Adding CSRF support

core/src/main/java/org/fao/geonet/security/web/csrf/CookieCsrfTokenRepository.java

@@ -0,0 +1,199 @@
+/*
+ * Taken from https://raw.githubusercontent.com/spring-projects/spring-security/master/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
+ */
+
+package org.fao.geonet.security.web.csrf;
+
+import java.lang.reflect.Method;
+import java.util.UUID;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.DefaultCsrfToken;
+import org.springframework.util.Assert;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.WebUtils;
+
+/**
+ * A {@link CsrfTokenRepository} that persists the CSRF token in a cookie named
+ * "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the
+ * conventions of AngularJS. When using with AngularJS be sure to use
+ * {@link #withHttpOnlyFalse()}.
+ *
+ * @author Rob Winch
+ * @since 4.1
+ */
+public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
+  static final String DEFAULT_CSRF_COOKIE_NAME = "XSRF-TOKEN";
+
+  static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
+
+  static final String DEFAULT_CSRF_HEADER_NAME = "X-XSRF-TOKEN";
+
+  private String parameterName = DEFAULT_CSRF_PARAMETER_NAME;
+
+  private String headerName = DEFAULT_CSRF_HEADER_NAME;
+
+  private String cookieName = DEFAULT_CSRF_COOKIE_NAME;
+
+  private final Method setHttpOnlyMethod;
+
+  private boolean cookieHttpOnly;
+
+  private String cookiePath;
+
+  public CookieCsrfTokenRepository() {
+    this.setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
+    if (this.setHttpOnlyMethod != null) {
+      this.cookieHttpOnly = true;
+    }
+  }
+
+  @Override
+  public CsrfToken generateToken(HttpServletRequest request) {
+    return new DefaultCsrfToken(this.headerName, this.parameterName, createNewToken());
+  }
+
+  @Override
+  public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
+    String tokenValue = token == null ? "" : token.getToken();
+    Cookie cookie = new Cookie(this.cookieName, tokenValue);
+    cookie.setSecure(request.isSecure());
+    if (this.cookiePath != null && !this.cookiePath.isEmpty()) {
+      cookie.setPath(this.cookiePath);
+    } else {
+      cookie.setPath(this.getRequestContext(request));
+    }
+    if (token == null) {
+      cookie.setMaxAge(0);
+    } else {
+      cookie.setMaxAge(-1);
+    }
+    if (cookieHttpOnly && setHttpOnlyMethod != null) {
+      ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
+    }
+
+    response.addCookie(cookie);
+  }
+
+  @Override
+  public CsrfToken loadToken(HttpServletRequest request) {
+    Cookie cookie = WebUtils.getCookie(request, this.cookieName);
+    if (cookie == null) {
+      return null;
+    }
+    String token = cookie.getValue();
+    if (!StringUtils.hasLength(token)) {
+      return null;
+    }
+    return new DefaultCsrfToken(this.headerName, this.parameterName, token);
+  }
+
+  /**
+   * Sets the name of the HTTP request parameter that should be used to provide
+   * a token.
+   *
+   * @param parameterName
+   *          the name of the HTTP request parameter that should be used to
+   *          provide a token
+   */
+  public void setParameterName(String parameterName) {
+    Assert.notNull(parameterName, "parameterName is not null");
+    this.parameterName = parameterName;
+  }
+
+  /**
+   * Sets the name of the HTTP header that should be used to provide the token.
+   *
+   * @param headerName
+   *          the name of the HTTP header that should be used to provide the
+   *          token
+   */
+  public void setHeaderName(String headerName) {
+    Assert.notNull(headerName, "headerName is not null");
+    this.headerName = headerName;
+  }
+
+  /**
+   * Sets the name of the cookie that the expected CSRF token is saved to and
+   * read from.
+   *
+   * @param cookieName
+   *          the name of the cookie that the expected CSRF token is saved to
+   *          and read from
+   */
+  public void setCookieName(String cookieName) {
+    Assert.notNull(cookieName, "cookieName is not null");
+    this.cookieName = cookieName;
+  }
+
+  /**
+   * Sets the HttpOnly attribute on the cookie containing the CSRF token. The
+   * cookie will only be marked as HttpOnly if both <code>cookieHttpOnly</code>
+   * is <code>true</code> and the underlying version of Servlet is 3.0 or
+   * greater. Defaults to <code>true</code> if the underlying version of Servlet
+   * is 3.0 or greater. NOTE: The {@link Cookie#setHttpOnly(boolean)} was
+   * introduced in Servlet 3.0.
+   *
+   * @param cookieHttpOnly
+   *          <code>true</code> sets the HttpOnly attribute, <code>false</code>
+   *          does not set it (depending on Servlet version)
+   * @throws IllegalArgumentException
+   *           if <code>cookieHttpOnly</code> is <code>true</code> and the
+   *           underlying version of Servlet is less than 3.0
+   */
+  public void setCookieHttpOnly(boolean cookieHttpOnly) {
+    if (cookieHttpOnly && setHttpOnlyMethod == null) {
+      throw new IllegalArgumentException(
+          "Cookie will not be marked as HttpOnly because you are using a version of Servlet less than 3.0. NOTE: The Cookie#setHttpOnly(boolean) was introduced in Servlet 3.0.");
+    }
+    this.cookieHttpOnly = cookieHttpOnly;
+  }
+
+  private String getRequestContext(HttpServletRequest request) {
+    String contextPath = request.getContextPath();
+    return contextPath.length() > 0 ? contextPath : "/";
+  }
+
+  /**
+   * Factory method to conveniently create an instance that has
+   * {@link #setCookieHttpOnly(boolean)} set to false.
+   *
+   * @return an instance of CookieCsrfTokenRepository with
+   *         {@link #setCookieHttpOnly(boolean)} set to false
+   */
+  public static CookieCsrfTokenRepository withHttpOnlyFalse() {
+    CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
+    result.setCookieHttpOnly(false);
+    return result;
+  }
+
+  private String createNewToken() {
+    return UUID.randomUUID().toString();
+  }
+
+  /**
+   * Set the path that the Cookie will be created with. This will override the
+   * default functionality which uses the request context as the path.
+   *
+   * @param path
+   *          the path to use
+   */
+  public void setCookiePath(String path) {
+    this.cookiePath = path;
+  }
+
+  /**
+   * Get the path that the CSRF cookie will be set to.
+   *
+   * @return the path to be used.
+   */
+  public String getCookiePath() {
+    return this.cookiePath;
+  }
+}

web-ui/src/main/resources/catalog/components/admin/schematron/partials/criteria-viewer.html

@@ -19,6 +19,7 @@
   <div class="row" data-ng-show="editing">
         <form class="" role="form"
           data-ng-keyup="handleKeyUp($event.keyCode)">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
                 <div class="form-group col-sm-4">
         <select
           class="form-control"

web-ui/src/main/resources/catalog/components/common/map/print/partials/print.html

@@ -1,4 +1,5 @@
 <form class="">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
   <div class="form-group">
     <label class="control-label"
            data-translate="">print_layout</label>

web-ui/src/main/resources/catalog/components/common/map/print/partials/printmap.html

@@ -1,4 +1,5 @@
 <form>
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
   <div class="form-group">
     <label class="control-label"
            data-translate="">mapTitle</label>

web-ui/src/main/resources/catalog/components/common/share/partials/panel.html

@@ -20,6 +20,7 @@ <h5 translate>whoCanAccess</h5>
 
   <form name="opsForm" id="opsForm"
         data-ng-class="{'gn-sharing-batch': batch}">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <table class="table table-striped" data-ng-show="privileges.length > 0">
       <thead>
       <tr>

web-ui/src/main/resources/catalog/components/contactus/partials/contactusform.html

@@ -1,4 +1,5 @@
 <form class="form-horizontal" role="form" id="gn-contact-us-form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
   <div class="form-group">
     <label class="col-sm-3 control-label" data-translate="">name</label>
     <div class="col-sm-9">

web-ui/src/main/resources/catalog/components/edit/geopublisher/partials/geopublisher.html

@@ -28,6 +28,7 @@
     <div class="panel-body">
       <!-- Header with projection selection, draw button and area list -->
       <form class="form" data-role="form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
         <div class="form-group" class="col-sm-12 inline">
           <div class="btn-toolbar">
             <button class="btn btn-lin btn-xs"

web-ui/src/main/resources/catalog/components/edit/onlinesrc/partials/addOnlinesrc.html

@@ -6,6 +6,7 @@
             class="form-horizontal"
             role="form"
             method="POST">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
         <div class="onlinesrc-container">
 
           <div data-ng-show="config.types.length > 1 && config.display == 'radio'">
@@ -221,6 +222,7 @@
         <div class="panel-body">
           <form class="form-horizontal" role="form"
                 data-ng-search-form="">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
             <div class="input-group">
               <span class="input-group-addon">
                 <i class="fa fa-search"/>

web-ui/src/main/resources/catalog/components/edit/onlinesrc/partials/linkServiceToDataset.html

@@ -1,6 +1,7 @@
 <div>
   <form class="form-horizontal" role="form"
         data-ng-search-form="">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="onlinesrc-container">
       <div class="form-group">
         <div class="col-sm-10">

web-ui/src/main/resources/catalog/components/edit/onlinesrc/partials/linkToMd.html

@@ -1,6 +1,7 @@
 <div>
   <form class="form-horizontal" role="form"
         data-ng-search-form="">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="onlinesrc-container">
       <div class="form-group">
         <div class="col-sm-10">

web-ui/src/main/resources/catalog/components/edit/onlinesrc/partials/linktosibling.html

@@ -1,6 +1,7 @@
 <div>
   <form class="form-horizontal" role="form"
         data-ng-search-form="">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="onlinesrc-container">
 
       <div class="form-group">

web-ui/src/main/resources/catalog/components/edit/suggestion/partials/runprocess.html

@@ -1,6 +1,7 @@
 <div>
   <div class="alert alert-info">{{currentSuggestion.name}}</div>
   <form class="form-horizontal" role="form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="form-group" data-ng-repeat="(key,param) in processParams">
       <label
         data-ng-if="param.type == 'string' || param.type == 'expression' || param.type == 'codelist'"

web-ui/src/main/resources/catalog/components/mdFeedback/partials/mdFeedback.html

@@ -21,6 +21,7 @@ <h3>
               name="gnFeedbackForm"
               data-ng-submit="send(gnFeedbackForm, '#gn-contact-md-form')"
               id="gn-contact-md-form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
           <div class="modal-body">
             <div data-ng-if="!success">
               <div class="">

web-ui/src/main/resources/catalog/components/metadataactions/partials/statusupdater.html

@@ -1,4 +1,5 @@
 <form name="myForm">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
   <div class="row">
     <div class="col-md-4">
       <!-- TODO: Status are disabled based on profiles and

web-ui/src/main/resources/catalog/components/viewer/draw/partials/styleform.html

@@ -1,4 +1,5 @@
 <form role="form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
 
   <!--Point-->
   <div data-ng-if="getType() == 'point'">

web-ui/src/main/resources/catalog/components/viewer/ncwms/partials/ncwmstools.html

@@ -1,5 +1,6 @@
 <div class="panel-body panel-ncwms">
   <form class="form-horizontal" role="form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
 
     <!--Scales-->
     <div class="form-group">

web-ui/src/main/resources/catalog/components/viewer/owscontext/partials/owscontext.html

@@ -24,6 +24,7 @@
   <fieldset data-ng-if="isSaveMapInCatalogAllowed && user.isEditorOrMore()">
     <legend data-translate="">saveMapInCatalog</legend>
     <form>
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
       <div class="form-group">
         <label for="mapTitle"
                data-translate="">mapTitle</label>

web-ui/src/main/resources/catalog/components/viewer/searchlayerformap/partials/searchlayerformap.html

@@ -1,5 +1,6 @@
 <div>
   <form role="form" data-ng-search-form="">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="form-group">
       <div class="input-group">
         <span class="input-group-addon"><i

web-ui/src/main/resources/catalog/components/viewer/wfs/partials/processform.html

@@ -9,6 +9,7 @@ <h4><span translate>wpsLoadingProcessDescription</span></h4>
 
     <div ng-switch-when="loaded">
       <form>
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
         <h5>{{::title}}</h5>
         <div ng-repeat="input in inputs" class="form-group"
              ng-class="{'gn-required': input.required}">

web-ui/src/main/resources/catalog/components/viewer/wfsfilter/partials/wfsfilterfacet.html

@@ -1,4 +1,5 @@
 <form name="wfsFilterForm">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
 
   <!--WFS not available alert-->
   <div data-ng-show="isWfsAvailable == false" class="alert alert-warning">

web-ui/src/main/resources/catalog/components/viewer/wmsimport/partials/kmlimport.html

@@ -1,5 +1,6 @@
 <div>
   <form class="ng-pristine ng-valid" role="form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="form-group" data-ng-class="{'has-error' : !validUrl}">
 
       <!--File URL-->

web-ui/src/main/resources/catalog/components/viewer/wmsimport/partials/wmsimport.html

@@ -1,5 +1,6 @@
 <div class="layerTree">
   <form role="form">
+              <input type="hidden" name="_csrf" value="{{csrf}}"/>
     <div class="form-group">
       <div data-ng-show="catServicesList.length > 0">
         <div class="dropdown">

web-ui/src/main/resources/catalog/js/CatController.js

@@ -91,11 +91,11 @@
     '$scope', '$http', '$q', '$rootScope', '$translate',
     'gnSearchManagerService', 'gnConfigService', 'gnConfig',
     'gnGlobalSettings', '$location', 'gnUtilityService', 'gnSessionService',
-    'gnLangs', 'gnAdminMenu',
+    'gnLangs', 'gnAdminMenu', '$cookies',
     function($scope, $http, $q, $rootScope, $translate,
             gnSearchManagerService, gnConfigService, gnConfig,
             gnGlobalSettings, $location, gnUtilityService, gnSessionService,
-            gnLangs, gnAdminMenu) {
+            gnLangs, gnAdminMenu, $cookies) {
       $scope.version = '0.0.1';
       //Display or not the admin menu
       if ($location.absUrl().indexOf('/admin.console') != -1) {
@@ -140,6 +140,18 @@
       $scope.layout = {
         hideTopToolBar: false
       };
+
+      /**
+       * CSRF support
+       */
+
+      //Comment the following lines if you want to remove csrf support
+      $http.defaults.xsrfHeaderName = 'X-XSRF-TOKEN';
+      $http.defaults.xsrfCookieName = 'XSRF-TOKEN';
+      $scope.$watch(function() { return $cookies.get('XSRF-TOKEN'); }, function(value){
+        $rootScope.csrf=value;
+      }) ;
+      //Comment the upper lines if you want to remove csrf support
 
       /**
        * Number of selected metadata records.