GitHub user ahgittin opened a pull request:
https://github.com/apache/brooklyn-server/pull/430
Use CSRF headers
Adds a filter which returns and requires special cookies/headers to protect
against forged cross-site requests. Extensive documentation in
`CsrfTokenFilter`. @neykov or @m4rkmckenna or @geomacy you might be best
placed to check this.
Also small tidy to logout process in
https://github.com/apache/brooklyn-server/commit/e9aecbac1ccdebec1cb07f0f44c5c73f0137c64d
-- would be useful if someone familiar with the thinking behind the existing
process (switching to user) gives it a quick eyeball (probably @neykov or
@bostko ?)
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/ahgittin/brooklyn-server use-csrf-headers
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/brooklyn-server/pull/430.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #430
----
commit ce0db93d4feaf9ea11981862431d51090990e9c9
Author: Alex Heneveld <[email protected]>
Date: 2016-11-09T12:03:49Z
REST API supports client requiring a CSRF header, and
requesting such a header, and if required POST requests fail if it wasn't
supplied
commit a7556473baaa23c2ca852e52a5996736fafd632f
Author: Alex Heneveld <[email protected]>
Date: 2016-11-13T02:45:58Z
switch CSRF to use cookies for tokens
now supports AngularJS semantics.
also now it doesn't needlessly create sessions.
commit 0fdb9069c4f8938eb5ec182dfeb54be694839d57
Author: Alex Heneveld <[email protected]>
Date: 2016-11-13T13:33:48Z
set session/cookie on some server requests so client gets it early
helps establish csrf protection. done in /server/user and
/server/up/extended,
the two main places which an interactive app will hit early.
commit e9aecbac1ccdebec1cb07f0f44c5c73f0137c64d
Author: Alex Heneveld <[email protected]>
Date: 2016-11-13T13:34:12Z
logout rest code tidy - behaves nicer if no user
previously `curl /v1/logout` would throw 500 server error
commit e2a665d194de6818fcdca84986dbe6559895d825
Author: Alex Heneveld <[email protected]>
Date: 2016-11-13T13:34:59Z
tidy - warnings / unused imports in rest
----
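The filter described in the pull request issues a token to the client and then requires that token to be echoed back on state-changing requests. The following is an added, framework-independent model of that double-submit pattern; it is not the `CsrfTokenFilter` from the pull request, and the cookie name `XSRF-TOKEN` and header name `X-XSRF-TOKEN` are the AngularJS convention the second commit refers to, assumed here rather than taken from the project's code. The defensive property it relies on: a forged cross-site request carries the victim's cookie automatically, but the attacking origin cannot read that cookie to copy it into a custom header, so a POST whose header is missing or does not match the cookie is rejected.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that must not change state and therefore need no token (RFC 7231 "safe").
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# AngularJS convention (assumed here, not necessarily what the project's filter names them).
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"


@dataclass
class Request:
    """Minimal stand-in for a servlet request (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive; normalise before lookup.
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


@dataclass
class Response:
    """Minimal stand-in for a servlet response (constructed for this example)."""
    status: int = 200
    set_cookies: dict = field(default_factory=dict)


def issue_token(request, response):
    """Make sure the client holds a CSRF token cookie; mint one only if it has none.

    Returning the existing token on every request lets the client obtain it
    early (e.g. on a GET) without the server creating anything per request.
    """
    token = request.cookies.get(COOKIE_NAME)
    if not token:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        response.set_cookies[COOKIE_NAME] = token
    return token


def check_csrf(request):
    """Return (ok, reason). Safe methods pass; others need header == cookie."""
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    cookie = request.cookies.get(COOKIE_NAME)
    header = request.header(HEADER_NAME)
    if not cookie:
        return False, "no %s cookie: client has not obtained a token" % COOKIE_NAME
    if not header:
        return False, "missing %s header" % HEADER_NAME
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(cookie.encode(), header.encode()):
        return False, "%s header does not match cookie" % HEADER_NAME
    return True, "token matched"


def filter_request(request):
    """Model the filter: 403 on a failed check, otherwise pass through with a token set."""
    response = Response()
    ok, reason = check_csrf(request)
    if not ok:
        response.status = 403
        return response, reason
    issue_token(request, response)
    return response, reason


if __name__ == "__main__":
    # First contact: a GET receives the token cookie.
    first, _ = filter_request(Request("GET"))
    token = first.set_cookies[COOKIE_NAME]
    # Forged cross-site POST: browser attaches the cookie, but no header can be set.
    print(filter_request(Request("POST", cookies={COOKIE_NAME: token})))
    # Legitimate same-origin POST: the client copied the cookie into the header.
    print(filter_request(Request("POST", cookies={COOKIE_NAME: token},
                                 headers={HEADER_NAME: token})))
```

A real deployment would additionally set the cookie with `Secure` and a `Path` scoped to the API, and would leave it readable by script (not `HttpOnly`), since the client must copy its value into the header; the token itself is never checked against server-side state, which is what lets the filter avoid creating sessions.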