SEC-2991: Add CSRF Token to OpenID XML Sample

2015-07-21 10:42:24 -05:00 · 2015-07-21 10:42:24 -05:00 · cd4a7e95cc
parent 07fb2af74b
commit cd4a7e95cc
3 changed files with 10 additions and 9 deletions
--- a/samples/openid-xml/openid.gradle
+++ b/samples/openid-xml/openid.gradle
@ -5,7 +5,8 @@ apply plugin: 'jetty'

 dependencies {
 	compile project(':spring-security-core'),
-			project(':spring-security-openid')
+			project(':spring-security-openid'),
+			"org.springframework:spring-webmvc:$springVersion"

 	providedCompile "javax.servlet:javax.servlet-api:$servletApiVersion"

--- a/samples/openid-xml/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/samples/openid-xml/src/main/webapp/WEB-INF/applicationContext-security.xml
@ -10,12 +10,11 @@
 	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

-	<http pattern="/openidlogin.jsp*" security="none" />
-	<http pattern="/images/*" security="none" />
-	<http pattern="/css/*" security="none" />
-	<http pattern="/js/*" security="none" />
-
 	<http>
+		<intercept-url pattern="/openidlogin.jsp*" access="permitAll"/>
+		<intercept-url pattern="/images/*" access="permitAll"/>
+		<intercept-url pattern="/css/*" access="permitAll"/>
+		<intercept-url pattern="/js/*" access="permitAll"/>
 		<intercept-url pattern="/**" access="authenticated"/>
 		<logout/>
 		<openid-login login-page="/openidlogin.jsp" user-service-ref="registeringUserService"
--- a/samples/openid-xml/src/main/webapp/openidlogin.jsp
+++ b/samples/openid-xml/src/main/webapp/openidlogin.jsp
@ -1,4 +1,5 @@
 <%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
@ -36,8 +37,8 @@
 </c:if>

 <!-- Simple OpenID Selector -->
-<form action="<c:url value='login/openid'/>" method="post" id="openid_form">
-    <input type="hidden" name="action" value="verify" />
+<form:form action="login/openid" method="post" id="openid_form">
+	<input type="hidden" name="action" value="verify" />

    <fieldset>
            <legend>Sign-in or Create New Account</legend>
@ -57,7 +58,7 @@
            Find out <a href="http://openid.net/what/">more about OpenID</a> and <a href="http://openid.net/get/">how to get an OpenID enabled account</a>.</p>
            </noscript>
    </fieldset>
-</form>
+</form:form>
 <!-- /Simple OpenID Selector -->

 </body>