Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.Visit new site

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.

Spring Security Filters

Spring Security Filters

Spring Security uses request filters to perform various security tasks. Request filters are XML elements in the Spring Security security.xml file, which is located in <Web App Source>/WEB-INF/conf/spring/security. Filters use the <intercept-url> element to define how Elastic Path Commerce handles certain URL patterns. For example:

<intercept-url pattern="/commerce-legacy/update-password.ep*" access="ROLE_CUSTOMER" requires-channel="https" />

In the filter above, anything matching URL pattern "/commerce-legacy/update-password.ep*" is directed to an HTTPS channel and requires the user to be logged in as "ROLE_CUSTOMER". Validation of the customer's role is performed by the authentication-manager in the security.xml. See Spring Security Authentication Manager for information on the authentication-manager. For more information on Spring Security, see http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html

Elastic Path Commerce uses the following pre-configured filters in the Store Front's Spring Security security.xml file:

            storefront/ep-storefront/src/main/resources/spring/security/security.xml
	
  <http>
    <intercept-url pattern="/commerce-legacy/*-account.ep*" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/manage-account.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/edit-account.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/create-address.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/*-address.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/*-credit-card*.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/order-details.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/checkout.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/check-out.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/delivery-options.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/billing-and-review.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/receipt.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/update-password.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/*password*.ep*" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/update-email.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/address-preference.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/print-receipt.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/sec-asset.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />

    <intercept-url pattern="/commerce-legacy/*sign-in.ep*" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/*signin.ep*" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/payer-authentication-return.ep*" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/search-gift-certificate.ep" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/check-gift-cert-balance.ep" requires-channel="${ep.sf.secure.channel}" />
    <intercept-url pattern="/commerce-legacy/j_acegi_security_check.ep" requires-channel="${ep.sf.secure.channel}" />

    <intercept-url pattern="/commerce-legacy/*.ep" requires-channel="http"  />
    <intercept-url pattern="/commerce-legacy/*.ep\?*" requires-channel="http" />
    <intercept-url pattern="/commerce-legacy/*.html" requires-channel="http" />
    <intercept-url pattern="/commerce-legacy/*.html\?*" requires-channel="http" />

Elastic Path Commerce uses the following pre-configured filters in the Commerce Manager Client's Spring Security security.xml file:

<intercept-url pattern="/commerce-legacy/assetImageController.remote*" access="ROLE_ANONYMOUS" requires-channel="${ep.cm.secure.channel}" />
<intercept-url pattern="/commerce-legacy/*remote" access="ROLE_SUPERUSER,ROLE_CMUSER" requires-channel="${ep.cm.secure.channel}" />
<intercept-url pattern="/commerce-legacy/*" requires-channel="${ep.cm.secure.channel}" />