From ma...@apache.org
Subject svn commit: r1030547 - in /tomcat/tc6.0.x/trunk: ./ conf/ java/org/apache/catalina/filters/ java/org/apache/catalina/manager/ java/org/apache/catalina/manager/host/ webapps/docs/ webapps/docs/config/ webapps/host-manager/ webapps/host-manager/WEB-INF/ ...
Date Wed, 03 Nov 2010 17:17:59 GMT
Author: markt
Date: Wed Nov  3 17:17:59 2010
New Revision: 1030547

URL: http://svn.apache.org/viewvc?rev=1030547&view=rev
Log:
Add generic CSRF protection to Tomcat 6 and use it to protect the Manager & Host Manager applications

Added:
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/Constants.java   (with props)
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java   (with props)
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java   (with props)
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties   (with props)
    tomcat/tc6.0.x/trunk/webapps/docs/config/filter.xml   (with props)
    tomcat/tc6.0.x/trunk/webapps/host-manager/401.jsp   (with props)
    tomcat/tc6.0.x/trunk/webapps/host-manager/403.jsp   (with props)
    tomcat/tc6.0.x/trunk/webapps/manager/403.jsp   (with props)
Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/conf/tomcat-users.xml
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/project.xml
    tomcat/tc6.0.x/trunk/webapps/docs/manager-howto.xml
    tomcat/tc6.0.x/trunk/webapps/host-manager/WEB-INF/web.xml
    tomcat/tc6.0.x/trunk/webapps/manager/401.jsp
    tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
    tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp
    tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/web.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov  3 17:17:59 2010
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
 0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
 39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
 ,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,963868,964614,966177-966178,966292,966692,981815,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003481,1003488,1003556,1003572,1003581,1003861,1004868-1004869,1005452,1005467,1005647,1005802,1022120,1022134,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
 0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
 39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
 ,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,962865,962872,962881,962900,963865,963868,964614,966177-966178,966292,966692,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003481,1003488,1003556,1003572,1003581,1003861,1004868-1004869,1005452,1005467,1005647,1005802,1022120,1022134,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Nov  3 17:17:59 2010
@@ -89,20 +89,6 @@ PATCHES PROPOSED TO BACKPORT:
    cause confusion. I'd prefer not to invent a new name, but mention the
    one that we already have when documenting virtualClasspath.
 
-* Backport the CSRF prevention filter to Tomcat 6 and configure the Manager and
-  Host Manager applications to use it. The configuration is such that the using
-  the old roles (manager, admin) will work and will bypass the CSRF protection
-  but using the new roles (manager-gui, admin-gui etc.) will not bypass the CSRF
-  protection.
-  http://people.apache.org/~markt/patches/2010-06-26-crsf-prevention-filter-tc6.patch
-  http://svn.apache.org/viewvc?rev=962865&view=rev
-  http://svn.apache.org/viewvc?rev=962872&view=rev
-  http://svn.apache.org/viewvc?rev=962881&view=rev
-  http://svn.apache.org/viewvc?rev=962900&view=rev
-  http://svn.apache.org/viewvc?rev=988448&view=rev
-  +1: markt, mturk, kkolinko
-  -1:
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49217
   Ensure EL identifiers conform to the Java Language Specification with an
   option to disable this check.

Modified: tomcat/tc6.0.x/trunk/conf/tomcat-users.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/conf/tomcat-users.xml?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/conf/tomcat-users.xml (original)
+++ tomcat/tc6.0.x/trunk/conf/tomcat-users.xml Wed Nov  3 17:17:59 2010
@@ -17,8 +17,8 @@
 -->
 <tomcat-users>
 <!--
-  NOTE:  By default, no user is included in the "manager" role required
-  to operate the "/manager" web application.  If you wish to use this app,
+  NOTE:  By default, no user is included in the "manager-gui" role required
+  to operate the "/manager/html" web application.  If you wish to use this app,
   you must define such a user - the username and password are arbitrary.
 -->
 <!--

Added: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/Constants.java?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/Constants.java (added)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/Constants.java Wed Nov  3 17:17:59 2010
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.catalina.filters;
+
+
+/**
+ * Constants for this Java package.
+ */
+
+public final class Constants {
+
+    public static final String Package = "org.apache.catalina.filters";
+
+    public static final String CSRF_NONCE_SESSION_ATTR_NAME =
+        "org.apache.catalina.filters.CSRF_NONCE";
+    
+    public static final String CSRF_NONCE_REQUEST_PARAM =
+        "org.apache.catalina.filters.CSRF_NONCE";
+    
+    public static final String METHOD_GET = "GET";
+}
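Review bot: CSRF_NONCE_SESSION_ATTR_NAME and CSRF_NONCE_REQUEST_PARAM on lines 135–139 hold the same string and neither has a Javadoc, so a reader cannot tell whether the duplication is deliberate. The two are used in different namespaces in CsrfPreventionFilter (the first via getAttribute on the session, the second via getParameter on the request), so it is harmless, but that should be stated. I would add `/** Session attribute holding the per-session cache of issued nonces. */` above the first and `/** Request parameter in which the client returns a previously issued nonce. */` above the second. `Package` on line 133 follows the naming used by Tomcat's other Constants classes rather than the UPPER_CASE convention for static finals; keeping it consistent with those is defensible, but the class comment could say so.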

Propchange: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/Constants.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (added)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Wed Nov  3 17:17:59 2010
@@ -0,0 +1,317 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Random;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+
+/**
+ * Provides basic CSRF protection for a web application. The filter assumes
+ * that:
+ * <ul>
+ * <li>The filter is mapped to /*</li>
+ * <li>{@link HttpServletResponse#encodeRedirectURL(String)} and
+ * {@link HttpServletResponse#encodeURL(String)} are used to encode all URLs
+ * returned to the client
+ * </ul>
+ */
+public class CsrfPreventionFilter extends FilterBase {
+
+    private static final Log log =
+        LogFactory.getLog(CsrfPreventionFilter.class);
+    
+    private String randomClass = SecureRandom.class.getName();
+    
+    private Random randomSource;
+
+    private final Set<String> entryPoints = new HashSet<String>();
+    
+    private int nonceCacheSize = 5;
+
+    @Override
+    protected Log getLogger() {
+        return log;
+    }
+
+    /**
+     * Entry points are URLs that will not be tested for the presence of a valid
+     * nonce. They are used to provide a way to navigate back to a protected
+     * application after navigating away from it. Entry points will be limited
+     * to HTTP GET requests and should not trigger any security sensitive
+     * actions.
+     * 
+     * @param entryPoints   Comma separated list of URLs to be configured as
+     *                      entry points.
+     */
+    public void setEntryPoints(String entryPoints) {
+        String values[] = entryPoints.split(",");
+        for (String value : values) {
+            this.entryPoints.add(value.trim());
+        }
+    }
+
+    /**
+     * Sets the number of previously issued nonces that will be cached on a LRU
+     * basis to support parallel requests, limited use of the refresh and back
+     * in the browser and similar behaviors that may result in the submission
+     * of a previous nonce rather than the current one. If not set, the default
+     * value of 5 will be used.
+     * 
+     * @param nonceCacheSize    The number of nonces to cache
+     */
+    public void setNonceCacheSize(int nonceCacheSize) {
+        this.nonceCacheSize = nonceCacheSize;
+    }
+    
+    /**
+     * Specify the class to use to generate the nonces. Must be in instance of
+     * {@link Random}.
+     * 
+     * @param randomClass   The name of the class to use
+     */
+    public void setRandomClass(String randomClass) {
+        this.randomClass = randomClass;
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        // Set the parameters
+        super.init(filterConfig);
+        
+        try {
+            Class<?> clazz = Class.forName(randomClass);
+            randomSource = (Random) clazz.newInstance();
+        } catch (ClassNotFoundException e) {
+            ServletException se = new ServletException(sm.getString(
+                    "csrfPrevention.invalidRandomClass", randomClass), e);
+            throw se;
+        } catch (InstantiationException e) {
+            ServletException se = new ServletException(sm.getString(
+                    "csrfPrevention.invalidRandomClass", randomClass), e);
+            throw se;
+        } catch (IllegalAccessException e) {
+            ServletException se = new ServletException(sm.getString(
+                    "csrfPrevention.invalidRandomClass", randomClass), e);
+            throw se;
+        }
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+            FilterChain chain) throws IOException, ServletException {
+
+        ServletResponse wResponse = null;
+        
+        if (request instanceof HttpServletRequest &&
+                response instanceof HttpServletResponse) {
+            
+            HttpServletRequest req = (HttpServletRequest) request;
+            HttpServletResponse res = (HttpServletResponse) response;
+
+            boolean skipNonceCheck = false;
+            
+            if (Constants.METHOD_GET.equals(req.getMethod())) {
+                String path = req.getServletPath();
+                if (req.getPathInfo() != null) {
+                    path = path + req.getPathInfo();
+                }
+                
+                if (entryPoints.contains(path)) {
+                    skipNonceCheck = true;
+                }
+            }
+
+            @SuppressWarnings("unchecked")
+            LruCache<String> nonceCache =
+                (LruCache<String>) req.getSession(true).getAttribute(
+                    Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+            
+            if (!skipNonceCheck) {
+                String previousNonce =
+                    req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+
+                if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+                    res.sendError(HttpServletResponse.SC_FORBIDDEN);
+                    return;
+                }
+            }
+            
+            if (nonceCache == null) {
+                nonceCache = new LruCache<String>(nonceCacheSize);
+                req.getSession().setAttribute(
+                        Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
+            }
+            
+            String newNonce = generateNonce();
+            
+            nonceCache.add(newNonce);
+            
+            wResponse = new CsrfResponseWrapper(res, newNonce);
+        } else {
+            wResponse = response;
+        }
+        
+        chain.doFilter(request, wResponse);
+    }
+
+    /**
+     * Generate a once time token (nonce) for authenticating subsequent
+     * requests. This will also add the token to the session. The nonce
+     * generation is a simplified version of ManagerBase.generateSessionId().
+     * 
+     */
+    protected String generateNonce() {
+        byte random[] = new byte[16];
+
+        // Render the result as a String of hexadecimal digits
+        StringBuilder buffer = new StringBuilder();
+
+        randomSource.nextBytes(random);
+       
+        for (int j = 0; j < random.length; j++) {
+            byte b1 = (byte) ((random[j] & 0xf0) >> 4);
+            byte b2 = (byte) (random[j] & 0x0f);
+            if (b1 < 10)
+                buffer.append((char) ('0' + b1));
+            else
+                buffer.append((char) ('A' + (b1 - 10)));
+            if (b2 < 10)
+                buffer.append((char) ('0' + b2));
+            else
+                buffer.append((char) ('A' + (b2 - 10)));
+        }
+
+        return buffer.toString();
+    }
+
+    protected static class CsrfResponseWrapper
+            extends HttpServletResponseWrapper {
+
+        private String nonce;
+
+        public CsrfResponseWrapper(HttpServletResponse response, String nonce) {
+            super(response);
+            this.nonce = nonce;
+        }
+
+        @Override
+        @Deprecated
+        public String encodeRedirectUrl(String url) {
+            return encodeRedirectURL(url);
+        }
+
+        @Override
+        public String encodeRedirectURL(String url) {
+            return addNonce(super.encodeRedirectURL(url));
+        }
+
+        @Override
+        @Deprecated
+        public String encodeUrl(String url) {
+            return encodeURL(url);
+        }
+
+        @Override
+        public String encodeURL(String url) {
+            return addNonce(super.encodeURL(url));
+        }
+        
+        /**
+         * Return the specified URL with the nonce added to the query string. 
+         *
+         * @param url URL to be modified
+         * @param nonce The nonce to add
+         */
+        private String addNonce(String url) {
+
+            if ((url == null) || (nonce == null))
+                return (url);
+
+            String path = url;
+            String query = "";
+            String anchor = "";
+            int pound = path.indexOf('#');
+            if (pound >= 0) {
+                anchor = path.substring(pound);
+                path = path.substring(0, pound);
+            }
+            int question = path.indexOf('?');
+            if (question >= 0) {
+                query = path.substring(question);
+                path = path.substring(0, question);
+            }
+            StringBuilder sb = new StringBuilder(path);
+            if (query.length() >0) {
+                sb.append(query);
+                sb.append('&');
+            } else {
+                sb.append('?');
+            }
+            sb.append(Constants.CSRF_NONCE_REQUEST_PARAM);
+            sb.append('=');
+            sb.append(nonce);
+            sb.append(anchor);
+            return (sb.toString());
+        }
+    }
+    
+    private static class LruCache<T> {
+
+        // Although the internal implementation uses a Map, this cache
+        // implementation is only concerned with the keys.
+        private final Map<T,T> cache;
+        
+        public LruCache(final int cacheSize) {
+            cache = new LinkedHashMap<T,T>() {
+                private static final long serialVersionUID = 1L;
+                @Override
+                protected boolean removeEldestEntry(Map.Entry<T,T> eldest) {
+                    if (size() > cacheSize) {
+                        return true;
+                    }
+                    return false;
+                }
+            };
+        }
+        
+        public void add(T key) {
+            cache.put(key, null);
+        }
+        
+        public boolean contains(T key) {
+            return cache.containsKey(key);
+        }
+    }
+}
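Review bot: The nonce check on line 318 is skipped whenever the session has no nonce cache yet (`nonceCache != null && ...`), so a non-entry-point request arriving on a fresh session without a nonce is passed down the chain instead of being rejected; a filter whose job is to reject requests that do not carry a previously issued nonce should fail closed when it has nothing to compare against. Change the condition to `if (nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce)) {` — entry-point GETs still bypass the check via skipNonceCheck and get their cache created on lines 324–328, so the normal first-visit flow is unaffected. Separately, the addNonce Javadoc on lines 404–409 documents a `@param nonce` that the method does not take (the nonce comes from the wrapper field set on line 379); drop that tag and say instead that the nonce is the one this wrapper was constructed with.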

Propchange: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java (added)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java Wed Nov  3 17:17:59 2010
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+import java.util.Enumeration;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.juli.logging.Log;
+import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Base class for filters that provides generic initialisation and a simple
+ * no-op destruction. 
+ * 
+ * @author xxd
+ */
+public abstract class FilterBase implements Filter {
+    
+    protected static final StringManager sm =
+        StringManager.getManager(Constants.Package);
+
+    protected abstract Log getLogger();
+    
+    public void init(FilterConfig filterConfig) throws ServletException {
+        
+        @SuppressWarnings("unchecked") // Servlet 2.5 doesn't use generics
+        Enumeration paramNames = filterConfig.getInitParameterNames();
+        
+        while (paramNames.hasMoreElements()) {
+            String paramName = (String) paramNames.nextElement();
+            if (!IntrospectionUtils.setProperty(this, paramName,
+                    filterConfig.getInitParameter(paramName))) {
+                getLogger().warn(sm.getString("filterbase.noSuchProperty",
+                        paramName, this.getClass().getName()));
+            }
+        }    
+    }
+
+    public void destroy() {
+        // NOOP
+    }
+
+}
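Review bot: An init parameter that names no property is only logged as a warning on lines 533–534 and initialisation continues, so a misspelled parameter on a security filter (an entryPoints or nonceCacheSize setting that never takes effect, for example) leaves the filter running with its defaults and nothing but a log line to show for it. For this base class I would make an unknown property fatal, `throw new ServletException(sm.getString("filterbase.noSuchProperty", paramName, this.getClass().getName()));`, or at least give subclasses a hook to opt into that behaviour. The class Javadoc on line 515 also carries a placeholder `@author xxd` tag that should be filled in or removed.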

Propchange: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties (added)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties Wed Nov  3 17:17:59 2010
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}]
+filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}"
+
+http.403=Access to the specified resource ({0}) has been forbidden.

Propchange: tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/LocalStrings.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java Wed Nov  3 17:17:59 2010
@@ -1020,7 +1020,7 @@ public final class HTMLManagerServlet ex
         " <td class=\"row-left\" bgcolor=\"{6}\" rowspan=\"2\"><small>{2}</small></td>\n" +
         " <td class=\"row-center\" bgcolor=\"{6}\" rowspan=\"2\"><small>{3}</small></td>\n" +
         " <td class=\"row-center\" bgcolor=\"{6}\" rowspan=\"2\">" +
-        "<small><a href=\"{4}\" target=\"_blank\">{5}</a></small></td>\n";
+        "<small><a href=\"{4}\">{5}</a></small></td>\n";
 
     private static final String MANAGER_APP_ROW_BUTTON_SECTION =
         " <td class=\"row-left\" bgcolor=\"{13}\">\n" +

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java Wed Nov  3 17:17:59 2010
@@ -105,6 +105,13 @@ public final class HTMLHostManagerServle
     }
 
     
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException, ServletException {
+        doGet(request, response);
+    }
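Review bot: The new doPost on lines 603–607 has no Javadoc and simply forwards to doGet, so the servlet keeps accepting the same actions over GET and POST; switching the form on line 618 to POST does not by itself stop the GET form of those requests, and as far as this hunk shows nothing else does. That is acceptable only because the CSRF filter added in this commit checks the nonce on non-entry-point GETs as well, which is worth recording here, e.g. `/** POST is handled exactly like GET; protection against forged requests comes from the CSRF filter's nonce check, not from the HTTP method. */`. doGet itself lies outside the hunk.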
+    
+    
     /**
      * Add a host using the specified parameters.
      *
@@ -435,7 +442,7 @@ public final class HTMLHostManagerServle
         "</tr>\n" +
         "<tr>\n" +
         " <td colspan=\"2\">\n" +
-        "<form method=\"get\" action=\"{2}\">\n" +
+        "<form method=\"post\" action=\"{2}\">\n" +
         "<table cellspacing=\"0\" cellpadding=\"3\">\n" +
         "<tr>\n" +
         " <td class=\"row-right\">\n" +

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Nov  3 17:17:59 2010
@@ -153,6 +153,10 @@
         <bug>50138</bug>: Fix threading issues in
         <code>org.apache.catalina.security.SecurityUtil</code>. (markt)
       </fix>
+      <add>
+        Add a new filter to provide generic cross-site request forgery (CSRF)
+        protection for web applications. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">
@@ -255,6 +259,18 @@
         <bug>49585</bug>: Update JSVC documentation to reflect new packaging
         of Commons Daemon. (markt)
       </fix>
+      <add>
+        Configure the Manager web application to use the new CSRF protection. To
+        take advantge of this protection, the manager role must be removed from
+        all users and the new manager-gui and manager-script roles used instead.
+        (markt)
+      </add>
+      <add>
+        Configure the Host Manager web application to use the new CSRF
+        protection. To take advantge of this protection, the admin role must be
+        removed from all users and the new admin-gui and admin-script roles used
+        instead. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Other">

Added: tomcat/tc6.0.x/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/filter.xml?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/filter.xml (added)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/filter.xml Wed Nov  3 17:17:59 2010
@@ -0,0 +1,118 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!DOCTYPE document [
+  <!ENTITY project SYSTEM "project.xml">
+]>
+<document url="filter.html">
+
+  &project;
+
+  <properties>
+    <title>Container Provided Filters</title>
+  </properties>
+
+<body>
+
+<section name="Table of Contents">
+<toc/>
+</section>
+
+<section name="Introduction">
+
+  <p>Tomcat provides a number of <strong>Filters</strong> which may be
+  configured for use with all web applications using
+  <code>$CATALINA_BASE/conf/web.xml</code> or may be configured for individual
+  web applications by configuring them in the application's
+  <code>WEB-INF/web.xml</code>. Each filter is described below.</p>
+
+    <blockquote><em>
+    <p>This description uses the variable name $CATALINA_BASE to refer the
+    base directory against which most relative paths are resolved. If you have
+    not configured Tomcat for multiple instances by setting a CATALINA_BASE
+    directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
+    the directory into which you have installed Tomcat.</p>
+    </em></blockquote>
+
+</section>
+
+
+<section name="CSRF Prevention Filter">
+
+  <subsection name="Introduction">
+
+    <p>This filter provides basic CSRF protection for a web application. The
+    filter assumes that it is mapped to <code>/*</code> and that all URLs
+    returned to the client are encoded via a call to
+    <code>HttpServletResponse#encodeRedirectURL(String)</code> or
+    <code>HttpServletResponse#encodeURL(String)</code>.</p>
+    
+    <p>This filter prevents CSRF by generating a nonce and storing it in the
+    session. URLs are also encoded with the same nonce. When the next request is
+    received the nonce in the request is compared to the nonce in the session
+    and only if they are the same is the request allowed to continue.</p>
+    
+  </subsection>
+
+  <subsection name="Filter Class Name">
+
+    <p>The filter class name for the CSRF Prevention Filter is
+    <strong><code>org.apache.catalina.filters.CsrfPreventionFilter</code>
+    </strong>.</p>
+
+  </subsection>
+
+  <subsection name="Initialisation parameters">
+
+    <p>The CSRF Prevention Filter supports the following initialisation
+    parameters:</p>
+
+    <attributes>
+
+      <attribute name="entryPoints" required="false">
+        <p>A comma separated list of URLs that will not be tested for the
+        presence of a valid nonce. They are used to provide a way to navigate
+        back to a protected application after having navigated away from it.
+        Entry points will be limited to HTTP GET requests and should not trigger
+        any security sensitive actions.</p>
+      </attribute>
+      
+      <attribute name="nonceCacheSize" required="false">
+        <p>The number of previously issued nonces that will be cached on a LRU
+        basis to support parallel requests, limited use of the refresh and back
+        in the browser and similar behaviors that may result in the submission
+        of a previous nonce rather than the current one. If not set, the default
+        value of 5 will be used.</p>
+      </attribute>
+      
+      <attribute name="randomClass" required="false">
+        <p>The name of the class to use to generate nonces. The class must be an
+        instance of <code>java.util.Random</code>. If not set, the default value
+        of <code>java.security.SecureRandom</code> will be used.</p>
+      </attribute>
+      
+    </attributes>
+    
+  </subsection>
+
+</section>
+
+
+</body>
+
+
+</document>

Propchange: tomcat/tc6.0.x/trunk/webapps/docs/config/filter.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/project.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/project.xml?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/project.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/project.xml Wed Nov  3 17:17:59 2010
@@ -54,8 +54,9 @@
     </menu>
 
     <menu name="Nested Components">
-        <item name="Listeners"             href="listeners.html"/>
+        <item name="Filter"                href="filter.html"/>
         <item name="Global Resources"      href="globalresources.html"/>
+        <item name="Listeners"             href="listeners.html"/>
         <item name="Loader"                href="loader.html"/>
         <item name="Manager"               href="manager.html"/> 
         <item name="Realm"                 href="realm.html"/>

Modified: tomcat/tc6.0.x/trunk/webapps/docs/manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/manager-howto.xml?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/manager-howto.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/manager-howto.xml Wed Nov  3 17:17:59 2010
@@ -73,7 +73,7 @@ Manager web application <code>Context</c
 example:</p>
 <pre>
 &lt;Context path="/manager" debug="0" privileged="true"
-         docBase="/usr/local/kinetic/tomcat6/server/webapps/manager"&gt;
+         docBase="/usr/local/tomcat6/webapps/manager"&gt;
 &lt;/Context&gt;
 </pre>
 
@@ -112,17 +112,29 @@ With Ant</a> for more information.</li>
 anyone on the Internet to execute the Manager application on your server.
 Therefore, the Manager application is shipped with the requirement that anyone
 who attempts to use it must authenticate themselves, using a username and
-password that have the role <strong>manager</strong> associated with them.
+password that have the appropriate role associated with them.
 Further, there is no username in the default users file
-(<code>$CATALINA_BASE/conf/tomcat-users.xml</code>) that is assigned this
-role.  Therefore, access to the Manager application is completely disabled
-by default.</p>
+(<code>$CATALINA_BASE/conf/tomcat-users.xml</code>) that is assigned an
+appropriate role.  Therefore, access to the Manager application is completely
+disabled by default.</p>
 
 <p>To enable access to the Manager web application, you must either create
-a new username/password combination and associate the role name
-<strong>manager</strong> with it, or add the <strong>manager</strong> role
-to some existing username/password combination.  Exactly where this is done
-depends on which <code>Realm</code> implementation you are using:</p>
+a new username/password combination and associate on of the manager roles with
+it, or add a manager role to some existing username/password combination. There
+are four roles defined by the manager application:</p>
+<ul>
+<li><em>manager-gui</em> - Allows access to the html interface</li>
+<li><em>manager-script</em> - Allows access to the plain text interface</li>
+<li><em>manager-jmx</em> - Allows access to the JMX proxy interface</li>
+<li><em>manager-status</em> - Allows access to the read-only status pages</li>
+</ul>
+<p>The manager application is configured to use the CSRF prevention filter. For
+this filter to be effective, any user assigned the <code>manager-gui</code> role
+must not be assigned the <code>manager-script</code> nor the
+<code>manager-jmx</code> roles.</p>
+
+<p>Exactly where roles are associated to users depends on which
+<code>Realm</code> implementation you are using:</p>
 <ul>
 <li><em>MemoryRealm</em> - If you have not customized your
     <code>$CATALINA_BASE/conf/server.xml</code> to select a different one,
@@ -132,22 +144,22 @@ depends on which <code>Realm</code> impl
     <code>&lt;user&gt;</code> for each individual user, which might
     look something like this:
 <source>
-&lt;user name="craigmcc" password="secret" roles="standard,manager" /&gt;
+&lt;user name="craigmcc" password="secret" roles="standard,manager-gui" /&gt;
 </source>
     which defines the username and password used by this individual to
     log on, and the role names he or she is associated with.  You can
-    add the <strong>manager</strong> role to the comma-delimited
+    add a role, e.g. <strong>manager-gui</strong>, to the comma-delimited
     <code>roles</code> attribute for one or more existing users, and/or
     create new users with that assigned role.</li>
 <li><em>JDBCRealm</em> - Your user and role information is stored in
-    a database accessed via JDBC.  Add the <strong>manager</strong> role
-    to one or more existing users, and/or create one or more new users
-    with this role assigned, following the standard procedures for your
+    a database accessed via JDBC.  Add the required role(s) to one or more
+    existing users, and/or create one or more new users with the required
+    role(s) assigned, following the standard procedures for your
     environment.</li>
 <li><em>JNDIRealm</em> - Your user and role information is stored in
-    a directory server accessed via LDAP.  Add the <strong>manager</strong>
-    role to one or more existing users, and/or create one or more new users
-    with this role assigned, following the standard procedures for your
+    a directory server accessed via LDAP.  Add the required role(s) to one or
+    more existing users, and/or create one or more new users with the required
+    role(s) assigned, following the standard procedures for your
     environment.</li>
 </ul>
 
@@ -155,7 +167,7 @@ depends on which <code>Realm</code> impl
 described in the next section, you will be challenged to log on using
 BASIC authentication.  The username and password you enter do not matter,
 as long as they identify a valid user in the users database who possesses
-the role <strong>manager</strong>.</p>
+the appropriate role.</p>
 
 <p>In addition to the password restrictions the manager web application
 could be restricted by the remote IP address or host by adding a
@@ -163,7 +175,7 @@ could be restricted by the remote IP add
 an example of restricting access to the localhost by IP address:</p>
 <pre>
 &lt;Context path="/manager" privileged="true"
-         docBase="/usr/local/kinetic/tomcat6/server/webapps/manager"&gt;
+         docBase="/usr/local/tomcat6/server/manager"&gt;
          &lt;Valve className="org.apache.catalina.valves.RemoteAddrValve"
                 allow="127\.0\.0\.1"/&gt;
 &lt;/Context&gt;
@@ -964,7 +976,7 @@ commands, you must perform the following
 <li>Add the <code>$ANT_HOME/bin</code> directory to your <code>PATH</code>
     environment variable.</li>
 <li>Configure at least one username/password combination in your Tomcat
-    user database that includes the <code>manager</code> role.</li>
+    user database that includes the <code>manager-script</code> role.</li>
 </ul>
 
 <p>To use custom tasks within Ant, you must declare them first with a

Added: tomcat/tc6.0.x/trunk/webapps/host-manager/401.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/host-manager/401.jsp?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/host-manager/401.jsp (added)
+++ tomcat/tc6.0.x/trunk/webapps/host-manager/401.jsp Wed Nov  3 17:17:59 2010
@@ -0,0 +1,75 @@
+<%--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--%>
+<%
+  response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Host Manager Application\"");
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>401 Unauthorized</title>
+  <style type="text/css">
+    <!--
+    BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
+    H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
+    PRE, TT {border: 1px dotted #525D76}
+    A {color : black;}A.name {color : black;}
+    -->
+  </style>
+ </head>
+ <body>
+   <h1>401 Unauthorized</h1>
+   <p>
+    You are not authorized to view this page. If you have not changed
+    any configuration files, please examine the file
+    <tt>conf/tomcat-users.xml</tt> in your installation. That
+    file must contain the credentials to let you use this webapp.
+   </p>
+   <p>
+    For example, to add the <tt>admin-gui</tt> role to a user named
+    <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
+    config file listed above.
+   </p>
+<pre>
+&lt;role rolename="admin-gui"/&gt;
+&lt;user username="tomcat" password="s3cret" roles="admin-gui"/&gt;
+</pre>
+   <p>
+    Note that for Tomcat 6.0.30 onwards, the roles required to use the host
+    manager application were changed from the single <tt>admin</tt> role to the
+    following two roles. You will need to assign the role(s) required for
+    the functionality you wish to access.
+   </p>
+    <ul>
+      <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
+      <li><tt>admin-script</tt> - allows access to the text interface</li>
+    </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>The deprecated <tt>admin</tt> role should not be assigned to any
+        user.</li>
+    <li>Users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>If the text interface is accessed through a browser (e.g. for testing
+        since this interface is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
+ </body>
+
+</html>
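Review bot: The CSRF guidance in the final list names the wrong role: it tells administrators that `admin-gui` users should not be granted `manager-script`, but the text-interface role this commit defines for the host manager is `admin-script` (`manager-script` belongs to the Manager application), so someone following the page literally could pair `admin-gui` with `admin-script` and lose the protection it describes. Change the bullet to `<li>Users with the <tt>admin-gui</tt> role should not be granted the <tt>admin-script</tt> role.</li>`. The advice to close the browser after using the text interface is sound for BASIC authentication, since the browser replays cached credentials independently of any session cookie; saying that explicitly would make the reason clear.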

Propchange: tomcat/tc6.0.x/trunk/webapps/host-manager/401.jsp
------------------------------------------------------------------------------
    svn:eol-style = native

Added: tomcat/tc6.0.x/trunk/webapps/host-manager/403.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/host-manager/403.jsp?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/host-manager/403.jsp (added)
+++ tomcat/tc6.0.x/trunk/webapps/host-manager/403.jsp Wed Nov  3 17:17:59 2010
@@ -0,0 +1,90 @@
+<%--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--%>
+<%
+  response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Host Manager Application\"");
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>403 Access Denied</title>
+  <style type="text/css">
+    <!--
+    BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
+    H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
+    PRE, TT {border: 1px dotted #525D76}
+    A {color : black;}A.name {color : black;}
+    -->
+  </style>
+ </head>
+ <body>
+   <h1>403 Access Denied</h1>
+   <p>
+    You are not authorized to view this page.
+   </p>
+   <p>
+    If you have already configured the Host Manager application to allow access
+    and you have used your browser's back button, used a saved book-mark or
+    similar then you may have triggered the cross-site request forgery (CSRF)
+    protection that has been enabled for the HTML interface of the Host Manager
+    application. You will need to reset this protection by returning to the 
+    <a href="<%=request.getContextPath()%>/html">main Host Manager page</a>.
+    Once you return to this page, you will be able to continue using the Host
+    Manager appliction's HTML interface normally. If you continue to see this
+    access denied message, check that you have the necessary permissions to
+    access this application.
+   </p>
+   <p> If you have not changed
+    any configuration files, please examine the file
+    <tt>conf/tomcat-users.xml</tt> in your installation. That
+    file must contain the credentials to let you use this webapp.
+   </p>
+   <p>
+    For example, to add the <tt>admin-gui</tt> role to a user named
+    <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
+    config file listed above.
+   </p>
+<pre>
+&lt;role rolename="admin-gui"/&gt;
+&lt;user username="tomcat" password="s3cret" roles="admin-gui"/&gt;
+</pre>
+   <p>
+    Note that for Tomcat 6.0.30 onwards, the roles required to use the host
+    manager application were changed from the single <tt>admin</tt> role to the
+    following two roles. You will need to assign the role(s) required for
+    the functionality you wish to access. Note the <tt>admin</tt> role is still
+    valid but by-passes the CSRF protection.
+   </p>
+    <ul>
+      <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
+      <li><tt>admin-script</tt> - allows access to the text interface</li>
+    </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>The deprecated <tt>admin</tt> role should not be assigned to any
+        user.</li>
+    <li>Users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>If the text interface is accessed through a browser (e.g. for testing
+        since this interface is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
+ </body>
+
+</html>
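Review bot: The same role mix-up as in 401.jsp appears in the final list here: `manager-script` should read `admin-script`, the role this commit defines for the host manager's text interface; as written the page tells administrators to avoid a role that does not exist in this application while leaving the real dangerous combination unmentioned. Change it to `<li>Users with the <tt>admin-gui</tt> role should not be granted the <tt>admin-script</tt> role.</li>`. The scriptlet at the top also emits a `WWW-Authenticate` challenge on what is a 403 response, which appears to be copied from the 401 page; a 403 is not an authentication challenge and the header is at best confusing there, so consider dropping it. The `request.getContextPath()` written into the link is server-controlled and not an injection concern.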

Propchange: tomcat/tc6.0.x/trunk/webapps/host-manager/403.jsp
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc6.0.x/trunk/webapps/host-manager/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/host-manager/WEB-INF/web.xml?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/host-manager/WEB-INF/web.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/host-manager/WEB-INF/web.xml Wed Nov  3 17:17:59 2010
@@ -27,12 +27,6 @@
 	Manager lets you view, load/unload/etc particular web applications.
   </description>
 
-  <!-- Define the Manager Servlet
-       Change servlet-class to: org.apache.catalina.servlets.HTMLManagerServlet
-       to get a Servlet with a more intuitive HTML interface, don't change if you
-       have software that is expected to parse the output from ManagerServlet
-       since they're not compatible.
-   -->
   <servlet>
     <servlet-name>HostManager</servlet-name>
     <servlet-class>org.apache.catalina.manager.host.HostManagerServlet</servlet-class>
@@ -76,11 +70,24 @@
     <url-pattern>/html/*</url-pattern>
   </servlet-mapping>
 
+  <filter>
+    <filter-name>CSRF</filter-name>
+    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
+    <init-param>
+      <param-name>entryPoints</param-name>
+      <param-value>/html,/html/list</param-value>
+    </init-param>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>CSRF</filter-name>
+    <servlet-name>HTMLHostManager</servlet-name>
+  </filter-mapping>
+
   <!-- Define a Security Constraint on this Application -->
   <security-constraint>
     <web-resource-collection>
-      <web-resource-name>HTMLHostManager and HostManager commands</web-resource-name>
-      <url-pattern>/html/*</url-pattern>
+      <web-resource-name>HostManager commands</web-resource-name>
       <url-pattern>/list</url-pattern>
       <url-pattern>/add</url-pattern>
       <url-pattern>/remove</url-pattern>
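Review bot: The CSRF filter is mapped by `<servlet-name>HTMLHostManager</servlet-name>`, while the filter documentation added in this same commit states the filter assumes it is mapped to `/*`; the narrower mapping looks deliberate, because the text commands in the constraint below must stay nonce-free for scripted clients, but web.xml does not say so and a reader comparing the two will assume a mistake. I would add above the mapping `<!-- Mapped to the HTML servlet only: the text interface (/list, /add, ...) is driven by tools that cannot carry a nonce, so it is left unprotected and guarded solely by the separate admin-script role -->`. Note also that a servlet-name mapping with no `<dispatcher>` elements applies to direct client requests only under the Servlet 2.5 default, so any future forward or include into the HTML servlet would bypass the nonce check; nothing in view does that, but it belongs in the comment.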
@@ -88,8 +95,33 @@
       <url-pattern>/stop</url-pattern>
     </web-resource-collection>
     <auth-constraint>
-       <!-- NOTE:  This role is not present in the default users file -->
+       <!-- NOTE: 1. These roles are not present in the default users file
+                  2. The admin role is deprecated, it will be removed in
+                     Tomcat 7.
+                  3. Use the admin-script role to take advantage of the new
+                     CSRF protection. Using the admin role or assigning both
+                     the admin-script and admin-gui roles to the same user
+                     will bypass the CSRF protection. -->
        <role-name>admin</role-name>
+       <role-name>admin-script</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>HTMLHostManager commands</web-resource-name>
+      <url-pattern>/html/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+       <!-- NOTE: 1. These roles are not present in the default users file
+                  2. The admin role is deprecated, it will be removed in
+                     Tomcat 7.
+                  3. Use the admin-gui role to take advantage of the new
+                     CSRF protection. Using the admin role or assigning both
+                     the admin-script and admin-gui roles to the same user
+                     will bypass the CSRF protection. -->
+       <role-name>admin</role-name>
+       <role-name>admin-gui</role-name>
     </auth-constraint>
   </security-constraint>
 
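Review bot: Neither security constraint carries a `<user-data-constraint>`, so the BASIC credentials that unlock `admin`, `admin-script` and `admin-gui` travel in clear text over a plain HTTP connector, and the new nonce does nothing against anyone who can read the `Authorization` header. Forcing `CONFIDENTIAL` in the shipped default is probably wrong, since it requires an SSL connector that a stock install does not configure, but the comments in this hunk are the natural place to say it: `<!-- When this application is reachable beyond localhost, add <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> so credentials are only sent over TLS -->`. Keeping the deprecated `admin` role in both constraints means an upgraded deployment whose users carry only `admin` keeps working with the CSRF protection bypassed, exactly as the comment warns; that is a defensible compatibility choice as long as the deprecation actually lands.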
@@ -102,7 +134,19 @@
   <!-- Security roles referenced by this web application -->
   <security-role>
     <description>
-      The role that is required to log in to the Manager Application
+      The role that is required to access the text Host Manager pages
+    </description>
+    <role-name>admin-script</role-name>
+  </security-role>
+  <security-role>
+    <description>
+      The role that is required to access the HTML Host Manager pages
+    </description>
+    <role-name>admin-gui</role-name>
+  </security-role>
+  <security-role>
+    <description>
+      Deprecated role that can access all Host Manager functionality
     </description>
     <role-name>admin</role-name>
   </security-role>

Modified: tomcat/tc6.0.x/trunk/webapps/manager/401.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/401.jsp?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/401.jsp (original)
+++ tomcat/tc6.0.x/trunk/webapps/manager/401.jsp Wed Nov  3 17:17:59 2010
@@ -1,4 +1,4 @@
-<!--
+<%--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
@@ -13,14 +13,15 @@
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--->
+--%>
 <%
   response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
 %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
  <head>
   <title>401 Unauthorized</title>
-  <style>
+  <style type="text/css">
     <!--
     BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
     H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
@@ -35,20 +36,49 @@
     You are not authorized to view this page. If you have not changed
     any configuration files, please examine the file
     <tt>conf/tomcat-users.xml</tt> in your installation. That
-    file will contain the credentials to let you use this webapp.
+    file must contain the credentials to let you use this webapp.
    </p>
    <p>
-    You will need to add <tt>manager</tt> role to the config file listed above.
-    For example:
+    For example, to add the <tt>manager-gui</tt> role to a user named
+    <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
+    config file listed above.
+   </p>
 <pre>
-&lt;role rolename="manager"/&gt;
-&lt;user username="tomcat" password="s3cret" roles="manager"/&gt;
+&lt;role rolename="manager-gui"/&gt;
+&lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
 </pre>
+   <p>
+    Note that for Tomcat 6.0.30 onwards, the roles required to use the manager
+    application were changed from the single <tt>manager</tt> role to the
+    following four roles. You will need to assign the role(s) required for
+    the functionality you wish to access.
+   </p>
+    <ul>
+      <li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
+          pages</li>
+      <li><tt>manager-script</tt> - allows access to the text interface and the
+          status pages</li>
+      <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
+          pages</li>
+      <li><tt>manager-status</tt> - allows access to the status pages only</li>
+    </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
    </p>
+   <ul>
+    <li>The deprecated <tt>manager</tt> role should not be assigned to any
+        user.</li>
+    <li>Users with the <tt>manager-gui</tt> role should not be granted either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>If the text or jmx interfaces are accessed through a browser (e.g. for
+        testing since these interfaces are intended for tools not humans) then
+        the browser must be closed afterwards to terminate the session.</li>
+   </ul>
    <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>
  </body>
 
-</html>
+</html>
\ No newline at end of file

Added: tomcat/tc6.0.x/trunk/webapps/manager/403.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/403.jsp?rev=1030547&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/403.jsp (added)
+++ tomcat/tc6.0.x/trunk/webapps/manager/403.jsp Wed Nov  3 17:17:59 2010
@@ -0,0 +1,98 @@
+<%--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--%>
+<%
+  response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>403 Access Denied</title>
+  <style type="text/css">
+    <!--
+    BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
+    H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
+    PRE, TT {border: 1px dotted #525D76}
+    A {color : black;}A.name {color : black;}
+    -->
+  </style>
+ </head>
+ <body>
+   <h1>403 Access Denied</h1>
+   <p>
+    You are not authorized to view this page.
+   </p>
+   <p>
+    If you have already configured the Manager application to allow access and
+    you have used your browser's back button, used a saved book-mark or similar
+    then you may have triggered the cross-site request forgery (CSRF) protection
+    that has been enabled for the HTML interface of the Manager application. You
+    will need to reset this protection by returning to the 
+    <a href="<%=request.getContextPath()%>/html">main Manager page</a>. Once you
+    return to this page, you will be able to continue using the Manager
+    appliction's HTML interface normally. If you continue to see this access
+    denied message, check that you have the necessary permissions to access this
+    application.
+   </p>
+   <p>
+    If you have not changed
+    any configuration files, please examine the file
+    <tt>conf/tomcat-users.xml</tt> in your installation. That
+    file must contain the credentials to let you use this webapp.
+   </p>
+   <p>
+    For example, to add the <tt>manager-gui</tt> role to a user named
+    <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the
+    config file listed above.
+   </p>
+<pre>
+&lt;role rolename="manager-gui"/&gt;
+&lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
+</pre>
+   <p>
+    Note that for Tomcat 6.0.30 onwards, the roles required to use the manager
+    application were changed from the single <tt>manager</tt> role to add the
+    following four roles. (The manager role is still available but should not be
+    used as it avoids the CSRF protection). You will need to assign the role(s)
+    required for the functionality you wish to access.
+   </p>
+    <ul>
+      <li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
+          pages</li>
+      <li><tt>manager-script</tt> - allows access to the text interface and the
+          status pages</li>
+      <li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
+          pages</li>
+      <li><tt>manager-status</tt> - allows access to the status pages only</li>
+    </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
+    For more information - please see the
+    <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
+   </p>
+ </body>
+
+</html>
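Review bot: The scriptlet at the top of this page sets `WWW-Authenticate: Basic realm="Tomcat Manager Application"` on a 403 response, which is the header that belongs to the 401 page this file appears to have been copied from; a 403 here means the request was already authenticated and merely lacks the role (or tripped the CSRF check), and browsers only re-prompt for credentials on 401, so the header just muddles the response. Suggest dropping the `response.setHeader("WWW-Authenticate", ...)` scriptlet entirely. The explanatory text also drifts from the 401 page: the "To maintain the CSRF protection" list omits the bullet about not assigning the deprecated `manager` role that 401.jsp carries, the parenthetical says the manager role "avoids" the protection where "bypasses" is meant, and "appliction's" is a typo.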

Propchange: tomcat/tc6.0.x/trunk/webapps/manager/403.jsp
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp (original)
+++ tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp Wed Nov  3 17:17:59 2010
@@ -31,18 +31,19 @@
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
    String currentSessionId = currentSession.getId();
-   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String submitUrl = response.encodeURL(((HttpServletRequest)
+           pageContext.getRequest()).getRequestURL().toString());
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
-	<meta http-equiv="pragma" content="no-cache"/><!-- HTTP 1.0 -->
-	<meta http-equiv="cache-control" content="no-cache,must-revalidate"/><!-- HTTP 1.1 -->
-	<meta http-equiv="expires" content="0"/><!-- 0 is an invalid value and should be treated as 'now' -->
-	<meta http-equiv="content-language" content="en"/>
-	<meta name="author" content="Cedrik LIME"/>
-	<meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
-	<meta name="robots" content="noindex,nofollow,noarchive"/>
-	<title>Sessions Administration: details for <%= currentSessionId %></title>
+    <meta http-equiv="pragma" content="no-cache"/><!-- HTTP 1.0 -->
+    <meta http-equiv="cache-control" content="no-cache,must-revalidate"/><!-- HTTP 1.1 -->
+    <meta http-equiv="expires" content="0"/><!-- 0 is an invalid value and should be treated as 'now' -->
+    <meta http-equiv="content-language" content="en"/>
+    <meta name="author" content="Cedrik LIME"/>
+    <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
+    <meta name="robots" content="noindex,nofollow,noarchive"/>
+    <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
 <h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
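Review bot: `submitUrl` is now built from `getRequestURL()` — scheme, the client-supplied Host header and the raw request URI — and is emitted unescaped into `action="…"` attributes further down the page; unless Tomcat rejects a `"` in the Host header this is an attribute-injection path, and an absolute URL is more than a self-posting form needs in any case. Escape it once where it is defined, `String submitUrl = JspHelper.escapeXml(response.encodeURL(((HttpServletRequest) pageContext.getRequest()).getRequestURL().toString()));`, or build it from the request URI as sessionsList.jsp does. I am assuming `encodeURL` goes through the new CSRF filter's response wrapper to append its nonce as a query parameter; if so, escaping must happen after encoding, as above, so the `&` in the query string is emitted as `&amp;`.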
@@ -86,7 +87,14 @@
   </tr>
 </table>
 
-<p style="text-align: center;"><button type="button" onclick="window.location.reload()">Refresh</button></p>
+<form method="post" action="<%= submitUrl %>">
+  <div>
+    <input type="hidden" name="path" value="<%= path %>" />
+    <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
+    <input type="hidden" name="action" value="sessionDetail" />
+    <input type="submit" value="Refresh" />
+  </div>
+</form>
 
 <div class="error"><%= JspHelper.escapeXml(request.getAttribute("error")) %></div>
 <div class="message"><%= JspHelper.escapeXml(request.getAttribute("message")) %></div>
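Review bot: The hidden inputs of the new Refresh form write `path` and `currentSessionId` into `value="…"` without `JspHelper.escapeXml`, while the same values are escaped when displayed (the `<h1>` just above this hunk and the attribute table below it). `path` arrives as a request attribute, presumably derived from a request parameter, and `attributeName` in the removeSessionAttribute form of the next hunk is application-controlled session data, so a `"` in either breaks out of the attribute. Apply the same escaping to the hidden values, e.g. `<input type="hidden" name="path" value="<%= JspHelper.escapeXml(path) %>" />`, both in this hunk and in the Remove and "Return to session list" forms of the third hunk.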
@@ -95,52 +103,67 @@
 <% int nAttributes = 0;
    Enumeration attributeNamesEnumeration = currentHttpSession.getAttributeNames();
    while (attributeNamesEnumeration.hasMoreElements()) {
-	   attributeNamesEnumeration.nextElement();
-	   ++nAttributes;
+       attributeNamesEnumeration.nextElement();
+       ++nAttributes;
    }
 %>
-	<caption style="font-variant: small-caps;"><%= JspHelper.formatNumber(nAttributes) %> attributes</caption>
-	<thead>
-		<tr>
-			<th>Remove Attribute</th>
-			<th>Attribute name</th>
-			<th>Attribute value</th>
-		</tr>
-	</thead>
-	<%--tfoot>
-		<tr>
-			<td colspan="3" style="text-align: center;">
-				TODO: set Max Inactive Interval on sessions
-			</td>
-		</tr>
-	</tfoot--%>
-	<tbody>
+    <caption style="font-variant: small-caps;"><%= JspHelper.formatNumber(nAttributes) %> attributes</caption>
+    <thead>
+        <tr>
+            <th>Remove Attribute</th>
+            <th>Attribute name</th>
+            <th>Attribute value</th>
+        </tr>
+    </thead>
+    <%--tfoot>
+        <tr>
+            <td colspan="3" style="text-align: center;">
+                TODO: set Max Inactive Interval on sessions
+            </td>
+        </tr>
+    </tfoot--%>
+    <tbody>
 <% attributeNamesEnumeration = currentHttpSession.getAttributeNames();
    while (attributeNamesEnumeration.hasMoreElements()) {
-   	String attributeName = (String) attributeNamesEnumeration.nextElement();
+       String attributeName = (String) attributeNamesEnumeration.nextElement();
 %>
-		<tr>
-			<td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td>
-			<td><%= JspHelper.escapeXml(attributeName) %></td>
-			<td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
-		</tr>
+        <tr>
+            <td align="center">
+                <form method="post" action="<%= submitUrl %>">
+                    <div>
+                        <input type="hidden" name="path" value="<%= path %>" />
+                        <input type="hidden" name="action" value="removeSessionAttribute" />
+                        <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
+                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="submit" value="Remove" />
+                    </div>
+                </form>
+            </td>
+            <td><%= JspHelper.escapeXml(attributeName) %></td>
+            <td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %><span title="<%= attributeValue == null ? "" : attributeValue.getClass().toString() %>"><%= JspHelper.escapeXml(attributeValue) %></span></td>
+        </tr>
 <% } // end while %>
-	</tbody>
+    </tbody>
 </table>
 
-<p style="text-align: center;"><button type="button" onclick="window.close()">Close window</button></p>
+<form method="post" action="<%=submitUrl%>">
+  <p style="text-align: center;">
+    <input type="hidden" name="path" value="<%= path %>" />
+    <input type="submit" value="Return to session list" />
+  </p>
+</form>
 
 <%--div style="display: none;">
 <p>
-	<a href="http://validator.w3.org/check?uri=referer"><img
-		src="http://www.w3.org/Icons/valid-html401"
-		alt="Valid HTML 4.01!" height="31" width="88"></a>
-	<a href="http://validator.w3.org/check?uri=referer"><img
-		src="http://www.w3.org/Icons/valid-xhtml10"
-		alt="Valid XHTML 1.0!" height="31" width="88" /></a>
-	<a href="http://validator.w3.org/check?uri=referer"><img
-		src="http://www.w3.org/Icons/valid-xhtml11"
-		alt="Valid XHTML 1.1!" height="31" width="88" /></a>
+    <a href="http://validator.w3.org/check?uri=referer"><img
+        src="http://www.w3.org/Icons/valid-html401"
+        alt="Valid HTML 4.01!" height="31" width="88"></a>
+    <a href="http://validator.w3.org/check?uri=referer"><img
+        src="http://www.w3.org/Icons/valid-xhtml10"
+        alt="Valid XHTML 1.0!" height="31" width="88" /></a>
+    <a href="http://validator.w3.org/check?uri=referer"><img
+        src="http://www.w3.org/Icons/valid-xhtml11"
+        alt="Valid XHTML 1.1!" height="31" width="88" /></a>
 </p>
 </div--%>
 

Modified: tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp (original)
+++ tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp Wed Nov  3 17:17:59 2010
@@ -26,7 +26,8 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
-   String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path;
+   String submitUrl = response.encodeURL(((HttpServletRequest)
+           pageContext.getRequest()).getRequestURI() + "?path=" + path);
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
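Review bot: `path` is concatenated into the query string of `submitUrl` without URL-encoding, and the result is later written unescaped into an `href` in the second hunk, so a path containing `&`, `#`, `"` or a space yields a malformed or attribute-breaking link. Encode the parameter value when the URL is built, `"?path=" + URLEncoder.encode(path, "UTF-8")`, and escape the URL where it is emitted with `JspHelper.escapeXml`; `java.net.URLEncoder` would have to be added to the page's import directive, which lies outside this hunk. The same applies to the `sessionDetail` link in the second hunk of this file.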
@@ -99,7 +100,7 @@
 %>
 				<tr>
 					<td>
-<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) %></a>
+<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
 					</td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
@@ -118,7 +119,11 @@
 	</fieldset>
 </form>
 
-<p style="text-align: center;"><button type="button" onclick="window.close()">Close window</button></p>
+<form method="get" action="<%=request.getContextPath()%>/html">
+  <p style="text-align: center;">
+    <input type="submit" value="Return to main page" />
+  </p>
+</form>
 
 <%--div style="display: none;">
 <p>

Modified: tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/web.xml?rev=1030547&r1=1030546&r2=1030547&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/web.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/web.xml Wed Nov  3 17:17:59 2010
@@ -27,12 +27,6 @@
     Manager lets you view, load/unload/etc particular web applications.
   </description>
 
-  <!-- Define the Manager Servlet
-       Change servlet-class to: org.apache.catalina.servlets.HTMLManagerServlet
-       to get a Servlet with a more intuitive HTML interface, don't change if you
-       have software that is expected to parse the output from ManagerServlet
-       since they're not compatible.
-   -->
   <servlet>
     <servlet-name>Manager</servlet-name>
     <servlet-class>org.apache.catalina.manager.ManagerServlet</servlet-class>
@@ -137,6 +131,20 @@
     <url-pattern>/html/*</url-pattern>
   </servlet-mapping>
 
+  <filter>
+    <filter-name>CSRF</filter-name>
+    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
+    <init-param>
+      <param-name>entryPoints</param-name>
+      <param-value>/html,/html/,/html/list</param-value>
+    </init-param>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>CSRF</filter-name>
+    <servlet-name>HTMLManager</servlet-name>
+  </filter-mapping>
+
   <!-- Define reference to the user database for looking up roles -->
   <resource-env-ref>
     <description>
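Review bot: The new `<filter>` and `<filter-mapping>` blocks carry no explanatory comment, although every other section of this web.xml has one (`<!-- Define reference to the user database ... -->` follows immediately). A deployer reading `entryPoints` cannot tell from this file what the list means or why these three paths are exempt; suggest a comment above `<filter>` along the lines of `<!-- CSRF protection for the HTML Manager. entryPoints lists the URLs that may be requested without a nonce; every other HTMLManager request must carry the nonce issued on those pages. -->`, adjusted to the filter's actual semantics, which are defined in CsrfPreventionFilter.java rather than here.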
@@ -154,9 +162,7 @@
   <!-- Define a Security Constraint on this Application -->
   <security-constraint>
     <web-resource-collection>
-      <web-resource-name>HTMLManager and Manager command</web-resource-name>
-      <url-pattern>/jmxproxy/*</url-pattern>
-      <url-pattern>/html/*</url-pattern>
+      <web-resource-name>Manager commands</web-resource-name>
       <url-pattern>/list</url-pattern>
       <url-pattern>/expire</url-pattern>
       <url-pattern>/sessions</url-pattern>
@@ -169,17 +175,77 @@
       <url-pattern>/reload</url-pattern>
       <url-pattern>/save</url-pattern>
       <url-pattern>/serverinfo</url-pattern>
-      <url-pattern>/status/*</url-pattern>
       <url-pattern>/roles</url-pattern>
       <url-pattern>/resources</url-pattern>
       <url-pattern>/findleaks</url-pattern>
     </web-resource-collection>
     <auth-constraint>
-       <!-- NOTE:  This role is not present in the default users file -->
+       <!-- NOTE: 1. These roles are not present in the default users file
+                  2. The manager role is deprecated, it will be removed in
+                     Tomcat 7.
+                  3. Use the manager-script role to take advantage of the new
+                     CSRF protection. Using the manager role or assigning both
+                     the manager-script and manager-gui roles to the same user
+                     will bypass the CSRF protection. -->
+       <role-name>manager-script</role-name>
+       <role-name>manager</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>HTML Manager commands</web-resource-name>
+      <url-pattern>/html/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+       <!-- NOTE: 1. These roles are not present in the default users file
+                  2. The manager role is deprecated, it will be removed in
+                     Tomcat 7.
+                  3. Use just the manager-gui role to take advantage of the new
+                     CSRF protection. Assigning the manager role or manager-gui
+                     role along with either the manager-script or manager-jmx
+                     roles to the same user will bypass the CSRF protection. -->
+       <role-name>manager-gui</role-name>
+       <role-name>manager</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>JMX proxy</web-resource-name>
+      <url-pattern>/jmxproxy/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+       <!-- NOTE: 1. These roles are not present in the default users file
+                  2. The manager role is deprecated, it will be removed in
+                     Tomcat 7.
+                  3. Use the manager-jmx role to take advantage of the new
+                     CSRF protection. Using the manager role or assigning both
+                     the manager-jmx and manager-gui roles to the same user
+                     will bypass the CSRF protection. -->
+       <role-name>manager-jmx</role-name>
+       <role-name>manager</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Status</web-resource-name>
+      <url-pattern>/status/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+       <!-- NOTE: 1. These roles are not present in the default users file
+                  2. The manager role is deprecated, it will be removed in
+                     Tomcat 7. -->
+       <role-name>manager-status</role-name>
+       <role-name>manager-gui</role-name>
+       <role-name>manager-script</role-name>
+       <role-name>manager-jmx</role-name>
        <role-name>manager</role-name>
     </auth-constraint>
   </security-constraint>
 
+
   <!-- Define the Login Configuration for this Application -->
   <login-config>
     <auth-method>BASIC</auth-method>
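Review bot: The NOTE comment inside the four auth-constraints repeats items 1 and 2 (roles absent from the default users file; `manager` deprecated and to be removed in Tomcat 7) verbatim each time, so only item 3 actually differs between constraints. Stating the shared items once in a comment above the first `<security-constraint>` and keeping only the per-constraint CSRF guidance inline would make the file shorter and easier to keep consistent when the wording changes. The extra empty line inserted before `<!-- Define the Login Configuration for this Application -->` also leaves two blank lines where the rest of the file uses one.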
@@ -189,7 +255,31 @@
   <!-- Security roles referenced by this web application -->
   <security-role>
     <description>
-      The role that is required to log in to the Manager Application
+      The role that is required to access the HTML Manager pages
+    </description>
+    <role-name>manager-gui</role-name>
+  </security-role>
+  <security-role>
+    <description>
+      The role that is required to access the text Manager pages
+    </description>
+    <role-name>manager-script</role-name>
+  </security-role>
+  <security-role>
+    <description>
+      The role that is required to access the HTML JMX Proxy
+    </description>
+    <role-name>manager-jmx</role-name>
+  </security-role>
+  <security-role>
+    <description>
+      The role that is required to access to the Manager Status pages 
+    </description>
+    <role-name>manager-status</role-name>
+  </security-role>
+  <security-role>
+    <description>
+      Deprecated role that can access all Manager functionality
     </description>
     <role-name>manager</role-name>
   </security-role>
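Review bot: Two of the new role descriptions read wrong: `The role that is required to access the HTML JMX Proxy` calls the JMX proxy "HTML" although the constraint above names it plain `JMX proxy` and the 401/403 pages describe it as a text interface for tools, and `The role that is required to access to the Manager Status pages` has a stray "to" plus trailing whitespace. Suggest `The role that is required to access the JMX Proxy` and `The role that is required to access the Manager Status pages`.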
@@ -198,5 +288,9 @@
     <error-code>401</error-code>
     <location>/401.jsp</location>
   </error-page>
+  <error-page>
+    <error-code>403</error-code>
+    <location>/403.jsp</location>
+  </error-page>
 
 </web-app>


