SEC-3068: Update Tutorial to use POST /logout

samples/tutorial-xml/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <!--
-  - Sample namespace-based configuration
+- Sample namespace-based configuration
-  -
+-
-  -->
+-->
 
 <beans:beans xmlns="http://www.springframework.org/schema/security"
 	xmlns:beans="http://www.springframework.org/schema/beans"
@@ -19,12 +19,12 @@
 	<http pattern="/loggedout.jsp" security="none"/>
 
 	<http>
-		<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
+		<intercept-url pattern="/secure/extreme/**" access="hasAuthority('supervisor')"/>
-		<intercept-url pattern="/secure/**" access="isAuthenticated()" />
+		<intercept-url pattern="/secure/**" access="authenticated" />
 		<!--
-			 Allow all other requests. In a real application you should
+			Allow all other requests. In a real application you should
-			 adopt a whitelisting approach where access is not allowed by default
+			adopt a whitelisting approach where access is not allowed by default
-		  -->
+		-->
 		<intercept-url pattern="/**" access="permitAll" />
 		<form-login />
 		<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>

samples/tutorial-xml/src/main/webapp/WEB-INF/jsp/listAccounts.jsp

@@ -1,13 +1,14 @@
 <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
 
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
 <html>
-  <head>
+<head>
-      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+	<meta http-equiv="content-type" content="text/html; charset=UTF-8">
-      <link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
+	<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
-      <title>Accounts</title>
+	<title>Accounts</title>
-  </head>
+</head>
 <body>
 <div id="content">
 
@@ -32,22 +33,26 @@ Anyone can view this page, but posting to an Account requires login and must be
 <td><b>Operations</b></td>
 </tr>
 <c:forEach var="account" items="${accounts}">
-  <tr>
+<tr>
-  <td>${account.id}</td>
+<td>${account.id}</td>
-  <td>${account.holder}</td>
+<td>${account.holder}</td>
-  <td>${account.balance}</td>
+<td>${account.balance}</td>
-  <td>${account.overdraft}</td>
+<td>${account.overdraft}</td>
-  <td>
+<td>
-      <a href="post.html?id=${account.id}&amp;amount=-20.00">-$20</a>
+	<a href="post.html?id=${account.id}&amp;amount=-20.00">-$20</a>
-      <a href="post.html?id=${account.id}&amp;amount=-5.00">-$5</a>
+	<a href="post.html?id=${account.id}&amp;amount=-5.00">-$5</a>
-      <a href="post.html?id=${account.id}&amp;amount=5.00">+$5</a>
+	<a href="post.html?id=${account.id}&amp;amount=5.00">+$5</a>
-      <a href="post.html?id=${account.id}&amp;amount=20.00">+$20</a>
+	<a href="post.html?id=${account.id}&amp;amount=20.00">+$20</a>
-  </td>
+</td>
-  </tr>
+</tr>
 </c:forEach>
 </table>
 
-<p><a href="logout">Logout</a></p>
+<p>
+<form action="logout" method="post">
+	<sec:csrfInput />
+	<input type="submit" value="Logout"/>
+</form>
 </div>
 </body>
 </html>

samples/tutorial-xml/src/main/webapp/secure/extreme/index.jsp

@@ -1,25 +1,29 @@
-<%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
+<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
 <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
 <html>
-  <head>
+<head>
-      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+	<meta http-equiv="content-type" content="text/html; charset=UTF-8">
-      <link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
+	<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
-      <title>Secure Page</title>
+	<title>Secure Page</title>
-  </head>
+</head>
 <body>
 <div id="content">
 <h1>VERY Secure Page</h1>
 This is a protected page. You can only see me if you are a supervisor.
 
-<authz:authorize access="hasRole('supervisor')">
+<sec:authorize access="hasAuthority('supervisor')">
-   You have authority "supervisor" (this text is surrounded by &lt;authz:authorize&gt; tags).
+You have authority "supervisor" (this text is surrounded by &lt;sec:authorize&gt; tags).
-</authz:authorize>
+</sec:authorize>
 
 <p><a href="../../">Home</a></p>
-<p><a href="../../logout">Logout</a></p>
+
+<form action="../../logout" method="post">
+	<sec:csrfInput />
+	<input type="submit" value="Logout"/>
+</form>
 </div>
 </body>
 </html>

samples/tutorial-xml/src/main/webapp/secure/index.jsp

@@ -4,11 +4,11 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
 <html>
-  <head>
+<head>
-      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+	<meta http-equiv="content-type" content="text/html; charset=UTF-8">
-      <link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
+	<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
-      <title>Secure Page</title>
+	<title>Secure Page</title>
-  </head>
+</head>
 <body>
 <div id="content">
 
@@ -19,7 +19,7 @@ or if you've authenticated this session.
 </p>
 <p>
 <sec:authorize access="hasRole('supervisor')">
-    You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
+	You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
 </sec:authorize>
 </p>
 <h3>Properties obtained using &lt;sec:authentication /&gt; tag</h3>
@@ -43,7 +43,11 @@ or if you've authenticated this session.
 
 
 <p><a href="../">Home</a></p>
-<p><a href="../logout">Logout</a></p>
+
+<form action="../logout" method="post">
+	<sec:csrfInput />
+	<input type="submit" value="Logout"/>
+</form>
 </div>
 </body>
 </html>