fixed issuer on login page, added CSRF to login / logout, closes mitreid-connect#870, closes mitreid-connect#824, closes mitreid-connect#875

Author: jricher

openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag

@@ -89,7 +89,7 @@
 <ul class="dropdown-menu pull-right">
 <li><a href="manage/#user/profile" data-toggle="collapse" data-target=".nav-collapse">${ longName }</a></li>
 <li class="divider"></li>
-<li><a href="logout" data-toggle="collapse" data-target=".nav-collapse"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
+<li><a href="" data-toggle="collapse" data-target=".nav-collapse" class="logoutLink"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
 </ul>
 </li>
  </security:authorize>
@@ -105,17 +105,29 @@
  <security:authorize access="hasRole('ROLE_USER')">
 <li><a href="manage/#user/profile">${ longName }</a></li>
 <li class="divider"></li>
-<li><a href="logout"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
+<li><a href="" class="logoutLink"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
  </security:authorize>
  <security:authorize access="!hasRole('ROLE_USER')">
  <li>
 	<a href="login" data-toggle="collapse" data-target=".nav-collapse"><i class="icon-lock"></i> <spring:message code="topbar.login"/></a>
  </li>
  </security:authorize>
  </ul>
- 
+ <form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }logout" method="POST" class="hidden" id="logoutForm">
+<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+</form>
+ 
  </div><!--/.nav-collapse -->
 </c:if>
  </div>
  </div>
 </div>
+
+<script type="text/javascript">
+$(document).ready(function() {
+$('.logoutLink').on('click', function(e) {
+e.preventDefault();
+$('#logoutForm').submit();
+});
+});
+</script>

openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -37,10 +37,6 @@
 
 <mvc:view-controller path="/login" view-name="login" />
 
-<security:http pattern="/login**" use-expressions="true" entry-point-ref="http403EntryPoint">
-<security:intercept-url pattern="/login**" access="permitAll"/>
-</security:http>
-
 <security:http disable-url-rewriting="true" use-expressions="true"> 
 <security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
 <security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
@@ -52,6 +48,7 @@
 <security:headers>
 <security:frame-options policy="DENY" />
 </security:headers>
+<security:csrf />
 </security:http>
 
 </beans>

openid-connect-server-webapp/src/main/webapp/WEB-INF/views/login.jsp

@@ -26,8 +26,7 @@ $(document).ready(function() {
 
 <div class="row-fluid">
 <div class="span6 offset1 well">
-<form action="<%=request.getContextPath()%>/j_spring_security_check"
-method="POST">
+<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }j_spring_security_check" method="POST">
 <div>
 <div class="input-prepend input-block-level">
 <span class="add-on"><i class="icon-user"></i></span>
@@ -41,6 +40,7 @@ $(document).ready(function() {
 </div>
 </div>
 <div>
+<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
 <input type="submit" class="btn" value="Login" name="submit">
 </div>
 </form>