rave-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ja...@apache.org
Subject svn commit: r1188156 - in /incubator/rave/trunk: rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/ rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ rave-components/rave-web/src/test/java/org/apac...
Date Mon, 24 Oct 2011 14:36:50 GMT
Author: jasha
Date: Mon Oct 24 14:36:49 2011
New Revision: 1188156

URL: http://svn.apache.org/viewvc?rev=1188156&view=rev
Log:
RAVE-300 RAVE-301 restrict fields that can be updated. Check if session token matches submitted
token to prevent CSRF

Added:
    incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java
Modified:
    incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java
    incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java
    incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java
    incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java
    incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java
    incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java
    incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp
    incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp

Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtil.java
Mon Oct 24 14:36:49 2011
@@ -19,9 +19,12 @@
 
 package org.apache.rave.portal.web.controller.admin;
 
+import org.apache.commons.lang.RandomStringUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.rave.portal.web.model.NavigationItem;
 import org.apache.rave.portal.web.model.NavigationMenu;
 import org.springframework.ui.Model;
+import org.springframework.web.bind.support.SessionStatus;
 
 /**
  * Util class for the admin controllers
@@ -29,10 +32,22 @@ import org.springframework.ui.Model;
 public final class AdminControllerUtil {
 
     public static final int DEFAULT_PAGE_SIZE = 10;
+    private static final int TOKEN_LENGTH = 256;
 
     private AdminControllerUtil() {
     }
 
+    static String generateSessionToken() {
+        return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
+    }
+
+    public static void checkTokens(String sessionToken, String token, SessionStatus status)
{
+        if (StringUtils.length(sessionToken) != TOKEN_LENGTH || !(sessionToken.equals(token)))
{
+            status.setComplete();
+            throw new SecurityException("Token does not match");
+        }
+    }
+
     static void addNavigationMenusToModel(String selectedItem, Model model) {
         final NavigationMenu topMenu = getTopMenu();
         model.addAttribute(topMenu.getName(), topMenu);

Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/UserController.java
Mon Oct 24 14:36:49 2011
@@ -19,6 +19,7 @@
 
 package org.apache.rave.portal.web.controller.admin;
 
+import org.apache.commons.lang.RandomStringUtils;
 import org.apache.rave.portal.model.Authority;
 import org.apache.rave.portal.model.User;
 import org.apache.rave.portal.model.util.SearchResult;
@@ -39,15 +40,15 @@ import org.springframework.web.bind.anno
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.SessionAttributes;
+import org.springframework.web.bind.support.SessionStatus;
 
 import java.beans.PropertyEditorSupport;
-import java.security.Principal;
 
 /**
  * Admin controller to manipulate User data
  */
 @Controller
-@SessionAttributes({"user"})
+@SessionAttributes({"user", ModelKeys.TOKENCHECK})
 public class UserController {
 
     private static final String SELECTED_ITEM = "users";
@@ -62,8 +63,9 @@ public class UserController {
     private UserProfileValidator userProfileValidator;
 
     @InitBinder
-    public void initBinder(WebDataBinder b) {
-        b.registerCustomEditor(Authority.class, new AuthorityEditor());
+    public void initBinder(WebDataBinder dataBinder) {
+        dataBinder.registerCustomEditor(Authority.class, new AuthorityEditor());
+        dataBinder.setDisallowedFields("entityId", "username", "password", "confirmPassword");
     }
 
     @RequestMapping(value = "/admin/users", method = RequestMethod.GET)
@@ -86,22 +88,25 @@ public class UserController {
     }
 
     @RequestMapping(value = "/admin/userdetail/{userid}", method = RequestMethod.GET)
-    public String viewUserDetail(@PathVariable("userid") Long userid, Model model, Principal
principal) {
+    public String viewUserDetail(@PathVariable("userid") Long userid, Model model) {
         AdminControllerUtil.addNavigationMenusToModel(SELECTED_ITEM, model);
         model.addAttribute(userService.getUserById(userid));
-        model.addAttribute("loggedInUser", principal.getName());
+        model.addAttribute(ModelKeys.TOKENCHECK, AdminControllerUtil.generateSessionToken());
         return ViewNames.ADMIN_USERDETAIL;
     }
 
     @RequestMapping(value = "/admin/userdetail/update", method = RequestMethod.POST)
     public String updateUserDetail(@ModelAttribute("user") User user, BindingResult result,
-                                   Model model, Principal principal) {
+                                   @ModelAttribute(ModelKeys.TOKENCHECK) String sessionToken,
+                                   @RequestParam() String token,
+                                   SessionStatus status) {
+        AdminControllerUtil.checkTokens(sessionToken, token, status);
         userProfileValidator.validate(user, result);
         if (result.hasErrors()) {
-            model.addAttribute("loggedInUser", principal.getName());
             return ViewNames.ADMIN_USERDETAIL;
         }
         userService.updateUserProfile(user);
+        status.setComplete();
         return "redirect:" + user.getEntityId();
     }
 
@@ -110,6 +115,11 @@ public class UserController {
         return authorityService.getAllAuthorities();
     }
 
+    @ModelAttribute("loggedInUser")
+    public String populateLoggedInUsername() {
+        return userService.getAuthenticatedUser().getUsername();
+    }
+
     // setters for unit tests
     void setUserService(UserService userService) {
         this.userService = userService;
@@ -123,6 +133,11 @@ public class UserController {
         this.userProfileValidator = userProfileValidator;
     }
 
+    private String getRandomToken() {
+        return RandomStringUtils.randomAlphanumeric(256);
+    }
+
+
     /**
      * Mapping between the submitted form value and an {@link Authority}
      */

Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/controller/admin/WidgetController.java
Mon Oct 24 14:36:49 2011
@@ -30,12 +30,15 @@ import org.springframework.beans.factory
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.SessionAttributes;
+import org.springframework.web.bind.support.SessionStatus;
 
 import static org.apache.rave.portal.model.WidgetStatus.values;
 
@@ -43,7 +46,7 @@ import static org.apache.rave.portal.mod
  * Admin controller to manipulate Widget data
  */
 @Controller
-@SessionAttributes({"widget"})
+@SessionAttributes({ModelKeys.WIDGET, ModelKeys.TOKENCHECK})
 public class WidgetController {
 
     private static final String SELECTED_ITEM = "widgets";
@@ -54,6 +57,11 @@ public class WidgetController {
     @Autowired
     private NewWidgetValidator widgetValidator;
 
+    @InitBinder
+    public void initBinder(WebDataBinder dataBinder) {
+        dataBinder.setDisallowedFields("entityId");
+    }
+
     @RequestMapping(value = "/admin/widgets", method = RequestMethod.GET)
     public String viewWidgets(@RequestParam(required = false, defaultValue = "0") int offset,
Model model) {
         AdminControllerUtil.addNavigationMenusToModel(SELECTED_ITEM, model);
@@ -67,16 +75,22 @@ public class WidgetController {
     public String viewWidgetDetail(@PathVariable("widgetid") Long widgetid, Model model)
{
         AdminControllerUtil.addNavigationMenusToModel(SELECTED_ITEM, model);
         model.addAttribute(widgetService.getWidget(widgetid));
+        model.addAttribute(ModelKeys.TOKENCHECK, AdminControllerUtil.generateSessionToken());
         return ViewNames.ADMIN_WIDGETDETAIL;
     }
 
     @RequestMapping(value = "/admin/widgetdetail/update", method = RequestMethod.POST)
-    public String updateWidgetDetail(@ModelAttribute("widget") Widget widget, BindingResult
result) {
+    public String updateWidgetDetail(@ModelAttribute(ModelKeys.WIDGET) Widget widget, BindingResult
result,
+                                     @ModelAttribute(ModelKeys.TOKENCHECK) String sessionToken,
+                                     @RequestParam() String token,
+                                     SessionStatus status) {
+        AdminControllerUtil.checkTokens(sessionToken, token, status);
         widgetValidator.validate(widget, result);
         if (result.hasErrors()) {
             return ViewNames.ADMIN_WIDGETDETAIL;
         }
         widgetService.updateWidget(widget);
+        status.setComplete();
         return "redirect:" + widget.getEntityId();
     }
 
@@ -85,9 +99,7 @@ public class WidgetController {
         return values();
     }
 
-
     // setters for unit tests
-    
     void setWidgetService(WidgetService widgetService) {
         this.widgetService = widgetService;
     }
@@ -95,4 +107,5 @@ public class WidgetController {
     void setWidgetValidator(NewWidgetValidator widgetValidator) {
         this.widgetValidator = widgetValidator;
     }
+
 }

Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/util/ModelKeys.java
Mon Oct 24 14:36:49 2011
@@ -36,4 +36,5 @@ public class ModelKeys {
     public static final String SEARCH_TERM = "searchTerm";
     public static final String OFFSET = "offset";
     public static final String SEARCHRESULT = "searchResult";
+    public static final String TOKENCHECK = "tokencheck";
 }
\ No newline at end of file

Added: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java?rev=1188156&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/AdminControllerUtilTest.java
Mon Oct 24 14:36:49 2011
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.web.controller.admin;
+
+import org.junit.Test;
+import org.springframework.web.bind.support.SessionStatus;
+
+import static junit.framework.Assert.assertTrue;
+import static org.easymock.EasyMock.createMock;
+
+/**
+ * Test for {@link AdminControllerUtil}
+ */
+public class AdminControllerUtilTest {
+
+    @Test
+    public void checkTokens_valid() throws Exception {
+        String token = AdminControllerUtil.generateSessionToken();
+        SessionStatus status = createMock(SessionStatus.class);
+        AdminControllerUtil.checkTokens(token, token, status);
+        assertTrue("No errors", true);
+    }
+
+    @Test(expected = SecurityException.class)
+    public void checkTokens_invalidLength() throws Exception {
+        String token = "token";
+        SessionStatus status = createMock(SessionStatus.class);
+        AdminControllerUtil.checkTokens(token, token, status);
+        assertTrue("Exception occurred", false);
+    }
+    
+    @Test(expected = SecurityException.class)
+    public void checkTokens_invalidNoMatch() throws Exception {
+        String token1 = AdminControllerUtil.generateSessionToken();
+        String token2 = AdminControllerUtil.generateSessionToken();
+        SessionStatus status = createMock(SessionStatus.class);
+        AdminControllerUtil.checkTokens(token1, token2, status);
+        assertTrue("Exception occurred", false);
+    }
+}

Modified: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/UserControllerTest.java
Mon Oct 24 14:36:49 2011
@@ -33,8 +33,8 @@ import org.springframework.ui.ExtendedMo
 import org.springframework.ui.Model;
 import org.springframework.validation.BeanPropertyBindingResult;
 import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.support.SessionStatus;
 
-import java.security.Principal;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -57,6 +57,7 @@ public class UserControllerTest {
     private UserController controller;
     private UserService userService;
     private AuthorityService authorityService;
+    private String validToken;
 
     @Test
     public void adminUsers() throws Exception {
@@ -99,25 +100,21 @@ public class UserControllerTest {
         Model model = new ExtendedModelMap();
         Long userid = 123L;
         User user = new User(userid, "john.doe.sr");
-        Principal principal = createMock(Principal.class);
 
-        expect(principal.getName()).andReturn("canonical");
         expect(userService.getUserById(userid)).andReturn(user);
-        replay(userService, principal);
+        replay(userService);
 
-        String adminUserDetailView = controller.viewUserDetail(userid, model, principal);
-        verify(userService, principal);
+        String adminUserDetailView = controller.viewUserDetail(userid, model);
+        verify(userService);
         
         assertEquals(ViewNames.ADMIN_USERDETAIL, adminUserDetailView);
         assertTrue(model.containsAttribute(TABS));
         assertEquals(user, model.asMap().get("user"));
-        assertEquals("canonical", model.asMap().get("loggedInUser"));
     }
 
 
     @Test
     public void updateUserDetail_success() {
-        Model model = new ExtendedModelMap();
         final Long userid = 123L;
         final String email = "john.doe.sr@example.net";
         User user = new User(userid, "john.doe.sr");
@@ -126,15 +123,16 @@ public class UserControllerTest {
         user.setEmail(email);
         final BindingResult errors = new BeanPropertyBindingResult(user, "user");
 
-        Principal principal = createMock(Principal.class);
+        SessionStatus sessionStatus = createMock(SessionStatus.class);
 
         expect(userService.getUserByEmail(email)).andReturn(user);
         userService.updateUserProfile(user);
+        sessionStatus.setComplete();
         expectLastCall();
-        replay(userService);
+        replay(userService, sessionStatus);
 
-        final String view = controller.updateUserDetail(user, errors, model, principal);
-        verify(userService);
+        final String view = controller.updateUserDetail(user, errors, validToken, validToken,
sessionStatus);
+        verify(userService, sessionStatus);
 
         assertFalse(errors.hasErrors());
         assertEquals("redirect:" + userid, view);
@@ -142,21 +140,38 @@ public class UserControllerTest {
 
     @Test
     public void updateUserDetail_withErrors() {
-        Model model = new ExtendedModelMap();
         Long userid = 123L;
         User user = new User(userid, "john.doe.sr");
         final BindingResult errors = new BeanPropertyBindingResult(user, "user");
-        Principal principal = createMock(Principal.class);
 
-        expect(principal.getName()).andReturn("canonical");
-        replay(principal);
-        final String view = controller.updateUserDetail(user, errors, model, principal);
-        verify(principal);
+        SessionStatus sessionStatus = createMock(SessionStatus.class);
+        replay(sessionStatus);
+        final String view = controller.updateUserDetail(user, errors, validToken, validToken,
sessionStatus);
+        verify(sessionStatus);
 
         assertTrue(errors.hasErrors());
         assertEquals(ViewNames.ADMIN_USERDETAIL, view);
     }
 
+    @Test(expected = SecurityException.class)
+    public void updateUserDetail_wrongToken() {
+        User user = new User(123L, "john.doe.sr");
+        final BindingResult errors = new BeanPropertyBindingResult(user, "user");
+        SessionStatus sessionStatus = createMock(SessionStatus.class);
+        sessionStatus.setComplete();
+
+        expectLastCall();
+        replay(sessionStatus);
+
+        String otherToken = AdminControllerUtil.generateSessionToken();
+
+        controller.updateUserDetail(user, errors, validToken, otherToken, sessionStatus);
+        verify(sessionStatus);
+
+        assertFalse("SecurityException", true);
+
+    }
+
     @Test
     public void getAuthoritiesForModelMap() {
         final SearchResult<Authority> authorities = createSearchResultWithTwoAuthorities();
@@ -179,6 +194,7 @@ public class UserControllerTest {
 
         UserProfileValidator userProfileValidator = new UserProfileValidator(userService);
         controller.setUserProfileValidator(userProfileValidator);
+        validToken = AdminControllerUtil.generateSessionToken();
     }
 
 

Modified: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/controller/admin/WidgetControllerTest.java
Mon Oct 24 14:36:49 2011
@@ -31,6 +31,7 @@ import org.springframework.ui.ExtendedMo
 import org.springframework.ui.Model;
 import org.springframework.validation.BeanPropertyBindingResult;
 import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.support.SessionStatus;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -56,6 +57,7 @@ public class WidgetControllerTest {
     private WidgetController controller;
     private WidgetService service;
     private NewWidgetValidator validator;
+    private String validToken;
 
     @Test
     public void adminWidgets() throws Exception {
@@ -95,24 +97,45 @@ public class WidgetControllerTest {
         widget.setTitle("Widget title");
         widget.setType("OpenSocial");
         BindingResult errors = new BeanPropertyBindingResult(widget, "widget");
+        SessionStatus sessionStatus = createMock(SessionStatus.class);
 
         service.updateWidget(widget);
+        sessionStatus.setComplete();
         expectLastCall();
-        replay(service);
-        String view = controller.updateWidgetDetail(widget, errors);
-        verify(service);
+        replay(service, sessionStatus);
+        String view = controller.updateWidgetDetail(widget, errors, validToken, validToken,
sessionStatus);
+        verify(service, sessionStatus);
 
         assertFalse("No errors", errors.hasErrors());
         assertEquals("redirect:123", view);
 
     }
 
+    @Test(expected = SecurityException.class)
+    public void updateWidget_wrongToken() {
+        Widget widget = new Widget();
+        BindingResult errors = new BeanPropertyBindingResult(widget, "widget");
+        SessionStatus sessionStatus = createMock(SessionStatus.class);
+
+        sessionStatus.setComplete();
+        expectLastCall();
+        replay(sessionStatus);
+
+        String otherToken = AdminControllerUtil.generateSessionToken();
+
+        controller.updateWidgetDetail(widget, errors, "sessionToken", otherToken, sessionStatus);
+
+        verify(sessionStatus);
+        assertFalse("Can't come here", true);
+    }
+
     @Test
     public void updateWidget_invalid() {
         Widget widget = new Widget(123L, "http://broken/url");
         BindingResult errors = new BeanPropertyBindingResult(widget, "widget");
+        SessionStatus sessionStatus = createMock(SessionStatus.class);
 
-        String view = controller.updateWidgetDetail(widget, errors);
+        String view = controller.updateWidgetDetail(widget, errors, validToken, validToken,
sessionStatus);
 
         assertTrue("Errors", errors.hasErrors());
         assertEquals(ViewNames.ADMIN_WIDGETDETAIL, view);
@@ -126,6 +149,7 @@ public class WidgetControllerTest {
         controller.setWidgetService(service);
         validator = new NewWidgetValidator();
         controller.setWidgetValidator(validator);
+        validToken = AdminControllerUtil.generateSessionToken();
     }
 
 

Modified: incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp
(original)
+++ incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/userdetail.jsp
Mon Oct 24 14:36:49 2011
@@ -50,6 +50,7 @@
                     <form:form id="updateUserProfile" action="update" commandName="user"
method="POST">
                         <form:errors cssClass="error" element="p"/>
                         <fieldset>
+                            <input type="hidden" name="token" value="<c:out value="${tokencheck}"/>"/>
                             <p>
                                 <label for="email"><fmt:message key="page.general.email"/></label>
                                 <spring:bind path="email">

Modified: incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp?rev=1188156&r1=1188155&r2=1188156&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp
(original)
+++ incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/views/admin/widgetdetail.jsp
Mon Oct 24 14:36:49 2011
@@ -64,6 +64,7 @@
                     <form:form id="updateWidget" action="update" commandName="widget"
method="POST">
                         <form:errors cssClass="error" element="p"/>
                         <fieldset>
+                            <input type="hidden" name="token" value="<c:out value="${tokencheck}"/>"/>
                             <p><fmt:message key="form.some.fields.required"/></p>
 
                             <p>



Mime
View raw message