Package org.broadleafcommerce.common.security.service

Class StaleStateProtectionServiceImpl

java.lang.Object

org.broadleafcommerce.common.security.service.StaleStateProtectionServiceImpl

All Implemented Interfaces:

StaleStateProtectionService

@Service("blStaleStateProtectionService")
public class StaleStateProtectionServiceImpl
extends Object
implements StaleStateProtectionService

Author:

jfischer

See Also:

• StaleStateProtectionService

Field Summary

Fields

Modifier and Type	Field	Description
protected boolean	staleStateProtectionEnabled
static final String	STATECHANGENOTIFICATIONTOKEN
static final String	STATEVERSIONTOKEN
static final String	STATEVERSIONTOKENPARAMETER

Constructor Summary

Constructors

Constructor	Description
StaleStateProtectionServiceImpl()

Method Summary

Modifier and Type	Method	Description
void	compareToken(String passedToken)	Compare the state version token provided by the request to what is resident in the user session.
String	getStateVersionToken()	Retrieve the state version token resident in the user's session, or create one if it doesn't exist.
String	getStateVersionTokenParameter()	Retrieve the parameter key used to harvest the state version token value from the request
void	invalidateState()	Remove the current state version token in the user's session, if exists.
void	invalidateState(boolean notify)	Remove the current state version token in the user's session, if exists.
boolean	isEnabled()	Whether or not the protection provided by this service is active.
boolean	sendRedirectOnStateChange(jakarta.servlet.http.HttpServletResponse response, String... stateChangeParams)	Utility method to send a redirect for the current url with state change params cleared.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

STATEVERSIONTOKEN

public static final String STATEVERSIONTOKEN

See Also:

• Constant Field Values

STATECHANGENOTIFICATIONTOKEN

public static final String STATECHANGENOTIFICATIONTOKEN

See Also:

• Constant Field Values

STATEVERSIONTOKENPARAMETER

public static final String STATEVERSIONTOKENPARAMETER

See Also:

• Constant Field Values

staleStateProtectionEnabled

@Value("${stale.state.protection.enabled:false}")
protected boolean staleStateProtectionEnabled

Constructor Details

StaleStateProtectionServiceImpl

public StaleStateProtectionServiceImpl()

Method Details

compareToken

public void compareToken(String passedToken)

Description copied from interface: StaleStateProtectionService

Compare the state version token provided by the request to what is resident in the user session. If the tokens are not equal, the determination is made that the request is coming from a stale page and a StaleStateServiceException is emitted.

Specified by:

compareToken in interface StaleStateProtectionService

Parameters:

passedToken - the state version token from the request

getStateVersionToken

public String getStateVersionToken()

Description copied from interface: StaleStateProtectionService

Retrieve the state version token resident in the user's session, or create one if it doesn't exist.

Specified by:

getStateVersionToken in interface StaleStateProtectionService

Returns:

invalidateState

public void invalidateState()

Description copied from interface: StaleStateProtectionService

Remove the current state version token in the user's session, if exists. This usually occurs in response to a key state change.

Specified by:

invalidateState in interface StaleStateProtectionService

invalidateState

public void invalidateState(boolean notify)

Description copied from interface: StaleStateProtectionService

Remove the current state version token in the user's session, if exists. This usually occurs in response to a key state change.

Specified by:

invalidateState in interface StaleStateProtectionService

Parameters:

notify - Whether or not the request should be notified that state was invalidated. See StaleStateProtectionService.sendRedirectOnStateChange(HttpServletResponse, String...).

sendRedirectOnStateChange

public boolean sendRedirectOnStateChange(jakarta.servlet.http.HttpServletResponse response,
 String... stateChangeParams)
                                  throws IOException

Description copied from interface: StaleStateProtectionService

Utility method to send a redirect for the current url with state change params cleared. State change params are request url parameters that drive primary context change. For example, url parameters for sandbox, catalog and profile changes are considered state change params. When such a param is utilized, the state token is reset to represent the fundamental context change and is stored in session. However, it is now desirable to redirect the user to the target url without the state change params to avoid a subsequent check.

Specified by:

sendRedirectOnStateChange in interface StaleStateProtectionService

Parameters:

response - the current http response

stateChangeParams - any request parameter names being used by the system to drive state change

Returns:

whether or not a redirect was sent based on detection of an earlier call to StaleStateProtectionService.invalidateState()

Throws:

IOException

isEnabled

public boolean isEnabled()

Description copied from interface: StaleStateProtectionService

Whether or not the protection provided by this service is active.

Specified by:

isEnabled in interface StaleStateProtectionService

Returns:

getStateVersionTokenParameter

public String getStateVersionTokenParameter()

Description copied from interface: StaleStateProtectionService

Retrieve the parameter key used to harvest the state version token value from the request

Specified by:

getStateVersionTokenParameter in interface StaleStateProtectionService

Returns: