Class ClientIdFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
com.broadleafcommerce.auth.client.web.filter.ClientIdFilter
- All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class ClientIdFilter
extends org.springframework.web.filter.GenericFilterBean
This filter helps with the 3rd Party OAuth Server functionality, where this app is acting as an
OAuth2 Client to a 3rd party OAuth service.

This filter checks for a client_id request parameter and sets it as a request attribute, via the
ContextHelperService.

This filter works in tandem with the ContextHelperService. There are a few places in the
3rd party OAuth authentication flows where it is very helpful to have the blc client_id available
on the RequestContext.

For instance:

- When looking up a ClientRegistration, the DefaultBroadleafClientRegistrationRepository uses the
  client_id to look up the tenant_id, which is in turn used to filter the database query to find the
  appropriate OAuthClientRegistrationWrapper. It is necessary to use the RequestContext attribute
  because the ClientRegistrationRepository.findByRegistrationId(java.lang.String) method
  does not have access to the request. In order to preserve that interface, we use the
  RequestContext to hold the client_id. This preserves a lot of the Spring OAuth2 Client library
  functionality that would otherwise have to be customized if we customized the
  ClientRegistrationRepository interface.
- When a user is redirected back to this app after logging in with a 3rd party, that redirect does
  not contain the client_id parameter needed by the auth service. To address this gap, the
  BroadleafAuthorizationRequestRepository saves the client_id on the saved request before
  sending the user to the 3rd party login page. Then, when the user comes back from the 3rd party,
  BroadleafAuthorizationRequestRepository re-populates the client_id request attribute with
  the client_id from the saved request. This eventually gets put on a
  BroadleafOAuthClientAuthenticationDetails, which is used in the
  DefaultSessionAuthenticationStrategy to create a user and session cookie with the
  appropriate client id.
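
The hand-off described above, as an added example that is not Broadleaf's own code: a filter stores a well-formed client_id as a request attribute, and a ClientRegistrationRepository reads it back through Spring's RequestContextHolder because findByRegistrationId receives no request. The attribute name, the client_id pattern and the TenantScopedLookup interface are hypothetical; plain request attributes stand in for ContextHelperService, and RequestContextHolder is assumed to be bound for the current request.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/** Illustrative only: copies a well-formed client_id parameter onto the request. */
class ExampleClientIdFilter extends GenericFilterBean {
    static final String ATTR = "example.client_id"; // hypothetical attribute name
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,64}"); // assumed id format

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String[] values = request.getParameterValues("client_id");
        // client_id is caller-supplied: ignore repeated or malformed values
        // rather than letting them drive the tenant lookup.
        if (values != null && values.length == 1 && SAFE.matcher(values[0]).matches()) {
            request.setAttribute(ATTR, values[0]);
        }
        chain.doFilter(request, response);
    }
}

/** Illustrative only: reads the attribute back where no request object is passed in. */
class ExampleTenantScopedRepository implements ClientRegistrationRepository {
    /** Hypothetical stand-in for the client_id -> tenant_id -> registration query. */
    interface TenantScopedLookup { ClientRegistration find(String clientId, String registrationId); }
    private final TenantScopedLookup lookup;
    ExampleTenantScopedRepository(TenantScopedLookup lookup) { this.lookup = lookup; }

    @Override
    public ClientRegistration findByRegistrationId(String registrationId) {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        Object clientId = attrs == null ? null
                : attrs.getAttribute(ExampleClientIdFilter.ATTR, RequestAttributes.SCOPE_REQUEST);
        // No client_id means no tenant scope: return null instead of querying unscoped.
        return clientId instanceof String ? lookup.find((String) clientId, registrationId) : null;
    }
}
```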
Field Summary
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
-
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) | |

Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
ClientIdFilter
public ClientIdFilter()
-
-
Method Details
-
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
-