Class ClientIdFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
com.broadleafcommerce.auth.client.web.filter.ClientIdFilter
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class ClientIdFilter extends org.springframework.web.filter.GenericFilterBean
This filter helps with the 3rd Party OAuth Server functionality, where this app is acting as an OAuth2 Client to a 3rd party OAuth service. This filter checks for a client_id request parameter and sets it as a request attribute, via the ContextHelperService.

This filter works in tandem with the ContextHelperService. There are a few places in the 3rd party OAuth authentication flows where it is very helpful to have the blc client_id available on the RequestContext. For instance:

  • When looking up a ClientRegistration, the DefaultBroadleafClientRegistrationRepository uses the client_id to look up the tenant_id, which is in turn used to filter the database query to find the appropriate OAuthClientRegistrationWrapper. It is necessary to use the RequestContext attribute because the ClientRegistrationRepository.findByRegistrationId(java.lang.String) method does not have access to the request. In order to preserve that interface, we use the RequestContext to hold the client_id. This preserves a lot of the Spring OAuth2 Client library functionality that would otherwise have to be customized if we customized the ClientRegistrationRepository interface.
  • When a user is redirected back to this app after logging in with a 3rd party, that redirect does not contain the client_id parameter needed by the auth service. To address this gap, the BroadleafAuthorizationRequestRepository saves the client_id on the saved request before sending the user to the 3rd party login page. Then, when the user comes back from the 3rd party, BroadleafAuthorizationRequestRepository re-populates the client_id request attribute with the client_id from the saved request. This eventually gets put on a BroadleafOAuthClientAuthenticationDetails, which is used in the DefaultSessionAuthenticationStrategy to create a user and session cookie with the appropriate client id.
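The client_id hand-off described above, as an added sketch that is not Broadleaf's code: a ThreadLocal stands in for the request attribute, and every class, method and sample value (storefront, tenant-a, google, state-123) is hypothetical. It shows the callback taking its client_id from the saved request rather than from callback parameters.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: every type and name here is hypothetical, not Broadleaf's API.
public class ClientIdFlowSketch {
    // Stand-in for the request-scoped attribute the filter populates.
    static final ThreadLocal<String> CLIENT_ID = new ThreadLocal<>();
    // Constructed sample data: client_id -> tenant_id, and saved client_id keyed by OAuth state.
    static final Map<String, String> TENANT_BY_CLIENT = Map.of("storefront", "tenant-a");
    static final Map<String, String> SAVED_CLIENT_BY_STATE = new ConcurrentHashMap<>();

    // Filter step: copy the client_id parameter, if present, into the request context.
    static void filter(Map<String, String> params) {
        CLIENT_ID.remove(); // do not carry a value over from an earlier request on this thread
        Optional.ofNullable(params.get("client_id")).ifPresent(CLIENT_ID::set);
    }

    // Before redirecting to the third party: keep the client_id with the saved request.
    static void saveAuthorizationRequest(String state) {
        SAVED_CLIENT_BY_STATE.put(state, CLIENT_ID.get());
    }

    // On the callback: restore the client_id from the saved request, not from callback parameters.
    static void restoreFromCallback(Map<String, String> params) {
        String state = params.get("state");
        String saved = state == null ? null : SAVED_CLIENT_BY_STATE.remove(state);
        if (saved == null) throw new IllegalStateException("no saved request for state");
        CLIENT_ID.set(saved);
    }

    // Same shape as findByRegistrationId(String): no request argument,
    // so the tenant is resolved from the context value.
    static String findByRegistrationId(String registrationId) {
        String clientId = CLIENT_ID.get();
        String tenant = clientId == null ? null : TENANT_BY_CLIENT.get(clientId);
        if (tenant == null) throw new IllegalStateException("unknown or missing client_id");
        return tenant + "/" + registrationId;
    }

    public static void main(String[] args) {
        filter(Map.of("client_id", "storefront"));            // initial request
        System.out.println(findByRegistrationId("google"));
        saveAuthorizationRequest("state-123");                // before the redirect
        Map<String, String> callback = Map.of("state", "state-123", "code", "abc");
        filter(callback);                                     // callback has no client_id
        restoreFromCallback(callback);
        System.out.println(findByRegistrationId("google"));
    }
}
```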
  • Field Summary

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor         Description
    ClientIdFilter()
  • Method Summary

    Modifier and Type   Method
    void                doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • ClientIdFilter

      public ClientIdFilter()
  • Method Details

    • doFilter

      public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Throws:
      IOException
      javax.servlet.ServletException