CSRF

fd0b5516 · Nick Martynenko · Matija Obreza · 77a3b7c6 · fd0b5516 · fd0b5516
Commit fd0b5516 authored Feb 20, 2014 by Nick Martynenko Committed by Matija Obreza Feb 22, 2014
--- a/pom.xml
+++ b/pom.xml
@@ -55,8 +55,8 @@
 		<log4j.version>1.2.17</log4j.version>

 		<aspectj.version>1.7.2</aspectj.version>
-		<spring.framework.version>3.2.5.RELEASE</spring.framework.version>
-		<spring.security.version>3.1.4.RELEASE</spring.security.version>
+		<spring.framework.version>3.2.7.RELEASE</spring.framework.version>
+		<spring.security.version>3.2.1.RELEASE</spring.security.version>
 		<spring.security.oauth2.version>1.0.5.RELEASE</spring.security.oauth2.version>
 		<spring.data.core.version>1.5.1.RELEASE</spring.data.core.version>
 		<spring.data.jpa.version>1.3.5.RELEASE</spring.data.jpa.version>
@@ -100,11 +100,19 @@
 			<name>Releases</name>
 			<url>https://oss.sonatype.org/content/repositories/releases</url>
 		</repository>
-
-		<!-- <repository> <id>sonatype mirror</id> <url>http://search.maven.org/remotecontent?filepath=</url> 
-			</repository> -->
+		 <repository>
+             <id>sonatype mirror</id>
+             <url>http://search.maven.org/remotecontent?filepath=</url>
+         </repository>
 	</repositories>

+    <pluginRepositories>
+        <pluginRepository>
+            <id>sonatype mirror</id>
+            <url>http://search.maven.org/remotecontent?filepath=</url>
+        </pluginRepository>
+    </pluginRepositories>
+
 	<dependencies>
 		<!--Test dependencies -->
 		<dependency>
@@ -248,12 +256,6 @@
 			<version>${spring.security.version}</version>
 		</dependency>

-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-crypto</artifactId>
-			<version>${spring.security.version}</version>
-		</dependency>
-
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-taglibs</artifactId>

--- a/src/main/resources/spring/spring-security-oauth.xml
+++ b/src/main/resources/spring/spring-security-oauth.xml
@@ -18,7 +18,7 @@
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

 	<!-- <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
 		<constructor-arg>

--- a/src/main/resources/spring/spring-security.xml
+++ b/src/main/resources/spring/spring-security.xml
@@ -18,7 +18,7 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
-       xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
+       xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">


@@ -60,6 +60,9 @@
 		
 		<sec:access-denied-handler error-page="/access-denied" />
 		<sec:expression-handler ref="webExpressionHandler"/>
+
+        <!--enable CSRF protection-->
+        <sec:csrf />
 	</sec:http>

 </beans>
--- a/src/main/webapp/WEB-INF/decorator/entry.jsp
+++ b/src/main/webapp/WEB-INF/decorator/entry.jsp
@@ -10,6 +10,11 @@
    <meta name="description" content="" />
    <meta name="author" content="" />

+    <!-- CSRF protection-->
+    <meta name="_csrf" content="${_csrf.token}"/>
+    <!-- default header name is X-CSRF-TOKEN -->
+    <meta name="_csrf_header" content="${_csrf.headerName}"/>
+
    <title><sitemesh:write property="title" /></title>

    <!-- Custom styles for this template -->

--- a/src/main/webapp/WEB-INF/decorator/footer.jsp
+++ b/src/main/webapp/WEB-INF/decorator/footer.jsp
@@ -90,4 +90,13 @@
    $('#nav-main').hide('slow');        
  });

+  //CSRF protection
+  $(function () {
+      var token = $("meta[name='_csrf']").attr("content");
+      var header = $("meta[name='_csrf_header']").attr("content");
+      $(document).ajaxSend(function(e, xhr, options) {
+          xhr.setRequestHeader(header, token);
+      });
+  });
+
 </script>
--- a/src/main/webapp/WEB-INF/decorator/header.jsp
+++ b/src/main/webapp/WEB-INF/decorator/header.jsp
@@ -40,6 +40,8 @@
                                    <span class="or">-</span>
 	                            	<a href="<c:url value="/google/login" />" class="btn btn-default google-signin"><spring:message code="login.with-google-plus"/></a>
 					                <a href="<c:url value="/registration" />" class="btn btn-default"><spring:message code="login.register-now"/></a>
+                                    <!-- CSRF protection -->
+                                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
                                </form>
                            </li>
                        </ul>
@@ -118,6 +120,9 @@
                                    <span class="or">-</span>
 	                            	<a href="<c:url value="/google/login" />" class="btn btn-default google-signin"><spring:message code="login.with-google-plus"/></a>
 					                <a href="<c:url value="/registration" />" class="btn btn-default"><spring:message code="login.register-now"/></a>
+
+                                    <!-- CSRF protection -->
+                                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
                                </form>
                            </li>
                        </ul>

--- a/src/main/webapp/WEB-INF/decorator/main.jsp
+++ b/src/main/webapp/WEB-INF/decorator/main.jsp
@@ -9,9 +9,15 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="description" content="" />
    <meta name="author" content="" />
-<!--
-    <link rel="shortcut icon" href="../../docs-assets/ico/favicon.png" />
-->
+
+    <!-- CSRF protection-->
+    <meta name="_csrf" content="${_csrf.token}"/>
+    <!-- default header name is X-CSRF-TOKEN -->
+    <meta name="_csrf_header" content="${_csrf.headerName}"/>
+
+    <!--
+        <link rel="shortcut icon" href="../../docs-assets/ico/favicon.png" />
+    -->

    <title><sitemesh:write property="title" /></title>


--- a/src/main/webapp/WEB-INF/jsp/admin/index.jsp
+++ b/src/main/webapp/WEB-INF/jsp/admin/index.jsp
@@ -15,12 +15,18 @@
 	<h3>Country data</h3>
 	<form method="post" action="<c:url value="/admin/refreshCountries" />">
 		<input type="submit" class="btn btn-default" value="Refresh country data" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	<form method="post" action="<c:url value="/admin/updateAlternateNames" />">
 		<input type="submit" class="btn btn-default" value="Update alternate GEO names" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	<form method="post" action="<c:url value="/admin/updateITPGRFA" />">
 		<input type="submit" class="btn btn-default" class="btn btn-default" value="Update country ITPGRFA status" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 	
@@ -28,43 +34,63 @@
 	<h3>WIEWS</h3>
 	<form method="post" action="<c:url value="/admin/refreshWiews" />">
 		<input type="submit" class="btn btn-default" value="Refresh WIEWS data" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	
 	<h3>Svalbard Global Seed Vault</h3>
 	<form method="post" action="<c:url value="/admin/updateSGSV" />">
 		<input type="submit" class="btn btn-default" value="Update SGSV" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	<form method="post" action="<c:url value="/admin/importSGSV" />">
 		<input type="submit" class="btn btn-default" value="Import SGSV" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	
 	<h3>Accession</h3>
 	<form method="post" action="<c:url value="/admin/updateAccessionCountryRefs" />">
 		<input type="submit" class="btn btn-default" class="btn btn-default" value="Update accession country info" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	<form method="post" action="<c:url value="/admin/updateInstituteCountryRefs" />">
 		<input type="submit" class="btn btn-default" class="btn btn-default" value="Update WIEWS country info" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	<form method="post" action="<c:url value="/admin/updateAccessionInstituteRefs" />">
 		<input type="submit" class="btn btn-default" value="Update accession institute info" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	<form method="post" action="<c:url value="/admin/convertNames" />">
 		<input type="submit" class="btn btn-default" value="Convert old names to aliases" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	
 	<h3>C&E</h3>
 	<form method="post" action="<c:url value="/admin/refreshMetadataMethods" />">
 		<input type="submit" class="btn btn-default" class="btn btn-default" value="Recalculate metadata methods" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	
 	<h3>Content</h3>
 	<form method="post" action="<c:url value="/admin/sanitize" />">
 		<input type="submit" class="btn btn-default" value="Sanitize HTML content" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 	
 	<h3>Full-text Search</h3>
 	<form method="post" action="<c:url value="/admin/reindexEverything" />">
 		<input type="submit" class="btn btn-default" class="btn btn-default" value="Reindex search indexes" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 	<form method="post" action="<c:url value="/admin/reindexEntity" />">
@@ -76,6 +102,8 @@
 			<option value="org.genesys2.server.model.impl.Organization">Organizations</option>
 			<option value="org.genesys2.server.model.genesys.Accession">Accessions</option>
 		</select> <input type="submit" class="btn btn-default" value="Reindex search indexes" />
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 </body>

--- a/src/main/webapp/WEB-INF/jsp/admin/oauth/client/edit.jsp
+++ b/src/main/webapp/WEB-INF/jsp/admin/oauth/client/edit.jsp
@@ -24,6 +24,8 @@
 		<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
 		<a href="<c:url value="/geo/${country.code3.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
 		</a>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 <content tag="javascript">	

--- a/src/main/webapp/WEB-INF/jsp/content/activitypost-edit.jsp
+++ b/src/main/webapp/WEB-INF/jsp/content/activitypost-edit.jsp
@@ -37,7 +37,9 @@
 			<a class="btn btn-default" href="<c:url value="/content/activitypost/${activityPost.id}/delete" />"><spring:message code="delete" /></a>
 		</c:if>
 		<a class="btn btn-default" href="<c:url value="/" />"><spring:message code="cancel" /></a>
-	</form>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+    </form>

 <content tag="javascript">	
 	<script type="text/javascript" src="/html/js/tinymce/tinymce.min.js"></script>

--- a/src/main/webapp/WEB-INF/jsp/content/article-edit.jsp
+++ b/src/main/webapp/WEB-INF/jsp/content/article-edit.jsp
@@ -36,6 +36,8 @@

 		<input type="submit" value="<spring:message code="save"/>" class="btn btn-primary" />
 		<a href="<c:url value="${article.id ne null ? '/content/'.concat(article.slug) : '/' }" />" class="btn btn-default">Cancel</a>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 <content tag="javascript">	

--- a/src/main/webapp/WEB-INF/jsp/country/edit.jsp
+++ b/src/main/webapp/WEB-INF/jsp/country/edit.jsp
@@ -25,6 +25,8 @@
 		<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
 		<a href="<c:url value="/geo/${country.code3.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
 		</a>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 <content tag="javascript">	

--- a/src/main/webapp/WEB-INF/jsp/filter/cropdescriptors.jsp
+++ b/src/main/webapp/WEB-INF/jsp/filter/cropdescriptors.jsp
@@ -36,6 +36,8 @@
 </div>

 </div>
+    <!-- CSRF protection -->
+    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 </form>

 </body>

--- a/src/main/webapp/WEB-INF/jsp/filter/filter.jsp
+++ b/src/main/webapp/WEB-INF/jsp/filter/filter.jsp
@@ -77,6 +77,8 @@
 			<button type="submit" name="doPick" class="btn btn-green pull-left">Change filters</button>
 		</div>
 	</div>
+    <!-- CSRF protection -->
+    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 </form>

 </div>

--- a/src/main/webapp/WEB-INF/jsp/filter/pick.jsp
+++ b/src/main/webapp/WEB-INF/jsp/filter/pick.jsp
@@ -67,6 +67,8 @@
 	</div>

 </div>
+    <!-- CSRF protection -->
+    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 </form>

 <content tag="javascript">

--- a/src/main/webapp/WEB-INF/jsp/index.jsp
+++ b/src/main/webapp/WEB-INF/jsp/index.jsp
@@ -16,6 +16,8 @@
 			<sec:authorize access="hasRole('ADMINISTRATOR')">
 				<form method="post" action="<c:url value="/c/rebuild" />">
 					<input type="submit" class="btn form-control" value="Rebuild" />
+                    <!-- CSRF protection -->
+                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 				</form>
 			</sec:authorize>
 			<div class="dropdown">

--- a/src/main/webapp/WEB-INF/jsp/login.jsp
+++ b/src/main/webapp/WEB-INF/jsp/login.jsp
@@ -46,6 +46,8 @@
 	           	<a href="forgot-password" id="forgot-password" class="btn"><spring:message code="login.forgot-password"/></a>
        	</div>
        </div>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    </form>
 </body>
 </html>
\ No newline at end of file
--- a/src/main/webapp/WEB-INF/jsp/oauth/confirm.jsp
+++ b/src/main/webapp/WEB-INF/jsp/oauth/confirm.jsp
@@ -26,11 +26,15 @@
 			<div class="col-sm-2">
 				<form action="<c:url value="/oauth/authorize" />" method="post">
 					<input name="user_oauth_approval" value="true" type="hidden" /> <label><input class="btn btn-primary" name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit" /></label>
+                    <!-- CSRF protection -->
+                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 				</form>
 			</div>
 			<div class="col-sm-2">
 				<form action="<c:url value="/oauth/authorize" />" method="post">
 					<input name="user_oauth_approval" value="false" type="hidden" /> <label><input class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit" /></label>
+                    <!-- CSRF protection -->
+                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 				</form>
 			</div>
 		</div>

--- a/src/main/webapp/WEB-INF/jsp/oauth/createclient.jsp
+++ b/src/main/webapp/WEB-INF/jsp/oauth/createclient.jsp
@@ -36,6 +36,8 @@
 				</a>
 			</div>
 		</div>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>
 </body>
 </html>
\ No newline at end of file
--- a/src/main/webapp/WEB-INF/jsp/organization/edit.jsp
+++ b/src/main/webapp/WEB-INF/jsp/organization/edit.jsp
@@ -39,6 +39,8 @@
 		<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
 		<a href="<c:url value="/org/${organization.slug}" />" class="btn btn-default"> <spring:message code="cancel" />
 		</a>
+        <!-- CSRF protection -->
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 	</form>

 <content tag="javascript">