Posted to commits@rave.apache.org by ja...@apache.org on 2011/10/24 16:36:50 UTC
svn commit: r1188156 - in /incubator/rave/trunk:
rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/
rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/
rave-components/rave-web/src/test/java/org/apac...
Author: jasha
Date: Mon Oct 24 14:36:49 2011
New Revision: 1188156
URL: http://svn.apache.org/viewvc?rev=1188156&view=rev
Log:
RAVE-300 RAVE-301 restrict fields that can be updated. Check if session token matches submitted token to prevent CSRF
Added:
incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java
Modified:
incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java
incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java
incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java
incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java
incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java
incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java
incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp
incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp
Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java (original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java Mon Oct 24 14:36:49 2011
@@ -19,9 +19,12 @@
package org.apache.rave.portal.web.controller.admin;
+import org.apache.commons.lang.RandomStringUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.rave.portal.web.model.NavigationItem;
import org.apache.rave.portal.web.model.NavigationMenu;
import org.springframework.ui.Model;
+import org.springframework.web.bind.support.SessionStatus;
/**
* Util class for the admin controllers
@@ -29,10 +32,22 @@ import org.springframework.ui.Model;
public final class AdminControllerUtil {
public static final int DEFAULT_PAGE_SIZE = 10;
+ private static final int TOKEN_LENGTH = 256;
private AdminControllerUtil() {
}
+ static String generateSessionToken() {
+ return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
+ }
+
+ public static void checkTokens(String sessionToken, String token, SessionStatus status) {
+ if (StringUtils.length(sessionToken) != TOKEN_LENGTH || !(sessionToken.equals(token))) {
+ status.setComplete();
+ throw new SecurityException("Token does not match");
+ }
+ }
+
static void addNavigationMenusToModel(String selectedItem, Model model) {
final NavigationMenu topMenu = getTopMenu();
model.addAttribute(topMenu.getName(), topMenu);
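Review bot: `generateSessionToken()` builds the anti-CSRF token with `RandomStringUtils.randomAlphanumeric`, which in commons-lang 2.x draws from a shared `java.util.Random` rather than a cryptographic generator, so the token is not as unpredictable as the check in `checkTokens` assumes; pass a `SecureRandom` explicitly, e.g. `private static final SecureRandom RANDOM = new SecureRandom();` and `return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, RANDOM);`. The `if` line in `checkTokens` compares the secrets with `String.equals`, which stops at the first differing character; for a secret comparison prefer the constant-time `MessageDigest.isEqual`: `if (StringUtils.length(sessionToken) != TOKEN_LENGTH || token == null || !MessageDigest.isEqual(sessionToken.getBytes(), token.getBytes()))` (the token is ASCII alphanumeric, so the platform charset does not change the bytes). A Javadoc on `checkTokens` saying that it throws `SecurityException` and completes the session status on mismatch would help callers, since both `UserController` and `WidgetController` depend on that side effect. `addNavigationMenusToModel` continues outside the hunk.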
Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java (original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java Mon Oct 24 14:36:49 2011
@@ -19,6 +19,7 @@
package org.apache.rave.portal.web.controller.admin;
+import org.apache.commons.lang.RandomStringUtils;
import org.apache.rave.portal.model.Authority;
import org.apache.rave.portal.model.User;
import org.apache.rave.portal.model.util.SearchResult;
@@ -39,15 +40,15 @@ import org.springframework.web.bind.anno
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
+import org.springframework.web.bind.support.SessionStatus;
import java.beans.PropertyEditorSupport;
-import java.security.Principal;
/**
* Admin controller to manipulate User data
*/
@Controller
-@SessionAttributes({"user"})
+@SessionAttributes({"user", ModelKeys.TOKENCHECK})
public class UserController {
private static final String SELECTED_ITEM = "users";
@@ -62,8 +63,9 @@ public class UserController {
private UserProfileValidator userProfileValidator;
@InitBinder
- public void initBinder(WebDataBinder b) {
- b.registerCustomEditor(Authority.class, new AuthorityEditor());
+ public void initBinder(WebDataBinder dataBinder) {
+ dataBinder.registerCustomEditor(Authority.class, new AuthorityEditor());
+ dataBinder.setDisallowedFields("entityId", "username", "password", "confirmPassword");
}
@RequestMapping(value = "/admin/users", method = RequestMethod.GET)
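Review bot: `setDisallowedFields` on the new `initBinder` line is a deny-list: every field later added to `User` that an admin must not edit through this form has to be remembered here, and the same applies to the `entityId`-only list in `WidgetController`'s new `initBinder` in this commit. Spring also offers `dataBinder.setAllowedFields(...)`, which names exactly the properties the form may bind (at least `email` is visible in `userdetail.jsp`; the rest of the form is outside the diff) and fails closed when the model grows. If the deny-list is kept, a comment such as `// properties an admin must never change through this form; keep in sync with User` would make the maintenance obligation explicit.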
@@ -86,22 +88,25 @@ public class UserController {
}
@RequestMapping(value = "/admin/userdetail/{userid}", method = RequestMethod.GET)
- public String viewUserDetail(@PathVariable("userid") Long userid, Model model, Principal principal) {
+ public String viewUserDetail(@PathVariable("userid") Long userid, Model model) {
AdminControllerUtil.addNavigationMenusToModel(SELECTED_ITEM, model);
model.addAttribute(userService.getUserById(userid));
- model.addAttribute("loggedInUser", principal.getName());
+ model.addAttribute(ModelKeys.TOKENCHECK, AdminControllerUtil.generateSessionToken());
return ViewNames.ADMIN_USERDETAIL;
}
@RequestMapping(value = "/admin/userdetail/update", method = RequestMethod.POST)
public String updateUserDetail(@ModelAttribute("user") User user, BindingResult result,
- Model model, Principal principal) {
+ @ModelAttribute(ModelKeys.TOKENCHECK) String sessionToken,
+ @RequestParam() String token,
+ SessionStatus status) {
+ AdminControllerUtil.checkTokens(sessionToken, token, status);
userProfileValidator.validate(user, result);
if (result.hasErrors()) {
- model.addAttribute("loggedInUser", principal.getName());
return ViewNames.ADMIN_USERDETAIL;
}
userService.updateUserProfile(user);
+ status.setComplete();
return "redirect:" + user.getEntityId();
}
@@ -110,6 +115,11 @@ public class UserController {
return authorityService.getAllAuthorities();
}
+ @ModelAttribute("loggedInUser")
+ public String populateLoggedInUsername() {
+ return userService.getAuthenticatedUser().getUsername();
+ }
+
// setters for unit tests
void setUserService(UserService userService) {
this.userService = userService;
@@ -123,6 +133,11 @@ public class UserController {
this.userProfileValidator = userProfileValidator;
}
+ private String getRandomToken() {
+ return RandomStringUtils.randomAlphanumeric(256);
+ }
+
+
/**
* Mapping between the submitted form value and an {@link Authority}
*/
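Review bot: `getRandomToken()` added here is private, not called anywhere in this file's visible hunks, and duplicates `AdminControllerUtil.generateSessionToken()` with the length `256` hard-coded instead of the shared `TOKEN_LENGTH`; the `RandomStringUtils` import added in the first hunk of this file exists only for it. Dropping the method and the import keeps a single token generator whose properties can be reviewed in one place. If it is meant to stay, it should delegate: `return AdminControllerUtil.generateSessionToken();`.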
Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java (original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java Mon Oct 24 14:36:49 2011
@@ -30,12 +30,15 @@ import org.springframework.beans.factory
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
+import org.springframework.web.bind.support.SessionStatus;
import static org.apache.rave.portal.model.WidgetStatus.values;
@@ -43,7 +46,7 @@ import static org.apache.rave.portal.mod
* Admin controller to manipulate Widget data
*/
@Controller
-@SessionAttributes({"widget"})
+@SessionAttributes({ModelKeys.WIDGET, ModelKeys.TOKENCHECK})
public class WidgetController {
private static final String SELECTED_ITEM = "widgets";
@@ -54,6 +57,11 @@ public class WidgetController {
@Autowired
private NewWidgetValidator widgetValidator;
+ @InitBinder
+ public void initBinder(WebDataBinder dataBinder) {
+ dataBinder.setDisallowedFields("entityId");
+ }
+
@RequestMapping(value = "/admin/widgets", method = RequestMethod.GET)
public String viewWidgets(@RequestParam(required = false, defaultValue = "0") int offset, Model model) {
AdminControllerUtil.addNavigationMenusToModel(SELECTED_ITEM, model);
@@ -67,16 +75,22 @@ public class WidgetController {
public String viewWidgetDetail(@PathVariable("widgetid") Long widgetid, Model model) {
AdminControllerUtil.addNavigationMenusToModel(SELECTED_ITEM, model);
model.addAttribute(widgetService.getWidget(widgetid));
+ model.addAttribute(ModelKeys.TOKENCHECK, AdminControllerUtil.generateSessionToken());
return ViewNames.ADMIN_WIDGETDETAIL;
}
@RequestMapping(value = "/admin/widgetdetail/update", method = RequestMethod.POST)
- public String updateWidgetDetail(@ModelAttribute("widget") Widget widget, BindingResult result) {
+ public String updateWidgetDetail(@ModelAttribute(ModelKeys.WIDGET) Widget widget, BindingResult result,
+ @ModelAttribute(ModelKeys.TOKENCHECK) String sessionToken,
+ @RequestParam() String token,
+ SessionStatus status) {
+ AdminControllerUtil.checkTokens(sessionToken, token, status);
widgetValidator.validate(widget, result);
if (result.hasErrors()) {
return ViewNames.ADMIN_WIDGETDETAIL;
}
widgetService.updateWidget(widget);
+ status.setComplete();
return "redirect:" + widget.getEntityId();
}
@@ -85,9 +99,7 @@ public class WidgetController {
return values();
}
-
// setters for unit tests
-
void setWidgetService(WidgetService widgetService) {
this.widgetService = widgetService;
}
@@ -95,4 +107,5 @@ public class WidgetController {
void setWidgetValidator(NewWidgetValidator widgetValidator) {
this.widgetValidator = widgetValidator;
}
+
}
Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java (original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java Mon Oct 24 14:36:49 2011
@@ -36,4 +36,5 @@ public class ModelKeys {
public static final String SEARCH_TERM = "searchTerm";
public static final String OFFSET = "offset";
public static final String SEARCHRESULT = "searchResult";
+ public static final String TOKENCHECK = "tokencheck";
}
\ No newline at end of file
Added: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java?rev=1188156&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java (added)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java Mon Oct 24 14:36:49 2011
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.web.controller.admin;
+
+import org.junit.Test;
+import org.springframework.web.bind.support.SessionStatus;
+
+import static junit.framework.Assert.assertTrue;
+import static org.easymock.EasyMock.createMock;
+
+/**
+ * Test for {@link AdminControllerUtil}
+ */
+public class AdminControllerUtilTest {
+
+ @Test
+ public void checkTokens_valid() throws Exception {
+ String token = AdminControllerUtil.generateSessionToken();
+ SessionStatus status = createMock(SessionStatus.class);
+ AdminControllerUtil.checkTokens(token, token, status);
+ assertTrue("No errors", true);
+ }
+
+ @Test(expected = SecurityException.class)
+ public void checkTokens_invalidLength() throws Exception {
+ String token = "token";
+ SessionStatus status = createMock(SessionStatus.class);
+ AdminControllerUtil.checkTokens(token, token, status);
+ assertTrue("Exception occurred", false);
+ }
+
+ @Test(expected = SecurityException.class)
+ public void checkTokens_invalidNoMatch() throws Exception {
+ String token1 = AdminControllerUtil.generateSessionToken();
+ String token2 = AdminControllerUtil.generateSessionToken();
+ SessionStatus status = createMock(SessionStatus.class);
+ AdminControllerUtil.checkTokens(token1, token2, status);
+ assertTrue("Exception occurred", false);
+ }
+}
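Review bot: In all three tests the `SessionStatus` mock is created but never switched to replay mode, so EasyMock merely records the `setComplete()` call made by `checkTokens`, and the tests prove neither that the session is completed on a mismatch nor that it is left alone on a match. In `checkTokens_valid`, `replay(status)` with no expectations before the call and `verify(status)` after it, so an unexpected `setComplete()` fails the test; in the two failure tests record `status.setComplete(); expectLastCall(); replay(status);` before the call and verify in a `try/finally` or an `@After` method, since the expected exception skips anything after the call. `assertTrue("No errors", true)` asserts nothing and can be removed, and the two `assertTrue(..., false)` lines are unreachable under `expected = SecurityException.class` and read better as `fail(...)`. A case with a `null` session token (no `tokencheck` in session) would also cover the `StringUtils.length` guard.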
Modified: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java (original)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java Mon Oct 24 14:36:49 2011
@@ -33,8 +33,8 @@ import org.springframework.ui.ExtendedMo
import org.springframework.ui.Model;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.support.SessionStatus;
-import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
@@ -57,6 +57,7 @@ public class UserControllerTest {
private UserController controller;
private UserService userService;
private AuthorityService authorityService;
+ private String validToken;
@Test
public void adminUsers() throws Exception {
@@ -99,25 +100,21 @@ public class UserControllerTest {
Model model = new ExtendedModelMap();
Long userid = 123L;
User user = new User(userid, "john.doe.sr");
- Principal principal = createMock(Principal.class);
- expect(principal.getName()).andReturn("canonical");
expect(userService.getUserById(userid)).andReturn(user);
- replay(userService, principal);
+ replay(userService);
- String adminUserDetailView = controller.viewUserDetail(userid, model, principal);
- verify(userService, principal);
+ String adminUserDetailView = controller.viewUserDetail(userid, model);
+ verify(userService);
assertEquals(ViewNames.ADMIN_USERDETAIL, adminUserDetailView);
assertTrue(model.containsAttribute(TABS));
assertEquals(user, model.asMap().get("user"));
- assertEquals("canonical", model.asMap().get("loggedInUser"));
}
@Test
public void updateUserDetail_success() {
- Model model = new ExtendedModelMap();
final Long userid = 123L;
final String email = "john.doe.sr@example.net";
User user = new User(userid, "john.doe.sr");
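Review bot: `viewUserDetail` now places the freshly generated token in the model, but the test's assertions end at `model.asMap().get("user")` without checking it, so a regression that drops the token (and silently breaks every admin update form) would still pass. Add `assertTrue(model.containsAttribute(ModelKeys.TOKENCHECK));` (importing `ModelKeys` if the test does not already) and, since length is what `checkTokens` later validates, `assertEquals(256, ((String) model.asMap().get(ModelKeys.TOKENCHECK)).length());` — or make `TOKEN_LENGTH` package-private and assert against it. If `WidgetControllerTest` covers `viewWidgetDetail`, which this commit does not touch, the same assertion is needed there.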
@@ -126,15 +123,16 @@ public class UserControllerTest {
user.setEmail(email);
final BindingResult errors = new BeanPropertyBindingResult(user, "user");
- Principal principal = createMock(Principal.class);
+ SessionStatus sessionStatus = createMock(SessionStatus.class);
expect(userService.getUserByEmail(email)).andReturn(user);
userService.updateUserProfile(user);
+ sessionStatus.setComplete();
expectLastCall();
- replay(userService);
+ replay(userService, sessionStatus);
- final String view = controller.updateUserDetail(user, errors, model, principal);
- verify(userService);
+ final String view = controller.updateUserDetail(user, errors, validToken, validToken, sessionStatus);
+ verify(userService, sessionStatus);
assertFalse(errors.hasErrors());
assertEquals("redirect:" + userid, view);
@@ -142,21 +140,38 @@ public class UserControllerTest {
@Test
public void updateUserDetail_withErrors() {
- Model model = new ExtendedModelMap();
Long userid = 123L;
User user = new User(userid, "john.doe.sr");
final BindingResult errors = new BeanPropertyBindingResult(user, "user");
- Principal principal = createMock(Principal.class);
- expect(principal.getName()).andReturn("canonical");
- replay(principal);
- final String view = controller.updateUserDetail(user, errors, model, principal);
- verify(principal);
+ SessionStatus sessionStatus = createMock(SessionStatus.class);
+ replay(sessionStatus);
+ final String view = controller.updateUserDetail(user, errors, validToken, validToken, sessionStatus);
+ verify(sessionStatus);
assertTrue(errors.hasErrors());
assertEquals(ViewNames.ADMIN_USERDETAIL, view);
}
+ @Test(expected = SecurityException.class)
+ public void updateUserDetail_wrongToken() {
+ User user = new User(123L, "john.doe.sr");
+ final BindingResult errors = new BeanPropertyBindingResult(user, "user");
+ SessionStatus sessionStatus = createMock(SessionStatus.class);
+ sessionStatus.setComplete();
+
+ expectLastCall();
+ replay(sessionStatus);
+
+ String otherToken = AdminControllerUtil.generateSessionToken();
+
+ controller.updateUserDetail(user, errors, validToken, otherToken, sessionStatus);
+ verify(sessionStatus);
+
+ assertFalse("SecurityException", true);
+
+ }
+
@Test
public void getAuthoritiesForModelMap() {
final SearchResult<Authority> authorities = createSearchResultWithTwoAuthorities();
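Review bot: In `updateUserDetail_wrongToken` the expected `SecurityException` is thrown by `controller.updateUserDetail(...)`, so the `verify(sessionStatus)` and the `assertFalse("SecurityException", true)` after it never execute; the recorded `setComplete()` expectation is never verified and the test passes even if the session is not completed on a mismatch. Wrap the call so verification still runs: `try { controller.updateUserDetail(user, errors, validToken, otherToken, sessionStatus); } finally { verify(sessionStatus); }`. The unreachable `assertFalse` line is misleading and should be dropped or replaced by `fail("expected SecurityException")`. `updateWidget_wrongToken` in `WidgetControllerTest` has the same structure.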
@@ -179,6 +194,7 @@ public class UserControllerTest {
UserProfileValidator userProfileValidator = new UserProfileValidator(userService);
controller.setUserProfileValidator(userProfileValidator);
+ validToken = AdminControllerUtil.generateSessionToken();
}
Modified: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java (original)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java Mon Oct 24 14:36:49 2011
@@ -31,6 +31,7 @@ import org.springframework.ui.ExtendedMo
import org.springframework.ui.Model;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.support.SessionStatus;
import java.util.ArrayList;
import java.util.List;
@@ -56,6 +57,7 @@ public class WidgetControllerTest {
private WidgetController controller;
private WidgetService service;
private NewWidgetValidator validator;
+ private String validToken;
@Test
public void adminWidgets() throws Exception {
@@ -95,24 +97,45 @@ public class WidgetControllerTest {
widget.setTitle("Widget title");
widget.setType("OpenSocial");
BindingResult errors = new BeanPropertyBindingResult(widget, "widget");
+ SessionStatus sessionStatus = createMock(SessionStatus.class);
service.updateWidget(widget);
+ sessionStatus.setComplete();
expectLastCall();
- replay(service);
- String view = controller.updateWidgetDetail(widget, errors);
- verify(service);
+ replay(service, sessionStatus);
+ String view = controller.updateWidgetDetail(widget, errors, validToken, validToken, sessionStatus);
+ verify(service, sessionStatus);
assertFalse("No errors", errors.hasErrors());
assertEquals("redirect:123", view);
}
+ @Test(expected = SecurityException.class)
+ public void updateWidget_wrongToken() {
+ Widget widget = new Widget();
+ BindingResult errors = new BeanPropertyBindingResult(widget, "widget");
+ SessionStatus sessionStatus = createMock(SessionStatus.class);
+
+ sessionStatus.setComplete();
+ expectLastCall();
+ replay(sessionStatus);
+
+ String otherToken = AdminControllerUtil.generateSessionToken();
+
+ controller.updateWidgetDetail(widget, errors, "sessionToken", otherToken, sessionStatus);
+
+ verify(sessionStatus);
+ assertFalse("Can't come here", true);
+ }
+
@Test
public void updateWidget_invalid() {
Widget widget = new Widget(123L, "http://broken/url");
BindingResult errors = new BeanPropertyBindingResult(widget, "widget");
+ SessionStatus sessionStatus = createMock(SessionStatus.class);
- String view = controller.updateWidgetDetail(widget, errors);
+ String view = controller.updateWidgetDetail(widget, errors, validToken, validToken, sessionStatus);
assertTrue("Errors", errors.hasErrors());
assertEquals(ViewNames.ADMIN_WIDGETDETAIL, view);
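Review bot: `updateWidget_wrongToken` passes the literal `"sessionToken"` as the session-held token, which fails `checkTokens` on the length guard before the two tokens are ever compared, so despite its name the test does not exercise the mismatch branch; `validToken` is already prepared in the fixture and should be used: `controller.updateWidgetDetail(widget, errors, validToken, otherToken, sessionStatus);`. As in the user test, the `verify(sessionStatus)` after the throwing call never runs, so the `setComplete()` expectation stays unverified unless the call is wrapped in `try/finally`. In `updateWidget_invalid` the new `SessionStatus` mock is never replayed, which only works because the error path does not touch it; a `replay(sessionStatus);` before the call and `verify(sessionStatus);` after it would pin that the session is kept open on validation errors.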
@@ -126,6 +149,7 @@ public class WidgetControllerTest {
controller.setWidgetService(service);
validator = new NewWidgetValidator();
controller.setWidgetValidator(validator);
+ validToken = AdminControllerUtil.generateSessionToken();
}
Modified: incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp (original)
+++ incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp Mon Oct 24 14:36:49 2011
@@ -50,6 +50,7 @@
<form:form id="updateUserProfile" action="update" commandName="user" method="POST">
<form:errors cssClass="error" element="p"/>
<fieldset>
+ <input type="hidden" name="token" value="<c:out value="${tokencheck}"/>"/>
<p>
<label for="email"><fmt:message key="page.general.email"/></label>
<spring:bind path="email">
Modified: incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp (original)
+++ incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp Mon Oct 24 14:36:49 2011
@@ -64,6 +64,7 @@
<form:form id="updateWidget" action="update" commandName="widget" method="POST">
<form:errors cssClass="error" element="p"/>
<fieldset>
+ <input type="hidden" name="token" value="<c:out value="${tokencheck}"/>"/>
<p><fmt:message key="form.some.fields.required"/></p>
<p>