
Fixes based on pentesting with ZAP.

mraible committed Feb 12, 2013
1 parent 38c5598 commit 9a45b74b0b1c85c3e02f3824bc57f0cf76423000
@@ -110,6 +110,7 @@
<configuration>
<webAppConfig>
<contextPath>/</contextPath>
<defaultsDescriptor>src/test/resources/webdefault.xml</defaultsDescriptor>
</webAppConfig>
<connectors>
<connector implementation="org.eclipse.jetty.server.nio.SelectChannelConnector">
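Review bot: The `defaultsDescriptor` added on L14 points at `src/test/resources/webdefault.xml`, which only configures the Maven Jetty plugin's development server; whatever Jetty default it overrides (presumably directory listing or similar, the file itself is not in the diff) will not carry into the packaged WAR, so the same ZAP finding will reappear against the real servlet container. If the intent is to harden the deployed app, the equivalent setting belongs in `web.xml` or the target container's configuration, with the plugin descriptor kept only for local parity. The enclosing `<plugin>` element starts and ends outside this hunk.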
@@ -16,7 +16,11 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
response.setHeader("Access-Control-Allow-Credentials", "true");
chain.doFilter(req, res);
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
response.setHeader("Pragma", "no-cache"); // HTTP 1.0
response.setDateHeader("Expires", 0); // Proxies
chain.doFilter(req, response);
}
public void init(FilterConfig filterConfig) {
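Review bot: The new lines L22-L24 send no-store on every response this filter matches, but the filter still emits none of the other headers ZAP reports by default; unless they are set above the hunk, add `response.setHeader("X-Frame-Options", "SAMEORIGIN");` and `response.setHeader("X-Content-Type-Options", "nosniff");` alongside the Cache-Control line. `Access-Control-Allow-Credentials: true` on L20 is only acceptable if the Access-Control-Allow-Origin value set earlier in the method is a specific origin rather than `*`, which cannot be confirmed from this hunk. If the filter is mapped to `/*`, the blanket no-store also applies to static assets; scoping the cache headers to authenticated or dynamic responses would avoid that cost. doFilter begins before this hunk.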
@@ -8,6 +8,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.appfuse.model.User;
import org.appfuse.service.UserExistsException;
import org.appfuse.service.UserManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.propertyeditors.CustomDateEditor;
@@ -16,6 +17,7 @@
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.validation.ObjectError;
import org.springframework.validation.Validator;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
@@ -80,7 +82,12 @@ public String onSubmit(User user, BindingResult result, HttpServletRequest reque
request.getSession().setAttribute("message",
getText("user.deleted", user.getFullName()));
} else {
userManager.saveUser(user);
try {
userManager.saveUser(user);
} catch (UserExistsException uex) {
result.addError(new ObjectError("user", uex.getMessage()));
return "userform";
}
request.getSession().setAttribute("message",
getText("user.saved", user.getFullName()));
}
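Review bot: `uex.getMessage()` on L52 is surfaced directly as user-facing error text, so whatever wording the service layer puts into UserExistsException becomes page content; the controller already resolves messages through getText(...) (L46, L56), so a bundle key would be the consistent choice, e.g. `result.addError(new ObjectError("user", getText("errors.existing.user", user.getUsername())));` with the key name to be confirmed against the resource bundle. Rendering this message is safe only because the form view now escapes `status.errorMessages` in this same commit. onSubmit continues past the end of the hunk.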
@@ -12,7 +12,7 @@
<intercept-url pattern="/app/users" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true"
login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" use-secure-cookie="true"/>
</http>
<authentication-manager alias="authenticationManager">
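Review bot: The remember-me `key` on L63 is a fixed literal committed to source control; it is the secret folded into the remember-me cookie signature, so it should be externalized, e.g. `key="${remember-me.key}"` via a property placeholder, and rotated now that this value is public. Adding `use-secure-cookie="true"` is correct given the https channel requirement on L59, and `token-validity-seconds` would bound how long a stolen cookie stays valid. The enclosing `<http>` element starts before this hunk.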
@@ -168,4 +168,13 @@
<error-code>500</error-code>
<location>/error.jsp</location>
</error-page>
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
</web-app>
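Review bot: `<cookie-config>` and `<tracking-mode>` (L72-L76) are Servlet 3.0 elements, so they only take effect if the `<web-app>` header outside this hunk declares schema version 3.0 or later; on a 2.5 descriptor the container rejects or ignores them. With `<secure>true</secure>` the JSESSIONID cookie is never sent over plain HTTP, so every page that relies on the session, including `/login`, must be served over HTTPS; the security config shown requires https only for `/app/users`, so confirm the remaining paths. A comment such as `<!-- secure=true: requires every session-bearing URL to be served over HTTPS -->` would make that dependency explicit.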
@@ -5,11 +5,4 @@
<c:out value="${requestScope.exception.message}"/>
</p>
<!--
<%
Exception ex = (Exception) request.getAttribute("exception");
ex.printStackTrace(new java.io.PrintWriter(out));
%>
-->
<a href="<c:url value='/'/>">&#171; Home</a>
@@ -2,9 +2,4 @@
<head><title>Doh!</title></head>
An Error has occurred in this application.
<% if (exception != null) { %>
Please check your log files for further information.
<% System.err.println(exception); %>
<% } %>
An Error has occurred in this application.
@@ -6,7 +6,7 @@
Please enter your username and password to login.
</p>
<form method="post" id="loginForm" class="form-signin" action="${ctx}/j_security_check">
<form method="post" id="loginForm" class="form-signin" action="${ctx}/j_security_check" autocomplete="off">
<h2 class="form-signin-heading">Sign In</h2>
<c:if test="${param.error == 'true'}">
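Review bot: `autocomplete="off"` on the form element (L101) addresses ZAP's password-autocomplete finding only nominally; browsers increasingly ignore it for credential fields, and the password input itself (outside the hunk) would need the attribute as well. No anti-CSRF token is visible in the part of the form shown, and since it posts to `j_security_check` a login-CSRF protection should be confirmed elsewhere. The form element continues past the end of the hunk.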
@@ -11,7 +11,7 @@
<div class="alert alert-error fade in">
<a href="#" data-dismiss="alert" class="close">&times;</a>
<c:forEach var="error" items="${status.errorMessages}">
<c:out value="${error}" escapeXml="false"/><br/>
<c:out value="${error}" escapeXml="true"/><br/>
</c:forEach>
</div>
</c:if>
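Review bot: `escapeXml="true"` on L109 is already the default for `<c:out>`, so the change is equivalent to dropping the attribute; keeping it explicit is fine, but a comment such as `<%-- errorMessages may echo user input; never render unescaped --%>` would stop someone re-enabling it later. Confirm that no message in the resource bundle relied on the markup that is now escaped. The enclosing `<c:if>` starts before this hunk.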
