ajax client post csrf fix, code cleanup
1azyman committed Nov 9, 2017
1 parent 706fd74 commit 12297e7
Showing 2 changed files with 20 additions and 18 deletions.
Expand Up @@ -61,8 +61,6 @@
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.mapper.parameter.PageParametersEncoder;
import org.apache.wicket.request.resource.PackageResourceReference;
import org.apache.wicket.request.resource.SharedResourceReference;
Expand All @@ -79,7 +77,6 @@
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
Expand Down Expand Up @@ -252,16 +249,15 @@ public void init() {

@Override
public void updateAjaxAttributes(AbstractDefaultAjaxBehavior behavior, AjaxRequestAttributes attributes) {
Request req = RequestCycle.get().getRequest();
HttpServletRequest httpReq = (HttpServletRequest) req.getContainerRequest();
CsrfToken csrfToken = SecurityUtils.getCsrfToken();
if (csrfToken == null) {
return;
}

CsrfToken csrfToken = (CsrfToken) httpReq.getAttribute("_csrf");
if (csrfToken != null) {
String parameterName = csrfToken.getParameterName();
String value = csrfToken.getToken();
String parameterName = csrfToken.getParameterName();
String value = csrfToken.getToken();

attributes.getExtraParameters().put(parameterName, value);
}
attributes.getExtraParameters().put(parameterName, value);
}
});
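Review bot: The listener's `attributes.getExtraParameters().put(parameterName, value)` runs for every Ajax behavior, not only for POSTs, so for behaviors that issue GET requests the token would presumably be sent in the query string, where it can end up in access logs, proxies and browser history. Spring Security's default CSRF matcher does not check safe methods such as GET, so the token is not needed on those calls. Consider a guard like `if (attributes.getMethod() != AjaxRequestAttributes.Method.POST) { return; }`, but first confirm the method is already final when a global listener runs, since a behavior may set it later in its own `updateAjaxAttributes`. If the token must stay on all requests, say so in a comment above the `put`. The anonymous listener class starts outside this hunk.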

Expand Up @@ -120,15 +120,21 @@ public void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag)
}

public static void appendHiddenInputForCsrf(Response resp) {
CsrfToken csrfToken = getCsrfToken();
if (csrfToken == null) {
return;
}

String parameterName = csrfToken.getParameterName();
String value = csrfToken.getToken();

resp.write("<input type=\"hidden\" name=\"" + parameterName + "\" value=\"" + value + "\"/>");
}

public static CsrfToken getCsrfToken() {
Request req = RequestCycle.get().getRequest();
HttpServletRequest httpReq = (HttpServletRequest) req.getContainerRequest();

CsrfToken csrfToken = (CsrfToken) httpReq.getAttribute("_csrf");
if (csrfToken != null) {
String parameterName = csrfToken.getParameterName();
String value = csrfToken.getToken();

resp.write("<input type=\"hidden\" name=\"" + parameterName + "\" value=\"" + value + "\"/>");
}
return (CsrfToken) httpReq.getAttribute("_csrf");
}
}
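Review bot: `getCsrfToken()` reads the token from the request attribute named by the literal `"_csrf"`, which is only the default parameter name. As far as I know Spring Security's `CsrfFilter` also stores it under `CsrfToken.class.getName()`, so `return (CsrfToken) httpReq.getAttribute(CsrfToken.class.getName());` would survive a reconfigured parameter name. With the literal key, a renamed parameter makes this method return null and both callers silently skip the token, so form and Ajax POSTs would be rejected with no hint why. Because the method is now `public static`, add a short Javadoc stating that it returns null when no token is attached to the current request and that it needs an active `RequestCycle`. Separately, `appendHiddenInputForCsrf` concatenates `parameterName` and `value` into markup unescaped; wrapping both in Wicket's `Strings.escapeMarkup(...)` would be cheap hardening.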
