Release Notes / Version 12.2404
Reworked CAE security configuration API
Reworked CAE security configuration API. Turned com.coremedia.cae.security.CaeHttpSecurityConfigurer into an abstract class and removed the former caeHttpSecurityConfigurer bean of type com.coremedia.cae.security.CaeHttpSecurityConfigurer. The aspects formerly configured by that bean are now configured along with the securityFilterChain bean.
(CMS-24585)
Remove RequestRejectedExceptionFilter
The com.coremedia.blueprint.cae.filter.RequestRejectedExceptionFilter has been removed. It was a workaround for the issue "RequestRejectedException should be 400 by default" (#7568), which has been fixed with Spring 6.
(CMS-24219)
Remove Commerce Context Interceptors
Class com.coremedia.blueprint.livecontext.ecommerce.filter.CommerceConnectionFilter now incorporates the concerns that were previously scattered amongst the commerce context interceptors. It resolves the requested site, performs a commerce connection lookup and then initializes the commerce contexts. The filter uses site lookup functions with signature Function<ServletRequest, Optional<Site>> to resolve the requested site and provides the interface com.coremedia.blueprint.livecontext.ecommerce.filter.CommerceContextsInitializer for initialization or post processing of commerce contexts. The former commerce context interceptor code concerned with initialization of store context and user context has been moved to com.coremedia.livecontext.handler.FragmentCommerceContextsInitializer.
The following classes have been removed:
com.coremedia.blueprint.ecommerce.cae.config.ECommerceCaeConfiguration
com.coremedia.blueprint.ecommerce.cae.AbstractCommerceContextInterceptor
com.coremedia.blueprint.ecommerce.cae.WebCommerceContextInterceptor
com.coremedia.livecontext.config.LcCaeInterceptorsConfiguration
com.coremedia.livecontext.handler.FragmentCommerceContextInterceptor
com.coremedia.livecontext.handler.RestCommerceContextInterceptor
com.coremedia.livecontext.p13n.handler.FragmentCommerceP13nContextInterceptor
com.coremedia.livecontext.preview.config.LcPreviewCaeInterceptorsConfiguration
com.coremedia.livecontext.preview.PreferredSitePreviewCommerceContextInterceptor
com.coremedia.livecontext.preview.PreviewCommerceContextInterceptor
The module ec-cae-lib was removed from the blueprint workspace.
(CMS-24213)
Transformed Blob Cache Requires Writeable Base Directory
The bean transformedBlobCache of type com.coremedia.transform.impl.TransformedBlobCache now validates the configured base path (configuration option com.coremedia.transform.blobCache.basePath) and throws an exception if it finds that the base path is not a writeable directory in which it can cache and rotate temporary files holding the transformed blob data.
(CMS-24132)
Configured Content Security Policy for Live CAE
CAE HTTP security now supports configuration of the Content-Security-Policy response header via cae.http-headers.csp.directives. It has been set to a same-origin-only policy as recommended by the OWASP CSP cheat sheet. The Spring dev profile configures report-only mode for Live CAE and disables CSP for the Preview CAE.
See section “Configured Content Security Policy for Live CAE” for upgrade information.
(CMS-23644)
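To confirm after an upgrade which of the three behaviours described above a deployment actually ships (enforced policy, report-only, or no CSP), the following added example classifies a response's CSP header and lists every source expression other than 'self' or 'none'. It is not CoreMedia code; the class name CspHeaderCheck and the sample header values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class CspHeaderCheck {
  // Directives whose values are not source expressions and are skipped by the check.
  private static final Set<String> NON_SOURCE = Set.of(
      "report-uri", "report-to", "sandbox", "require-trusted-types-for", "trusted-types");

  /** Lists "directive source" pairs whose source is anything other than 'self' or 'none'. */
  static List<String> nonSameOriginSources(String policy) {
    List<String> findings = new ArrayList<>();
    for (String directive : policy.split(";")) {
      String[] tokens = directive.trim().split("\\s+");
      String name = tokens[0].toLowerCase(Locale.ROOT);
      if (name.isEmpty() || NON_SOURCE.contains(name)) continue;
      for (int i = 1; i < tokens.length; i++) {
        String source = tokens[i].toLowerCase(Locale.ROOT);
        if (!source.equals("'self'") && !source.equals("'none'")) findings.add(name + " " + tokens[i]);
      }
    }
    return findings;
  }

  /** Reports whether a response enforces CSP, only reports violations, or sends no policy. */
  static String describe(Map<String, String> headers) {
    for (String wanted : List.of("Content-Security-Policy", "Content-Security-Policy-Report-Only")) {
      for (Map.Entry<String, String> header : headers.entrySet()) {
        if (header.getKey().equalsIgnoreCase(wanted)) { // header names are case-insensitive
          String mode = wanted.endsWith("Report-Only") ? "report-only" : "enforced";
          return mode + ", sources beyond same-origin: " + nonSameOriginSources(header.getValue());
        }
      }
    }
    return "no CSP header";
  }

  public static void main(String[] args) {
    // Constructed sample responses; the policy strings are illustrative, not CoreMedia's shipped values.
    Map<String, String> live = Map.of("Content-Security-Policy",
        "default-src 'self'; frame-ancestors 'self'; form-action 'self'");
    Map<String, String> liveDev = Map.of("content-security-policy-report-only",
        "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'");
    Map<String, String> previewDev = Map.of("Content-Type", "text/html");
    System.out.println("Live CAE:          " + describe(live));
    System.out.println("Live CAE (dev):    " + describe(liveDev));
    System.out.println("Preview CAE (dev): " + describe(previewDev));
  }
}
```

A report-only result on a production host means the policy is not blocking anything, which is the state to look for if a dev profile setting leaks into a live deployment.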
Changed Site Resolution of Requests
SiteFilter now matches request paths against configurable patterns to derive the requested site. This is much more efficient than the previous strategy, which simply checked whether any path segment matched one of the segments of the known site root navigations. The new strategy takes a list of patterns to check whether the current request URI path contains a site segment, then checks whether the first path segment after the dispatcher servlet segment is a site segment, excluding a list of known prefixes. The list of path patterns that contain a site segment is configured via cae.site.patterns and the list of known non-site path prefixes is configured via cae.site.ignore-prefix-patterns. The former SiteFilter behavior can be restored by setting both properties to empty values. Configure cae.site.collect-non-matching-paths=true to collect non-matching paths to support debugging your SiteFilter config. This setting is enabled in the dev profile for your convenience.
(CMS-23583)