Skip to content

GitLab

Commit fd0b5516 authored by Nick Martynenko's avatar Nick Martynenko Committed by Matija Obreza
Browse files

CSRF

parent 77a3b7c6
Hide whitespace changes
Inline Side-by-side
Showing with 101 additions and 17 deletions
pom.xml
View file @ fd0b5516
......@@ -55,8 +55,8 @@
<log4j.version>1.2.17</log4j.version>
<aspectj.version>1.7.2</aspectj.version>
<spring.framework.version>3.2.5.RELEASE</spring.framework.version>
<spring.security.version>3.1.4.RELEASE</spring.security.version>
<spring.framework.version>3.2.7.RELEASE</spring.framework.version>
<spring.security.version>3.2.1.RELEASE</spring.security.version>
<spring.security.oauth2.version>1.0.5.RELEASE</spring.security.oauth2.version>
<spring.data.core.version>1.5.1.RELEASE</spring.data.core.version>
<spring.data.jpa.version>1.3.5.RELEASE</spring.data.jpa.version>
......@@ -100,11 +100,19 @@
<name>Releases</name>
<url>https://oss.sonatype.org/content/repositories/releases</url>
</repository>
<!-- <repository> <id>sonatype mirror</id> <url>http://search.maven.org/remotecontent?filepath=</url>
</repository> -->
<repository>
<id>sonatype mirror</id>
<url>http://search.maven.org/remotecontent?filepath=</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>sonatype mirror</id>
<url>http://search.maven.org/remotecontent?filepath=</url>
</pluginRepository>
</pluginRepositories>
<dependencies>
<!--Test dependencies -->
<dependency>
......@@ -248,12 +256,6 @@
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
......
src/main/resources/spring/spring-security-oauth.xml
View file @ fd0b5516
......@@ -18,7 +18,7 @@
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
......
src/main/resources/spring/spring-security.xml
View file @ fd0b5516
......@@ -18,7 +18,7 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
......@@ -60,6 +60,9 @@
<sec:access-denied-handler error-page="/access-denied" />
<sec:expression-handler ref="webExpressionHandler"/>
<!--enable CSRF protection-->
<sec:csrf />
</sec:http>
</beans>
src/main/webapp/WEB-INF/decorator/entry.jsp
View file @ fd0b5516
......@@ -10,6 +10,11 @@
<meta name="description" content="" />
<meta name="author" content="" />
<!-- CSRF protection-->
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<title><sitemesh:write property="title" /></title>
<!-- Custom styles for this template -->
......
src/main/webapp/WEB-INF/decorator/footer.jsp
View file @ fd0b5516
......@@ -90,4 +90,13 @@
$('#nav-main').hide('slow');
});
//CSRF protection
$(function () {
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});
</script>
src/main/webapp/WEB-INF/decorator/header.jsp
View file @ fd0b5516
......@@ -40,6 +40,8 @@
<span class="or">-</span>
<a href="<c:url value="/google/login" />" class="btn btn-default google-signin"><spring:message code="login.with-google-plus"/></a>
<a href="<c:url value="/registration" />" class="btn btn-default"><spring:message code="login.register-now"/></a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</li>
</ul>
......@@ -118,6 +120,9 @@
<span class="or">-</span>
<a href="<c:url value="/google/login" />" class="btn btn-default google-signin"><spring:message code="login.with-google-plus"/></a>
<a href="<c:url value="/registration" />" class="btn btn-default"><spring:message code="login.register-now"/></a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</li>
</ul>
......
src/main/webapp/WEB-INF/decorator/main.jsp
View file @ fd0b5516
......@@ -9,9 +9,15 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="description" content="" />
<meta name="author" content="" />
<!--
<link rel="shortcut icon" href="../../docs-assets/ico/favicon.png" />
-->
<!-- CSRF protection-->
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<!--
<link rel="shortcut icon" href="../../docs-assets/ico/favicon.png" />
-->
<title><sitemesh:write property="title" /></title>
......
src/main/webapp/WEB-INF/jsp/admin/index.jsp
View file @ fd0b5516
......@@ -15,12 +15,18 @@
<h3>Country data</h3>
<form method="post" action="<c:url value="/admin/refreshCountries" />">
<input type="submit" class="btn btn-default" value="Refresh country data" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateAlternateNames" />">
<input type="submit" class="btn btn-default" value="Update alternate GEO names" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateITPGRFA" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Update country ITPGRFA status" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
......@@ -28,43 +34,63 @@
<h3>WIEWS</h3>
<form method="post" action="<c:url value="/admin/refreshWiews" />">
<input type="submit" class="btn btn-default" value="Refresh WIEWS data" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Svalbard Global Seed Vault</h3>
<form method="post" action="<c:url value="/admin/updateSGSV" />">
<input type="submit" class="btn btn-default" value="Update SGSV" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/importSGSV" />">
<input type="submit" class="btn btn-default" value="Import SGSV" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Accession</h3>
<form method="post" action="<c:url value="/admin/updateAccessionCountryRefs" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Update accession country info" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateInstituteCountryRefs" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Update WIEWS country info" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/updateAccessionInstituteRefs" />">
<input type="submit" class="btn btn-default" value="Update accession institute info" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/convertNames" />">
<input type="submit" class="btn btn-default" value="Convert old names to aliases" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>C&E</h3>
<form method="post" action="<c:url value="/admin/refreshMetadataMethods" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Recalculate metadata methods" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Content</h3>
<form method="post" action="<c:url value="/admin/sanitize" />">
<input type="submit" class="btn btn-default" value="Sanitize HTML content" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<h3>Full-text Search</h3>
<form method="post" action="<c:url value="/admin/reindexEverything" />">
<input type="submit" class="btn btn-default" class="btn btn-default" value="Reindex search indexes" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<form method="post" action="<c:url value="/admin/reindexEntity" />">
......@@ -76,6 +102,8 @@
<option value="org.genesys2.server.model.impl.Organization">Organizations</option>
<option value="org.genesys2.server.model.genesys.Accession">Accessions</option>
</select> <input type="submit" class="btn btn-default" value="Reindex search indexes" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
......
src/main/webapp/WEB-INF/jsp/admin/oauth/client/edit.jsp
View file @ fd0b5516
......@@ -24,6 +24,8 @@
<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
<a href="<c:url value="/geo/${country.code3.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/content/activitypost-edit.jsp
View file @ fd0b5516
......@@ -37,7 +37,9 @@
<a class="btn btn-default" href="<c:url value="/content/activitypost/${activityPost.id}/delete" />"><spring:message code="delete" /></a>
</c:if>
<a class="btn btn-default" href="<c:url value="/" />"><spring:message code="cancel" /></a>
</form>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
<script type="text/javascript" src="/html/js/tinymce/tinymce.min.js"></script>
......
src/main/webapp/WEB-INF/jsp/content/article-edit.jsp
View file @ fd0b5516
......@@ -36,6 +36,8 @@
<input type="submit" value="<spring:message code="save"/>" class="btn btn-primary" />
<a href="<c:url value="${article.id ne null ? '/content/'.concat(article.slug) : '/' }" />" class="btn btn-default">Cancel</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/country/edit.jsp
View file @ fd0b5516
......@@ -25,6 +25,8 @@
<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
<a href="<c:url value="/geo/${country.code3.toLowerCase()}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/filter/cropdescriptors.jsp
View file @ fd0b5516
......@@ -36,6 +36,8 @@
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
......
src/main/webapp/WEB-INF/jsp/filter/filter.jsp
View file @ fd0b5516
......@@ -77,6 +77,8 @@
<button type="submit" name="doPick" class="btn btn-green pull-left">Change filters</button>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
......
src/main/webapp/WEB-INF/jsp/filter/pick.jsp
View file @ fd0b5516
......@@ -67,6 +67,8 @@
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
src/main/webapp/WEB-INF/jsp/index.jsp
View file @ fd0b5516
......@@ -16,6 +16,8 @@
<sec:authorize access="hasRole('ADMINISTRATOR')">
<form method="post" action="<c:url value="/c/rebuild" />">
<input type="submit" class="btn form-control" value="Rebuild" />
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</sec:authorize>
<div class="dropdown">
......
src/main/webapp/WEB-INF/jsp/login.jsp
View file @ fd0b5516
......@@ -46,6 +46,8 @@
<a href="forgot-password" id="forgot-password" class="btn"><spring:message code="login.forgot-password"/></a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/oauth/confirm.jsp
View file @ fd0b5516
......@@ -26,11 +26,15 @@
<div class="col-sm-2">
<form action="<c:url value="/oauth/authorize" />" method="post">
<input name="user_oauth_approval" value="true" type="hidden" /> <label><input class="btn btn-primary" name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit" /></label>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
<div class="col-sm-2">
<form action="<c:url value="/oauth/authorize" />" method="post">
<input name="user_oauth_approval" value="false" type="hidden" /> <label><input class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit" /></label>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
</div>
......
src/main/webapp/WEB-INF/jsp/oauth/createclient.jsp
View file @ fd0b5516
......@@ -36,6 +36,8 @@
</a>
</div>
</div>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
\ No newline at end of file
src/main/webapp/WEB-INF/jsp/organization/edit.jsp
View file @ fd0b5516
......@@ -39,6 +39,8 @@
<input type="submit" value="<spring:message code="blurp.update-blurp"/>" class="btn btn-primary" />
<a href="<c:url value="/org/${organization.slug}" />" class="btn btn-default"> <spring:message code="cancel" />
</a>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<content tag="javascript">
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment