Re-enable csrf in booking-faces

Author: rstoyanchev

booking-faces/src/main/java/org/springframework/webflow/samples/booking/config/SecurityConfig.java

@@ -5,16 +5,13 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
-import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
-
 		http
 			.formLogin()
 				.loginPage("/spring/login")
@@ -24,15 +21,7 @@ protected void configure(HttpSecurity http) throws Exception {
 				.and()
 			.logout()
 				.logoutUrl("/spring/logout")
-				.logoutSuccessUrl("/spring/logoutSuccess")
-				.and()
-
-			// Disable CSRF (won't work with JSF) but ensure last HTTP POST request is saved
-			// See https://jira.springsource.org/browse/SEC-2498
-
-			.csrf().disable()
-			.requestCache()
-				.requestCache(new HttpSessionRequestCache());
+				.logoutSuccessUrl("/spring/logoutSuccess");
 	}
 
 	@Override

booking-faces/src/main/webapp/WEB-INF/flows/booking/enterBookingDetails.xhtml

@@ -129,6 +129,9 @@
 					</p>
 				</div>
 			</div>
+			<div>
+				<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+			</div>
 			<div>
 				<p:commandButton id="proceed" action="proceed" value="Proceed" update="@form" />
 				<p:commandButton id="cancel" value="Cancel" action="cancel" immediate="true" />

booking-faces/src/main/webapp/WEB-INF/flows/booking/reviewBooking.xhtml

@@ -71,6 +71,9 @@
 						</p>
 					</div>
 				</div>
+				<div>
+					<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+				</div>
 				<div>
 					<p:commandButton id="confirm" value="Confirm" action="confirm"/>&#160;
 		    		<p:commandButton id="revise" value="Revise" action="revise"/>&#160;

booking-faces/src/main/webapp/WEB-INF/flows/main/enterSearchCriteria.xhtml

@@ -31,7 +31,8 @@
 			</h:panelGrid>
 			<p:tooltip for="searchString" targetPosition="topRight" position="bottomLeft"
 				value="Search hotels by name, address, city, or zip." style="cream" />
-		</h:form>			  
+			<div><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/></div>
+		</h:form>
 	</p:panel>
 
 	<p:panel id="bookings" header="Your Hotel Bookings" rendered="#{currentUser!=null}" toggleable="true" toggleSpeed="100" style="margin-top: 10px">
@@ -67,7 +68,8 @@
 					</p:column>
 				</p:dataTable>
 			</p:outputPanel>
-		</h:form>			  
+			<div><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/></div>
+		</h:form>
 	</p:panel>				  
 
 </ui:define>

booking-faces/src/main/webapp/WEB-INF/flows/main/reviewHotel.xhtml

@@ -34,6 +34,9 @@
                 <f:convertNumber type="currency" currencySymbol="$"/>
             </h:outputText>
 	    </div>
+		<div>
+			<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+		</div>
 		<div>
 			<p:commandButton id="book" action="book" value="Book Hotel" ajax="false" />
 			<p:commandButton id="cancel" action="cancel" value="Back to Search"/>

booking-faces/src/main/webapp/WEB-INF/flows/main/reviewHotels.xhtml

@@ -47,6 +47,7 @@
 			</p:commandButton>
 		</p:column>
 	</p:dataTable>
+	<div><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/></div>
 </h:form>
 </ui:define>
 </ui:composition>

booking-faces/src/main/webapp/WEB-INF/layouts/standard.xhtml

@@ -31,7 +31,11 @@
 	<div>
 		<h4 class="alt bottom">
 			<c:if test="${not empty currentUser.name}">
-		    	Welcome, ${currentUser.name} | <a href="${request.contextPath}/spring/logout">Logout</a>
+				<form name="f" action="${request.contextPath}/spring/logout" method="post">
+					<div><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/></div>
+					Welcome, ${currentUser.name}
+					<input name="submit" type="submit" value="Logout" />
+				</form>
 			</c:if>
 			<c:if test="${empty currentUser.name}">
 				<a href="${request.contextPath}/spring/login">Login</a>

booking-faces/src/main/webapp/WEB-INF/login.xhtml

@@ -24,8 +24,7 @@
 <div class="span-10 append-2 last">
 	<c:if test="${not empty param.login_error}">
 		<div class="error">
-			Your login attempt was not successful, try again.<br />
-			Reason: #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
+			Your login attempt was not successful, try again.
 		</div>
 	</c:if>
 	<form name="f" action="${request.contextPath}/spring/loginProcess" method="post">
@@ -34,9 +33,6 @@
 				<p>
 					User:
 					<br />
-					<c:if test="${not empty param.login_error}">
-						<c:set var="username" value="${sessionScope.SPRING_SECURITY_LAST_USERNAME}"/>
-					</c:if>
 					<input type="text" name="username" value="#{username}"/>
 				</p>
 				<p>
@@ -48,6 +44,9 @@
 					<input type="checkbox" name="_spring_security_remember_me"/> 
 					Don't ask for my password for two weeks:
 				</p>
+				<div>
+					<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+				</div>
 				<p>
 					<input name="submit" type="submit" value="Login" />
 				</p>