Activate CSRF protection.

Now POST method is used for logging out from site.

@see http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf

Fix #25

Author: php-coder

src/main/config/checkstyle-suppressions.xml

@@ -5,11 +5,12 @@
 
 <suppressions>
 
+	<suppress checks="LineLength" files="AbstractPage.java" lines="44,45" />
 	<suppress checks="LineLength" files="AbstractPageWithForm.java" lines="27,28,33" />
 	<suppress checks="LineLength" files="Form.java" lines="31,32,37" />
 	<suppress checks="LineLength" files="Url.java" lines="73" />
 	<suppress checks="LineLength" files="ErrorController.java" lines="73" />
-	<suppress checks="LineLength" files="SecurityConfig.java" lines="35,36,40" />
+	<suppress checks="LineLength" files="SecurityConfig.java" lines="35,36,39,40" />
 
 	<!-- false positives due to Lombok usage -->
 	<suppress checks="HideUtilityClassConstructor" files="ru.mystamps.web.model" />

src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java

@@ -36,15 +36,15 @@
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
 import org.springframework.security.core.userdetails.UserDetailsService;
 
 import ru.mystamps.web.config.ServicesConfig;
 import ru.mystamps.web.Url;
 
 @Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
@@ -95,9 +95,6 @@ protected void configure(HttpSecurity http) throws Exception {
 			.rememberMe()
 				// TODO: GH #27
 				.disable()
-			.csrf()
-				// TODO: GH #25
-				.disable()
 			.headers()
 				// TODO
 				.disable();

src/main/webapp/WEB-INF/static/styles/main.css

@@ -58,3 +58,12 @@ label {
 .top-indent {
 	padding-top: 20px;
 }
+
+.no-margin {
+	margin: 0px;
+}
+
+.no-padding {
+	padding: 0px;
+}
+

src/main/webapp/WEB-INF/views/account/activate.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/account/auth.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/account/register.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/category/add.html

@@ -36,8 +36,9 @@
 					</li>
 					/*/-->
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					<!--/*/
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/category/info.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/collection/info.html

@@ -36,8 +36,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/country/add.html

@@ -36,8 +36,9 @@
 					</li>
 					/*/-->
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					<!--/*/
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/country/info.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/error/401.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/error/404.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/error/500.html

@@ -37,8 +37,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/series/add.html

@@ -36,8 +36,9 @@
 					</li>
 					/*/-->
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					<!--/*/
 					<li sec:authorize="isAnonymous()">
@@ -62,7 +63,7 @@ <h3 th:text="#{t_add_series_ucfirst}">
 				</div>
 
 				<div class="span6 offset3">
-					<form method="post" enctype="multipart/form-data" class="form-horizontal" action="info.html" th:action="@{${ADD_SERIES_PAGE}}" th:object="${addSeriesForm}">
+					<form method="post" enctype="multipart/form-data" class="form-horizontal" action="info.html" th:action="@{${ADD_SERIES_PAGE}} + '?' + ${_csrf.parameterName} + '=' + ${_csrf.token}" th:object="${addSeriesForm}">
 
 						<div class="control-group" th:classappend="${#fields.hasErrors('category') ? 'error' : ''}">
 							<label for="category" class="control-label">

src/main/webapp/WEB-INF/views/series/info.html

@@ -35,8 +35,9 @@
 					</li>
 					/*/-->
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					<!--/*/
 					<li sec:authorize="isAnonymous()">

src/main/webapp/WEB-INF/views/site/index.html

@@ -36,8 +36,9 @@
 					</li>
 					<!--/*/
 					<li sec:authorize="isAuthenticated()">
-						<i class="icon-share"></i>
-						<a href="../site/index.html" th:href="@{${LOGOUT_PAGE}}" th:text="#{t_logout}">Sign out</a>
+						<form id="LogoutForm" method="get" action="../site/index.html" class="no-margin" th:method="post" th:action="@{${LOGOUT_PAGE}}">
+							<i class="icon-share"></i>&nbsp;<input type="submit" value="Sign out" class="btn btn-link no-padding" th:value="#{t_logout}" />
+						</form>
 					</li>
 					/*/-->
 					<li sec:authorize="isAnonymous()">

src/test/java/ru/mystamps/web/tests/WebElementUtils.java

@@ -35,7 +35,15 @@ public static List<String> convertToListWithText(List<WebElement> elements) {
 
 		List<String> result = new ArrayList<>(elements.size());
 		for (WebElement el : elements) {
-			result.add(el.getText());
+			String text = null;
+			if ("input".equals(el.getTagName())) {
+				text = el.getAttribute("value");
+			} else {
+				text = el.getText();
+			}
+			if (text != null) {
+				result.add(text);
+			}
 		}
 
 		return result;

src/test/java/ru/mystamps/web/tests/cases/WhenUserLogsOut.java

@@ -23,11 +23,11 @@
 import static org.fest.assertions.api.Assertions.assertThat;
 
 import ru.mystamps.web.Url;
-import ru.mystamps.web.tests.page.LogoutAccountPage;
+import ru.mystamps.web.tests.page.IndexSitePage;
 
 import static ru.mystamps.web.tests.TranslationUtils.tr;
 
-public class WhenUserLogsOut extends WhenAnyUserAtAnyPage<LogoutAccountPage> {
+public class WhenUserLogsOut extends WhenAnyUserAtAnyPage<IndexSitePage> {
 
 	@Value("${valid_user_login}")
 	private String validUserLogin;
@@ -36,13 +36,13 @@ public class WhenUserLogsOut extends WhenAnyUserAtAnyPage<LogoutAccountPage> {
 	private String validUserPassword;
 
 	public WhenUserLogsOut() {
-		super(LogoutAccountPage.class);
+		super(IndexSitePage.class);
 	}
 
 	@Test(groups = "logic")
 	public void shouldRedirectAndClearSession() {
 		page.login(validUserLogin, validUserPassword);
-		page.open();
+		page.logout();
 
 		assertThat(page.getCurrentUrl())
 			.overridingErrorMessage("after logout we should be redirected to main page")

src/test/java/ru/mystamps/web/tests/page/AbstractPage.java

@@ -41,6 +41,8 @@
 public abstract class AbstractPage {
 
 	private static final String A_HREF_LOCATOR = "//a[@href=\"%s\"]";
+	private static final String LOGOUT_BUTTON_LOCATOR = "//form[@id=\"LogoutForm\"]/input[@type=\"submit\"]";
+	private static final String USER_BAR_ENTRIES_LOCATOR = "//*[@id=\"user_bar\"]//li/a | //*[@id=\"user_bar\"]//li//input[not(@type=\"hidden\")]";
 
 	protected final WebDriver driver;
 	private final String pageUrl;
@@ -118,8 +120,7 @@ public boolean userBarExists() {
 	}
 
 	public List<String> getUserBarEntries() {
-		WebElement userBar       = getElementById("user_bar");
-		List<WebElement> entries = userBar.findElements(By.tagName("li"));
+		List<WebElement> entries = getElementsByXPath(USER_BAR_ENTRIES_LOCATOR);
 		return WebElementUtils.convertToListWithText(entries);
 	}
 
@@ -182,6 +183,10 @@ protected List<WebElement> getElementsByClassName(String className) {
 		return driver.findElements(By.className(className));
 	}
 
+	protected List<WebElement> getElementsByXPath(String xpath) {
+		return driver.findElements(By.xpath(xpath));
+	}
+	
 	//
 	// Helpers for getting element's value
 	//
@@ -243,8 +248,9 @@ public void login(String login, String password) {
 
 	public void logout() {
 		// TODO: check than we not authenticated and do nothing
-		LogoutAccountPage logoutPage = new LogoutAccountPage(driver);
-		logoutPage.open();
+		
+		WebElement logoutButton = getElementByXPath(LOGOUT_BUTTON_LOCATOR);
+		logoutButton.submit();
 
 		// return to current page
 		open();