Detect and remove possible XSS threats from the passed in string.
void	compareToken(String passedToken)	Detect possible XSRF attacks by comparing the csrf token included in the request against the true token for this user from the session.
String	getCSRFToken()
String	getCsrfTokenParameter()
String	htmlDecode(String value)
void	setXssProtectionEnabled(boolean xssProtectionEnabled)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

xsrfProtectionEnabled

@Value("${exploitProtection.xsrfEnabled:true}")
protected boolean xsrfProtectionEnabled

xssProtectionEnabled

@Value("${exploitProtection.xssEnabled:true}")
protected boolean xssProtectionEnabled

Constructor Details

ExploitProtectionServiceImpl

public ExploitProtectionServiceImpl()

Method Details

cleanString

public String cleanString(String string)
                   throws ServiceException

Description copied from interface: ExploitProtectionService

Detect and remove possible XSS threats from the passed in string. This includes <script> tags, and the like.

Specified by:

cleanString in interface ExploitProtectionService

Parameters:

string - The possibly dirty string

Returns:

The cleansed version of the string

Throws:

ServiceException

cleanStringWithResults

public String cleanStringWithResults(String string)
                              throws ServiceException

Description copied from interface: ExploitProtectionService

Detect and remove possible XSS threats from the passed in string. This includes <script> tags, and the like. If an html, validation, or security problem is detected, an exception is thrown. This method also emits well formed xml, which is important if using Thymeleaf to display the results.

Specified by:

cleanStringWithResults in interface ExploitProtectionService

Parameters:

string - The possibly dirty string

Returns:

The cleansed version of the string

Throws:

ServiceException

compareToken

public void compareToken(String passedToken)
                  throws ServiceException

Description copied from interface: ExploitProtectionService

Detect possible XSRF attacks by comparing the csrf token included in the request against the true token for this user from the session. If they are different, then the exception is thrown.

Specified by:

compareToken in interface ExploitProtectionService

Parameters:

passedToken - The csrf token that was passed in the request

Throws:

ServiceException

getCSRFToken

public String getCSRFToken()
                    throws ServiceException

Specified by:

getCSRFToken in interface ExploitProtectionService

Throws:

ServiceException

getCsrfTokenParameter

public String getCsrfTokenParameter()

Specified by:

getCsrfTokenParameter in interface ExploitProtectionService

htmlDecode

public String htmlDecode(String value)

Specified by:

htmlDecode in interface ExploitProtectionService

setXssProtectionEnabled

public void setXssProtectionEnabled(boolean xssProtectionEnabled)