Skip to content

GitLab

Genesys Backend
Genesys Backend
Commit fd0b5516 authored by Nick Martynenko's avatar Nick Martynenko Committed by Matija Obreza
Browse files
Options

CSRF

parent 77a3b7c6
Hide whitespace changes
Inline Side-by-side
Showing with 123 additions and 17 deletions
pom.xml
View file @ fd0b5516
......@@ -55,8 +55,8 @@
<log4j.version>1.2.17</log4j.version>
<aspectj.version>1.7.2</aspectj.version>
<spring.framework.version>3.2.5.RELEASE</spring.framework.version>
<spring.security.version>3.1.4.RELEASE</spring.security.version>
<spring.framework.version>3.2.7.RELEASE</spring.framework.version>
<spring.security.version>3.2.1.RELEASE</spring.security.version>
<spring.security.oauth2.version>1.0.5.RELEASE</spring.security.oauth2.version>
<spring.data.core.version>1.5.1.RELEASE</spring.data.core.version>
<spring.data.jpa.version>1.3.5.RELEASE</spring.data.jpa.version>
......@@ -100,11 +100,19 @@
<name>Releases</name>
<url>https://oss.sonatype.org/content/repositories/releases</url>
</repository>
<!-- <repository> <id>sonatype mirror</id> <url>http://search.maven.org/remotecontent?filepath=</url>
</repository> -->
<repository>
<id>sonatype mirror</id>
<url>http://search.maven.org/remotecontent?filepath=</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>sonatype mirror</id>
<url>http://search.maven.org/remotecontent?filepath=</url>
</pluginRepository>
</pluginRepositories>
<dependencies>
<!--Test dependencies -->
<dependency>
......@@ -248,12 +256,6 @@
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
......
src/main/resources/spring/spring-security-oauth.xml
View file @ fd0b5516
......@@ -18,7 +18,7 @@
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
......
src/main/resources/spring/spring-security.xml
View file @ fd0b5516
......@@ -18,7 +18,7 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
......@@ -60,6 +60,9 @@
<sec:access-denied-handler error-page="/access-denied" />
<sec:expression-handler ref="webExpressionHandler"/>
<!--enable CSRF protection-->
<sec:csrf />
</sec:http>
</beans>
src/main/webapp/WEB-INF/decorator/entry.jsp
View file @ fd0b5516
......@@ -10,6 +10,11 @@
<meta name="description" content="" />
<meta name="author" content="" />
<!-- CSRF protection-->
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<title><sitemesh:write property="title" /></title>
<!-- Custom styles for this template -->
......
src/main/webapp/WEB-INF/decorator/footer.jsp
View file @ fd0b5516
......@@ -90,4 +90,13 @@
$('#nav-main').hide('slow');
});
//CSRF protection
$(function () {
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});
</script>
src/main/webapp/WEB-INF/decorator/header.jsp
View file @ fd0b5516
......@@ -40,6 +40,8 @@
<span class="or">-</span>
<a href="<c:url value="/google/login" />" class="btn btn-default google-signin"><spring:message code="login.with-google-plus"/></a>
<a href="<c:url value="/registration" />" class="btn btn-default"><spring:message code="login.register-now"/></a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</li>
</ul>
......@@ -118,6 +120,9 @@
<span class="or">-</span>
<a href="<c:url value="/google/login" />" class="btn btn-default google-signin"><spring:message code="login.with-google-plus"/></a>
<a href="<c:url value="/registration" />" class="btn btn-default"><spring:message code="login.register-now"/></a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</li>
</ul>
......
src/main/webapp/WEB-INF/decorator/main.jsp
View file @ fd0b5516
......@@ -9,9 +9,15 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="description" content="" />
<meta name="author" content="" />
<!--
<link rel="shortcut icon" href="../../docs-assets/ico/favicon.png" />
-->
<!-- CSRF protection-->
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<!--
<link rel="shortcut icon" href="../../docs-assets/ico/favicon.png" />
-->
<title><sitemesh:write property="title" /></title>
......
src/main/webapp/WEB-INF/jsp/admin/index.jsp
View file @ fd0b5516
......@@ -15,12 +15,18 @@
<h3>Country data</h3>
<form method="post" action="<c:url value="/admin/refreshCountries" />">
<input type="submit" class="btn btn-default" value="Refresh country data" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateAlternateNames" />">
<input type="submit" class="btn btn-default" value="Update alternate GEO names" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateITPGRFA" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Update country ITPGRFA status" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
......@@ -28,43 +34,63 @@
<h3>WIEWS</h3>
<form method="post" action="<c:url value="/admin/refreshWiews" />">
<input type="submit" class="btn btn-default" value="Refresh WIEWS data" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Svalbard Global Seed Vault</h3>
<form method="post" action="<c:url value="/admin/updateSGSV" />">
<input type="submit" class="btn btn-default" value="Update SGSV" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/importSGSV" />">
<input type="submit" class="btn btn-default" value="Import SGSV" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Accession</h3>
<form method="post" action="<c:url value="/admin/updateAccessionCountryRefs" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Update accession country info" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateInstituteCountryRefs" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Update WIEWS country info" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateAccessionInstituteRefs" />">
<input type="submit" class="btn btn-default" value="Update accession institute info" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/convertNames" />">
<input type="submit" class="btn btn-default" value="Convert old names to aliases" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>C&E</h3>
<form method="post" action="<c:url value="/admin/refreshMetadataMethods" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Recalculate metadata methods" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Content</h3>
<form method="post" action="<c:url value="/admin/sanitize" />">
<input type="submit" class="btn btn-default" value="Sanitize HTML content" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Full-text Search</h3>
<form method="post" action="<c:url value="/admin/reindexEverything" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Reindex search indexes" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/reindexEntity" />">
......@@ -76,6 +102,8 @@
<option value="org.genesys2.server.model.impl.Organization">Organizations</option>
<option value="org.genesys2.server.model.genesys.Accession">Accessions</option>
</select> <input type="submit" class="btn btn-default" value="Reindex search indexes" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
......
src/main/webapp/WEB-INF/jsp/admin/oauth/client/edit.jsp
View file @ fd0b5516
......@@ -24,6 +24,8 @@
<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
<a href="<c:url value="/geo/${country.code3.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/content/activitypost-edit.jsp
View file @ fd0b5516
......@@ -37,7 +37,9 @@
<a class="btn btn-default" href="<c:url value="/content/activitypost/${activityPost.id}/delete" />"><spring:message code="delete" /></a>
</c:if>
<a class="btn btn-default" href="<c:url value="/" />"><spring:message code="cancel" /></a>
</form>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
<script type="text/javascript" src="/html/js/tinymce/tinymce.min.js"></script>
......
src/main/webapp/WEB-INF/jsp/content/article-edit.jsp
View file @ fd0b5516
......@@ -36,6 +36,8 @@
<input type="submit" value="<spring:message code="save"/>" class="btn btn-primary" />
<a href="<c:url value="${article.id ne null ? '/content/'.concat(article.slug) : '/' }" />" class="btn btn-default">Cancel</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/country/edit.jsp
View file @ fd0b5516
......@@ -25,6 +25,8 @@
<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
<a href="<c:url value="/geo/${country.code3.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/filter/cropdescriptors.jsp
View file @ fd0b5516
......@@ -36,6 +36,8 @@
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
......
src/main/webapp/WEB-INF/jsp/filter/filter.jsp
View file @ fd0b5516
......@@ -77,6 +77,8 @@
<button type="submit" name="doPick" class="btn btn-green pull-left">Change filters</button>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
......
src/main/webapp/WEB-INF/jsp/filter/pick.jsp
View file @ fd0b5516
......@@ -67,6 +67,8 @@
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/index.jsp
View file @ fd0b5516
......@@ -16,6 +16,8 @@
<sec:authorize access="hasRole('ADMINISTRATOR')">
<form method="post" action="<c:url value="/c/rebuild" />">
<input type="submit" class="btn form-control" value="Rebuild" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</sec:authorize>
<div class="dropdown">
......
src/main/webapp/WEB-INF/jsp/login.jsp
View file @ fd0b5516
......@@ -46,6 +46,8 @@
<a href="forgot-password" id="forgot-password" class="btn"><spring:message code="login.forgot-password"/></a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/oauth/confirm.jsp
View file @ fd0b5516
......@@ -26,11 +26,15 @@
<div class="col-sm-2">
<form action="<c:url value="/oauth/authorize" />" method="post">
<input name="user_oauth_approval" value="true" type="hidden" /> <label><input class="btn btn-primary" name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit" /></label>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
<div class="col-sm-2">
<form action="<c:url value="/oauth/authorize" />" method="post">
<input name="user_oauth_approval" value="false" type="hidden" /> <label><input class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit" /></label>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
</div>
......
src/main/webapp/WEB-INF/jsp/oauth/createclient.jsp
View file @ fd0b5516
......@@ -36,6 +36,8 @@
</a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/organization/edit.jsp
View file @ fd0b5516
......@@ -39,6 +39,8 @@
<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
<a href="<c:url value="/org/${organization.slug}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/registration.jsp
View file @ fd0b5516
......@@ -66,6 +66,8 @@
</a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/request/index.jsp
View file @ fd0b5516
......@@ -61,6 +61,8 @@
<div class="form-actions">
<input class="btn btn-primary" type="submit" value="<spring:message code="request.start-request" />" />
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</c:if>
......
src/main/webapp/WEB-INF/jsp/request/personal.jsp
View file @ fd0b5516
......@@ -29,6 +29,8 @@
<div class="form-actions">
<input class="btn btn-primary" type="submit" value="<spring:message code="request.start-request" />" />
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
......
src/main/webapp/WEB-INF/jsp/selection/index.jsp
View file @ fd0b5516
......@@ -64,6 +64,8 @@
<a href="<c:url value="/sel/clear" />"><button class="btn" type="button">Clear list</button></a>
<a href="<c:url value="/sel/map" />"><button class="btn" type="button">Display on map</button></a>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</c:if>
......@@ -81,6 +83,8 @@
<div class="form-actions clearfix">
<input type="submit" class="btn" value="<spring:message code="selection.add-many" />" />
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</c:if>
</body>
......
src/main/webapp/WEB-INF/jsp/team/edit.jsp
View file @ fd0b5516
......@@ -26,6 +26,8 @@
</a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/user/edit.jsp
View file @ fd0b5516
......@@ -45,6 +45,8 @@
</a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/user/email.jsp
View file @ fd0b5516
......@@ -21,6 +21,8 @@
<input type="submit" value="<spring:message code="userprofile.email.send" />" class="btn btn-primary" />
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
......
src/main/webapp/WEB-INF/jsp/user/password.jsp
View file @ fd0b5516
......@@ -28,6 +28,8 @@
<input type="submit" value="<spring:message code="userprofile.password" />" class="btn btn-primary" />
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/user/validateemail.jsp
View file @ fd0b5516
......@@ -25,6 +25,8 @@
<spring:message code="validate.email.invalid.key"/>
</div>
</c:if>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
......
src/main/webapp/WEB-INF/jsp/wiews/edit.jsp
View file @ fd0b5516
......@@ -32,6 +32,8 @@
<input type="submit" value="<spring:message code="save"/>" class="btn btn-primary" /> <a href="<c:url value="/wiews/${faoInstitute.code.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment