enabled csrf

phasenraum2010 · phasenraum2010 · commit a8a1c486cd41 · 2015-12-13T08:58:15.000+01:00
diff --git a/src/main/resources/security-context.xml b/src/main/resources/security-context.xml
@@ -27,7 +27,7 @@
 				   disable-url-rewriting="false"
 				   auto-config="false">
 		<security:headers disabled="true"/>
-		<security:csrf disabled="true"/>
+		<security:csrf disabled="false"/>
 		<security:intercept-url pattern="/admin/login*" access="permitAll"/>
 		<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
 		<security:form-login
@@ -49,7 +49,7 @@
 				   disable-url-rewriting="false"
 				   auto-config="false">
 		<security:headers disabled="true"/>
-		<security:csrf disabled="true"/>
+		<security:csrf disabled="false"/>
     	<security:intercept-url pattern="/" access="permitAll"/>
     	<security:intercept-url pattern="/product/**" access="permitAll"/>
     	<security:intercept-url pattern="/manufacturer/**" access="permitAll"/>
@@ -70,7 +70,8 @@
 			login-processing-url="/j_spring_security_check"/>
     	<security:logout
 				logout-url="/j_spring_security_logout"
-				invalidate-session="true" delete-cookies="JSESSIONID" />
+				invalidate-session="true"
+				delete-cookies="JSESSIONID" />
 		<security:custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilterCustomer" />
   	</security:http>
 
diff --git a/src/main/webapp/WEB-INF/jsp/admin/login.jsp b/src/main/webapp/WEB-INF/jsp/admin/login.jsp
@@ -16,6 +16,9 @@
             </table>
             <c:url var="loginUrl" value="/admin/j_spring_security_check" />
             <form action="${loginUrl}" method="post">
+                <input type="hidden"
+                       name="${_csrf.parameterName}"
+                       value="${_csrf.token}"/>
                 <table border="0" width="100%" cellspacing="0" cellpadding="2">
                     <tr>
                         <td class="infoBoxContent">Username:<br /><input type="text" name="j_username" /></td>
diff --git a/src/main/webapp/WEB-INF/jsp/admin/page.jsp b/src/main/webapp/WEB-INF/jsp/admin/page.jsp
@@ -42,7 +42,14 @@
         <td class="headerBarContent" align="right">&nbsp;&nbsp;</td>
         </sec:authorize>
         <sec:authorize access="hasRole('ROLE_ADMIN')">
-        <td class="headerBarContent" align="right">Logged in as: admin (<a href='<c:url value="/admin/j_spring_security_logout"/>' class="headerLink">Logoff</a>)&nbsp;&nbsp;</td>
+        <td class="headerBarContent" align="right">Logged in as: admin (
+            <c:url var="logoutUrl" value="/admin/j_spring_security_logout"/>
+            <form action="${logoutUrl}" method="post">
+                <input type="hidden"
+                       name="${_csrf.parameterName}"
+                       value="${_csrf.token}"/>
+                <input class="headerLink" type="submit" value="Logoff"/>
+            </form>)&nbsp;&nbsp;</td>
         </sec:authorize>
     </tr>
 </table>
diff --git a/src/main/webapp/WEB-INF/jsp/login.jsp b/src/main/webapp/WEB-INF/jsp/login.jsp
@@ -28,7 +28,9 @@
 			<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>
 		</span>
 	</c:if>
-    
+      <input type="hidden"
+             name="${_csrf.parameterName}"
+             value="${_csrf.token}"/>
     <table border="0" cellspacing="0" cellpadding="2" width="100%">
       <tr>
         <td class="fieldKey">E-Mail Address:</td>
diff --git a/src/main/webapp/WEB-INF/layout/header.jsp b/src/main/webapp/WEB-INF/layout/header.jsp
@@ -17,7 +17,13 @@
         <script type="text/javascript">$("#tdb3").button({icons:{primary:"ui-icon-person"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script>
         <sec:authorize access="fullyAuthenticated">
             <span class="tdbLink">
-                <a id="tdb4" href='<c:url value="/j_spring_security_logout"/>'>Log Off</a>
+                <c:url var="logoutUrl" value="/j_spring_security_logout"/>
+                <form action="${logoutUrl}" method="post">
+                    <input type="hidden"
+                           name="${_csrf.parameterName}"
+                           value="${_csrf.token}"/>
+                    <input id="tdb4" type="submit" value="Log Off"/>
+                </form>
             </span>
             <script type="text/javascript">$("#tdb4").button().addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script>
         </sec:authorize>
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
@@ -45,13 +45,11 @@
 	  <url-pattern>/*</url-pattern>
 	</filter-mapping>
 
-	<!--
 	<listener>
     	<listener-class>
       		org.springframework.security.web.session.HttpSessionEventPublisher
     	</listener-class>
   	</listener>
--->
 
 	<!-- Processes application requests -->
 	<servlet>
