Cybersource Payment Module Documentation

Cybersource Secure Acceptance SOP Quick Start

Broadleaf Commerce offers an out-of-the-box Cybersource Secure Acceptance SOP solution that requires little configuration and is easily set up.

** You must have completed the Cybersource Secure Acceptance SOP Environment Setup before continuing **

Adding Cybersource Secure Acceptance SOP Checkout Support

  1. In your applicationContext-servlet.xml, add the component scan
    <context:component-scan base-package="com.broadleafcommerce.vendor.cybersource"/>
  1. In your core applicationContext.xml, replace the block of text
    <!-- Scan DemoSite Sample Payment Gateway Implementation -->
    <!-- /End DemoSite NullPaymentGateway Config -->


    <!-- Cybersource Secure Acceptance SOP -->
    <context:component-scan base-package="com.broadleafcommerce.payment.service.gateway"/>
    <context:component-scan base-package="com.broadleafcommerce.vendor.cybersource"/>
    <bean class="com.broadleafcommerce.vendor.cybersource.service.payment.CybersourcePaymentGatewayType"/>
    <bean class="org.broadleafcommerce.common.util.SpringAppContext"/>

    <!-- Add Sample Thymeleaf Processor to test Hosted Payment Gateway (e.g. PayPal Express Flow) -->
    <bean id="mySampleConfigurationServices" class="org.springframework.beans.factory.config.ListFactoryBean">
        <property name="sourceList">
               <ref bean="blCybersourcePaymentConfigurationService"/>
    <bean class="org.broadleafcommerce.common.extensibility.context.merge.LateStageMergeBeanPostProcessor">
        <property name="collectionRef" value="mySampleConfigurationServices"/>
        <property name="targetRef" value="blPaymentGatewayConfigurationServices"/>
  1. Exclude the cybersource URL from the CSRF token filter in your applicationContext-security.xml
    <bean id="blCsrfFilter" class="" >
        <property name="excludedRequestPatterns">


At this point, all the configuration should be complete and you are now ready to test your integration with CyberSource Secure Acceptance SOP. Add something to your cart and proceed with checkout.

Advanced Configuration: Creating and Updating Payment Tokens for Credit Cards and eChecks

This module also allows you to CREATE and UPDATE payment tokens utilizing the Transparent Redirect pattern provided by the CyberSource Secure Acceptance tokenization API's.

For example, you may wish to allows customers the ability to save payment methods in their account using Broadleaf's CustomerPayment entity.
To do that, all you need to do is create a page that utilizes the Transparent Redirect Credit Card Processor with the parameter config-create_payment_token="CREDIT_CARD".

    <blc:transparent_credit_card_form paymentRequestDTO="${customerPaymentDto}"

        <div class="form-group">
            <label>Card Holders Name</label>
            <input th:name="${#paymentGatewayField.mapName('creditCard.creditCardHolderName')}"
                   placeholder="Bill Broadleaf"
                   value="Bill Broadleaf"/>



Note: If you need to create a payment token for an eCheck, your parameter would be: config-create_payment_token="ELECTRONIC_CHECK".
Similarly, if you need to create a form to UPDATE a Credit Card, your parameter would be: config-update_payment_token="CREDIT_CARD"

Note: The default implementation assumes that the billing information is already on the payment dto passed into the processor. The only fields
that are unsigned are the Credit Card information. You can change this by overriding the blCybersourcePaymentTransparentRedirectService and change the
getUnsignedCardFields() to return the comma separated list of unsigned fields necessary for your implementation.

The Thymeleaf processor will create the necessary Transparent Redirect form with the hidden fields needed to create the token.
If the call to CyberSource was successful, it will redirect to the configured gateway.cybersource.secureAcceptance.paymentToken.create.returnUrl
which you will then need to provide an endpoint for to capture the response and process the results according to your business requirements.

For example, you may wish to create a controller that captures the response back from CyberSource in order to save the the token on a CustomerPayment for the currently
logged in customer. It may look something like this:

public class MyCustomerPaymentController {

    @Resource(name = "blCybersourcePaymentWebResponseService")
    protected PaymentGatewayWebResponseService webResponseService;

    @Resource(name = “blCustomerPaymentService”)
    protected CustomerPaymentService customerPaymentService;

    @RequestMapping(value = “/add-customer-payment")
    public String addCustomerPayment(Model model, HttpServletRequest request, RedirectAttributes redirectAttributes, Map<String, String> pathVars) throws PaymentException {
        PaymentResponseDTO responseDTO = webResponseService.translateWebResponse(request);

        if (!responseDTO.isValid || !responseDTO.isSuccess) {
                return getCustomerPaymentsDeclinedRedirect();

        Map<String,String> responseMap = responseDTO.getResponseMap();
        CustomerPayment payment = customerPaymentService.create();
        // parse responseMap according to how you want to construct the Customer Payment object;

        redirectAttributes.addFlashAttribute(successMessage, mySuccessMessage);
        return getCustomerPaymentsRedirect();