
Commit ca5d21d

Add csrf protection
1 parent 07d318c commit ca5d21d

8 files changed

Lines changed: 25 additions & 12 deletions


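--- a/src/main/resources/logback.xml
+++ b/src/main/resources/logback.xml
@@ -26,6 +26,8 @@
 
 <logger name="ru.javawebinar.topjava" level="debug"/>
 <logger name="org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver" level="debug"/>
+<logger name="org.springframework.security.web.csrf.CsrfFilter" level="debug"/>
+
 <logger name="org.springframework.security" level="debug"/>
 
 <root level="INFO">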
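Review bot: The new `org.springframework.security.web.csrf.CsrfFilter` logger is redundant: it is a child of the `org.springframework.security` logger that the line two below already sets to debug, so the addition changes nothing unless the parent is later raised. If it is meant as a temporary aid while CSRF is being switched on, say so in place, e.g. `<!-- temporary: trace CSRF rejections while rolling out form:form; remove once verified -->`, or drop it. Either way, confirm that a debug-level `org.springframework.security` logger is not what ships to production; at that level the filter presumably logs the URL of every rejected request.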

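--- a/src/main/resources/spring/spring-security.xml
+++ b/src/main/resources/spring/spring-security.xml
@@ -26,7 +26,7 @@
 authentication-failure-url="/login?error=true"
 login-processing-url="/spring_security_check"/>
 <logout logout-success-url="/login"/>
-<csrf disabled="true"/>
+<!--<csrf disabled="true"/>-->
 </http>
 
 <beans:bean class="ru.javawebinar.topjava.util.PasswordUtil" id="passwordEncoder" factory-method="getPasswordEncoder"/>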
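Review bot: Commenting out `<csrf disabled="true"/>` makes protection depend on the namespace default, and that default differs by Spring Security version: the XML `<http>` element turns CSRF on by default only from 4.0, while 3.2 requires it to be enabled explicitly. The POM is not visible here, so replace the commented-out line with an explicit `<csrf/>` instead of leaving dead configuration; it also documents the intent for the next reader. With CSRF active, `<logout>` accepts only POST, which the bodyHeader.jsp change in this commit accounts for.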

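--- a/src/main/webapp/WEB-INF/jsp/fragments/bodyHeader.jsp
+++ b/src/main/webapp/WEB-INF/jsp/fragments/bodyHeader.jsp
@@ -2,6 +2,7 @@
 <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
+<%@taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
 
 <%--
 <fmt:setLocale value="ru"/>
@@ -14,18 +15,18 @@
 <a href="${meals}" class="navbar-brand"><fmt:message key="app.title"/></a>
 
 <div class="collapse navbar-collapse">
-<form class="navbar-form navbar-right">
+<c:url value="/logout" var="logout"/>
+<form:form class="navbar-form navbar-right" action="${logout}" method="post">
 <sec:authorize access="isAuthenticated()">
 <sec:authorize access="hasRole('ROLE_ADMIN')">
 <c:url value="/users" var="users"/>
 <a class="btn btn-info" role="button" href="${users}"><fmt:message key="users.title"/></a>
 </sec:authorize>
 <c:url value="/profile" var="profile"/>
 <a class="btn btn-info" role="button" href="${profile}">${userTo.name} profile</a>
-<c:url value="/logout" var="logout"/>
-<a class="btn btn-primary" role="button" href="${logout}">Logout</a>
+<input type="submit" class="btn btn-primary" value="Logout">
 </sec:authorize>
-</form>
+</form:form>
 </div>
 </div>
 </div>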
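Review bot: `<c:url value="/logout" .../>` and `<form:form ... action="${logout}" method="post">` now sit outside `<sec:authorize access="isAuthenticated()">`, so every page rendered for an anonymous visitor still emits a POST-to-/logout form carrying a hidden `_csrf` field and no visible control. Everything inside the form is already inside the authorize block, so swapping the nesting — `<sec:authorize>` as the outer element, the two form lines just inside it — removes the empty form without changing the authenticated layout. The new submit control is also the only caption in this fragment not routed through `fmt:message`; `<input type="submit" class="btn btn-primary" value="<fmt:message key='app.logout'/>">` with a matching bundle key would keep it consistent with `users.title` (key name is a suggestion; the bundle is not visible here).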

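--- a/src/main/webapp/WEB-INF/jsp/fragments/headTag.jsp
+++ b/src/main/webapp/WEB-INF/jsp/fragments/headTag.jsp
@@ -4,6 +4,9 @@
 
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<meta name="_csrf" content="${_csrf.token}"/>
+<!-- default header name is X-CSRF-TOKEN -->
+<meta name="_csrf_header" content="${_csrf.headerName}"/>
 <title><fmt:message key="app.title"/></title>
 
 <%--<link rel="stylesheet" href="resources/css/style.css">--%>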
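Review bot: `${_csrf.token}` and `${_csrf.headerName}` render as empty strings whenever the request carries no `_csrf` attribute (CSRF not active for this version's default, or a page served outside the security filter chain), and the `ajaxSend` hook added in customDatatable.js would then call `setRequestHeader` with an empty header name, which throws on every request. Wrapping the two tags in `<c:if test="${not empty _csrf}">…</c:if>` makes the absence explicit; that needs the `c` taglib, whose declaration is above this hunk and not visible here. The middle line is an HTML comment and is shipped to every client; a `<%-- default header name is X-CSRF-TOKEN --%>` JSP comment keeps it server-side. The two new tags also close with `/>` while the existing `<meta http-equiv=...>` directly above does not — pick one form for the fragment.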

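--- a/src/main/webapp/WEB-INF/jsp/login.jsp
+++ b/src/main/webapp/WEB-INF/jsp/login.jsp
@@ -3,6 +3,7 @@
 <%@taglib uri="http://www.springframework.org/tags" prefix="spring" %>
 <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
+<%@taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
 
 <html>
 <jsp:include page="fragments/headTag.jsp"/>
@@ -11,15 +12,15 @@
 <div class="container">
 <div class="navbar-header navbar-brand"><fmt:message key="app.title"/></div>
 <div class="navbar-collapse collapse">
-<form class="navbar-form navbar-right" role="form" action="spring_security_check" method="post">
+<form:form class="navbar-form navbar-right" role="form" action="spring_security_check" method="post">
 <div class="form-group">
 <input type="text" placeholder="Email" class="form-control" name='username'>
 </div>
 <div class="form-group">
 <input type="password" placeholder="Password" class="form-control" name='password'>
 </div>
 <button type="submit" class="btn btn-success">Sign in</button>
-</form>
+</form:form>
 </div>
 </div>
 </div>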
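Review bot: The login form still posts to the relative `action="spring_security_check"`, so where the CSRF-bearing POST lands depends on the URL the login page happened to be rendered at. This commit already resolves `/logout` with `<c:url>` in bodyHeader.jsp; doing the same here — `<c:url value="/spring_security_check" var="loginUrl"/>` and `action="${loginUrl}"` — makes the form context-path safe and consistent with the rest of the change. The hidden `_csrf` field that `<form:form>` now emits is bound to the session, so the login page must be allowed to create one; the JSP default `session="true"` does that, worth confirming nothing at the top of the file (outside this hunk) turns it off.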

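--- a/src/main/webapp/WEB-INF/jsp/mealList.jsp
+++ b/src/main/webapp/WEB-INF/jsp/mealList.jsp
@@ -74,7 +74,7 @@
 <h2 class="modal-title">Meal details:</h2>
 </div>
 <div class="modal-body">
-<form class="form-horizontal" method="post" id="detailsForm">
+<form:form class="form-horizontal" method="post" id="detailsForm">
 <input type="text" hidden="hidden" id="id" name="id">
 
 <div class="form-group">
@@ -104,7 +104,7 @@
 <button type="submit" class="btn btn-primary">Save</button>
 </div>
 </div>
-</form>
+</form:form>
 </div>
 </div>
 </div>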
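Review bot: This file switches to `<form:form>` but, unlike login.jsp and userList.jsp in the same commit, its diff adds no `<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>`; if mealList.jsp does not already declare that prefix above line 74 (outside the hunk), the page will fail JSP compilation at first request. If this modal is only ever submitted through the jQuery `ajaxSend` hook added in customDatatable.js, the hidden `_csrf` input that `<form:form>` renders is redundant with the header, though harmless; a one-line JSP comment such as `<%-- _csrf is sent both as a hidden field (form:form) and as a request header (ajaxSend in customDatatable.js) --%>` stops the next maintainer from removing one and assuming the other covers it. The submit handler is not visible here, so this is inferred from the JS change.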

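--- a/src/main/webapp/WEB-INF/jsp/userList.jsp
+++ b/src/main/webapp/WEB-INF/jsp/userList.jsp
@@ -3,6 +3,7 @@
 <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
 <%@ taglib prefix="datatables" uri="http://github.com/dandelion/datatables" %>
 <%@ taglib prefix="dandelion" uri="http://github.com/dandelion" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
 
 <html>
 <dandelion:bundle includes="topjavaDatatable"/>
@@ -44,7 +45,7 @@
 <h2 class="modal-title">User details:</h2>
 </div>
 <div class="modal-body">
-<form class="form-horizontal" method="post" id="detailsForm">
+<form:form class="form-horizontal" method="post" id="detailsForm">
 <input type="text" hidden="hidden" id="id" name="id">
 
 <div class="form-group">
@@ -75,7 +76,7 @@
 <button type="submit" class="btn btn-primary">Save</button>
 </div>
 </div>
-</form>
+</form:form>
 </div>
 </div>
 </div>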

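--- a/src/main/webapp/resources/js/customDatatable.js
+++ b/src/main/webapp/resources/js/customDatatable.js
@@ -1,7 +1,7 @@
 var form;
 
 function makeEditable(ajaxUrl) {
-form = $('#detailsForm')
+form = $('#detailsForm');
 
 $('#add').click(function () {
 form.find(":input").each(function () {
@@ -28,6 +28,11 @@ function makeEditable(ajaxUrl) {
 failNoty(event, jqXHR, options, jsExc);
 });
 
+var token = $("meta[name='_csrf']").attr("content");
+var header = $("meta[name='_csrf_header']").attr("content");
+$(document).ajaxSend(function(e, xhr, options) {
+xhr.setRequestHeader(header, token);
+});
 init();
 }
 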
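Review bot: The `ajaxSend` hook attaches the CSRF token to every jQuery request, including any cross-origin one, which would hand the session's token to a third-party host; it also passes the header name through unchecked, so an empty `_csrf_header` meta (CSRF not active, see headTag.jsp) makes `setRequestHeader('')` throw on every request. Guard both: `if (header && token && !options.crossDomain) { xhr.setRequestHeader(header, token); }`. The hook is registered inside `makeEditable`, so a second call would stack a second handler and send the header twice; hoisting the three statements to file scope next to `var form;` makes it a one-time registration — hedged, since makeEditable's callers are not visible here.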
