[MRM-1480]/[REDBACK-274] (CVE-2011-1026)
authorBrett Porter <brett@apache.org>
Tue, 12 Apr 2011 07:16:34 +0000 (07:16 +0000)
committerBrett Porter <brett@apache.org>
Tue, 12 Apr 2011 07:16:34 +0000 (07:16 +0000)
o upgrade to redback 1.2.8-SNAPSHOT
o configured struts2's token interceptor + use of <s:token> in affected actions to prevent CSRF issue
[MRM-1460] added selenium tests for CSRF fixes in affected pages
Merged: r1066067:1091313

git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1091315 13f79535-47bb-0310-9956-ffa450edef68

17 files changed:
archiva-docs/src/site/apt/release-notes.apt
archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java [new file with mode: 0644]
archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp
archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/deleteArtifact.jsp
pom.xml

index 03784f27417bc32f5cc56e88102b58fe52c624c7..e0fe6d5706e9412ddb142cc0a2ff808981f97c14 100644 (file)
@@ -19,6 +19,26 @@ Release Notes for Archiva 1.4
 
 ~~TODO
 
+* Compatibility Changes
+
+  * If upgrading from versions of Archiva earlier than 1.2.2, the list of libraries
+    in <<<wrapper.conf>>> has changed. If you have customized your copy of
+    <<<wrapper.conf>>>, please update it for compatibility with the version distributed
+    with the current release.
+
+* Security Vulnerabilities
+
+    * A CSRF security vulnerability (CVE-2010-3449) is present in 1.3.2 and earlier.
+  
+    * An XSS security vulnerability (CVE-2011-0533) is present in 1.3.3 and earlier.
+
+    * Additional CSRF (CVE-2011-1026) and XSS security (CVE-2011-1077) vulnerabilities have been reported against 1.3.4
+      and earlier versions.
+
+  It is important that users using lower versions of Archiva upgrade to this version (or higher).
+
+  See {{{http://archiva.apache.org/security.html} Archiva Security}} for more details.
+
 * Release Notes
 
   The Archiva 1.4 feature set can be seen in the {{{tour/index.html} feature tour}}.
@@ -29,6 +49,16 @@ Release Notes for Archiva 1.4
 
   ~~TODO
 
+Previous Releases
+
+* Changes in Archiva 1.3.5
+
+  Released: <<14 March 2011>>
+
+** Task
+
+    * [MRM-1460] - Upgrade Archiva to Redback 1.2.7
+
 * Changes in Archiva 1.3.4
 
   Released: <<9 February 2011>>
diff --git a/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java b/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java
new file mode 100644 (file)
index 0000000..3883605
--- /dev/null
@@ -0,0 +1,149 @@
+package org.apache.archiva.web.test;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.archiva.web.test.parent.AbstractArchivaTest;
+import org.testng.annotations.Test;
+
+/**
+ * Test all actions affected with CSRF security issue.
+ */
+@Test( groups = { "csrf" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
+public class CSRFSecurityTest
+    extends AbstractArchivaTest
+{
+    public void testCSRFDeleteRepository()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/deleteRepository.action?repoid=test&method%3AdeleteContents=Delete+Configuration+and+Contents" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFDeleteArtifact()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/deleteArtifact!doDelete.action?groupId=1&artifactId=1&version=1&repositoryId=snapshots" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFAddRepositoryGroup()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );    
+    }
+
+    public void testCSRFDeleteRepositoryGroup()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/deleteRepositoryGroup.action?repoGroupId=test&method%3Adelete=Confirm" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFDisableProxyConnector()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&source=internal" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFDeleteProxyConnector()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&source=snapshots" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFDeleteLegacyArtifactPath()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/deleteLegacyArtifactPath.action?path=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );      
+    }
+
+    public void testCSRFSaveNetworkProxy()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/saveNetworkProxy.action?mode=add&proxy.id=ntwrk&proxy.protocol=http&" +
+            "proxy.host=test&proxy.port=8080&proxy.username=&proxy.password=" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFDeleteNetworkProxy()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/deleteNetworkProxy!delete.action?proxyid=myproxy" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );    
+    }
+
+    public void testCSRFAddFileTypePattern()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/repositoryScanning!addFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFRemoveFileTypePattern()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/repositoryScanning!removeFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );    
+    }
+
+    public void testCSRFUpdateKnownConsumers()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&" +
+            "enabledKnownContentConsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksums&" +
+            "enabledKnownContentConsumers=index-content&enabledKnownContentConsumers=metadata-updater&" +
+            "enabledKnownContentConsumers=repository-purge&enabledKnownContentConsumers=update-db-artifact&" +
+            "enabledKnownContentConsumers=validate-checksums" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFUpdateUnprocessedConsumers()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+    }
+
+    public void testCSRFUpdateCleanupConsumers()
+    {
+        getSelenium().open( baseUrl );
+        getSelenium().open( baseUrl + "/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&" +
+            "enabledCleanupConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-present-remove-indexed" );
+        assertTextPresent( "Security Alert - Invalid Token Found" );
+        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );    
+    }
+}
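Review bot: Every test asserts only that the invalid-token page is rendered, so none would catch an action that shows the alert but still applies the change, or a regression where a valid token is rejected. A follow-up assertion that the targeted object is unchanged, plus one positive case that submits the real form, would close that gap. `testCSRFUpdateUnprocessedConsumers` and `testCSRFUpdateCleanupConsumers` request `/admin/database!…` actions, but no `tokenSession.includeMethods` override for a `database` action is visible in this commit's struts.xml changes, so confirm those two actually reach the interceptor. The fourteen methods also repeat the same four lines; a private helper like the one below keeps the expected messages in one place.

```java
    // private, so the class-level @Test annotation does not register it as a test method
    private void assertRejectedWithoutToken( String actionPath )
    {
        getSelenium().open( baseUrl );
        getSelenium().open( baseUrl + actionPath );
        assertTextPresent( "Security Alert - Invalid Token Found" );
        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
    }

    public void testCSRFDeleteNetworkProxy()
    {
        assertRejectedWithoutToken( "/admin/deleteNetworkProxy!delete.action?proxyid=myproxy" );
    }
    // … unchanged: the remaining test methods, each reduced to a single helper call …
```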
index 78e83d85876b50f259f04d3ff758b187b73073d2..f4a003cb45730ab4cf44836c87679c2daf426089 100644 (file)
@@ -45,6 +45,9 @@
           <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
         <interceptor-ref name="redbackPolicyEnforcement"/>
+        <interceptor-ref name="tokenSession">
+          <param name="excludeMethods">*</param>
+        </interceptor-ref>
         <interceptor-ref name="configuration"/>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>
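Review bot: Adding `tokenSession` to the shared stack with `excludeMethods` set to `*` makes the CSRF check opt-in, so an action is protected only when it carries its own `tokenSession.includeMethods` override and any state-changing action that is missed or added later stays unprotected without warning. The same configuration is repeated in the second stack in the next hunk. Among the mappings visible in this commit, `enableProxyConnector` and `addRepositoryToGroup` appear only as unchanged context with no override; confirm whether they are covered elsewhere. At minimum, add a comment above the interceptor-ref, for example `<!-- CSRF token check is off by default; every state-changing action must set tokenSession.includeMethods -->`. The stack definitions begin and end outside the hunk.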
@@ -62,6 +65,9 @@
         <interceptor-ref name="redbackSecureActions">
           <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
+        <interceptor-ref name="tokenSession">
+          <param name="excludeMethods">*</param>
+        </interceptor-ref>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>
         </interceptor-ref>
            include a result for 'error' -->
       <result name="error">/WEB-INF/jsp/generalError.jsp</result>
       <result name="access_to_no_repos">/WEB-INF/jsp/accessToNoRepos.jsp</result>
-
+      <result name="invalid.token">/WEB-INF/jsp/redback/invalidToken.jsp</result>
+      
     </global-results>
   </package>
 
       <result name="input">/WEB-INF/jsp/deleteArtifact.jsp</result>
       <result name="error">/WEB-INF/jsp/deleteArtifact.jsp</result>
       <result name="success">/WEB-INF/jsp/deleteArtifact.jsp</result>
+      <interceptor-ref name="configuredArchivaStack">
+        <param name="tokenSession.includeMethods">doDelete</param>
+      </interceptor-ref>
     </action>
 
     <action name="checksumSearch" class="searchAction" method="findArtifact">
       <result name="input">/WEB-INF/jsp/admin/repositoryGroups.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/repositoryGroups.jsp</result>
       <result name="success" type="redirect-action">repositoryGroups</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="confirmDeleteRepositoryGroup" class="deleteRepositoryGroupAction" method="confirmDelete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="deleteRepositoryGroup" class="deleteRepositoryGroupAction" method="delete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp</result>
       <result name="success" type="redirect-action">repositoryGroups</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="addRepositoryToGroup" class="repositoryGroupsAction" method="addRepositoryToGroup">
 
     <action name="confirmDeleteRepository" class="deleteManagedRepositoryAction" method="confirmDelete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepository.jsp</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="deleteRepository" class="deleteManagedRepositoryAction" method="delete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepository.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/deleteRepository.jsp</result>
       <result name="success" type="redirect-action">repositories</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="addRemoteRepository" class="addRemoteRepositoryAction" method="input">
     <action name="deleteProxyConnector" class="deleteProxyConnectorAction" method="confirm">
       <result name="input">/WEB-INF/jsp/admin/deleteProxyConnector.jsp</result>
       <result name="success" type="redirect-action">proxyConnectors</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="enableProxyConnector" class="enableProxyConnectorAction" method="confirm">
     <action name="disableProxyConnector" class="disableProxyConnectorAction" method="confirm">
       <result name="input">/WEB-INF/jsp/admin/disableProxyConnector.jsp</result>
       <result name="success" type="redirect-action">proxyConnectors</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>  
+      </interceptor-ref>
     </action>
 
 
     <action name="saveNetworkProxy" class="configureNetworkProxyAction" method="save">
       <result name="input">/WEB-INF/jsp/admin/editNetworkProxy.jsp</result>
       <result name="success" type="redirect-action">networkProxies</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="deleteNetworkProxy" class="configureNetworkProxyAction" method="confirm">
       <result name="input">/WEB-INF/jsp/admin/deleteNetworkProxy.jsp</result>
       <result name="success" type="redirect-action">networkProxies</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <!-- .\ REPOSITORY SCANNING \._____________________________________ -->
       <result name="success" type="redirect-action">
         <param name="actionName">repositoryScanning</param>
       </result>
+      <interceptor-ref name="configuredArchivaStack">
+        <param name="tokenSession.includeMethods">removeFiletypePattern,addFiletypePattern,updateKnownConsumers,updateInvalidConsumers</param>
+      </interceptor-ref>
     </action>
 
     <!-- .\ CONFIGURATION \.___________________________________________ -->
       <result name="input">/WEB-INF/jsp/admin/legacyArtifactPath.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/legacyArtifactPath.jsp</result>
       <result name="success" type="redirect-action">legacyArtifactPath</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
   </package>
index cdd817d9d6fb87b1077fc687d13d80621ee372de..19156a36e96d939c7aa2f1b62f5df2658d098f5a 100644 (file)
@@ -46,6 +46,7 @@
 
   <s:form method="post" action="deleteNetworkProxy!delete" namespace="/admin" validate="true">
     <s:hidden name="proxyid"/>
+    <s:token/>
     <s:submit value="Delete"/>
   </s:form>
 </div>
index 3a12af02fada08cbb33331cc5b2a1806e9a3afb7..fb56d264e329a8604c7458146ecc3c61f74d4a90 100644 (file)
@@ -47,6 +47,7 @@
   <s:form method="post" action="deleteProxyConnector!delete" namespace="/admin" validate="true">
     <s:hidden name="target"/>
     <s:hidden name="source"/>
+    <s:token/>
     <s:submit value="Delete"/>
   </s:form>
 </div>
index 9c6b42db188e53c2979995a7a20a4022244afe7c..5f925e579e1a6ab3c9388f7a7836e64f5904d501 100644 (file)
@@ -63,6 +63,7 @@
 
   <s:form method="post" action="deleteRepository" namespace="/admin" validate="true" theme="simple">
     <s:hidden name="repoid"/>
+    <s:token/>
     <div class="buttons">
       <s:submit value="Delete Configuration Only" method="deleteEntry" />
       <s:submit value="Delete Configuration and Contents" method="deleteContents" />
index 83d130f25e69520fba180310b99e45d0f2658684..69bbd0db42b7b62ab6efe0410fab4f6f19edded5 100644 (file)
@@ -56,6 +56,7 @@
   <s:form method="post" action="deleteRepositoryGroup" namespace="/admin" validate="true" theme="simple">
     <s:hidden name="repoGroupId"/>
     <div class="buttons">
+      <s:token/>
       <s:submit value="Confirm" method="delete"/>
       <s:submit value="Cancel" method="execute"/>
     </div>
index b496b4122369c72b086ebd63a5bc3ab997c0edba..52c69ba8cdbe1756bddb79b2d89f8a594f3b97a5 100644 (file)
@@ -43,6 +43,7 @@
   <s:form method="post" action="disableProxyConnector!disable" namespace="/admin" validate="true">
     <s:hidden name="target"/>
     <s:hidden name="source"/>
+    <s:token/>
     <s:submit value="Disable"/>
   </s:form>
 </div>
index 29f8ffef6477f77e0ae15d537d96f91c5bea3e0f..f7dd33ec07fd47e2cdc2c4a3002d28db777e7d2f 100644 (file)
@@ -50,6 +50,7 @@
   
   <s:form method="post" action="saveNetworkProxy" namespace="/admin">
     <s:hidden name="mode"/>
+    <s:token/>
     
        <c:choose>
          <c:when test="${mode == 'edit'}">
index 0a0167c62379b957fecef8cf895cfe2307710478..2cb6bdcae79f99604dfa44aba691b293459bb198 100644 (file)
 <div class="controls">\r
     <%-- TODO: make some icons --%>\r
   <redback:ifAnyAuthorized permissions="archiva-manage-configuration">\r
+    <s:token/>\r
     <s:url id="deleteLegacyArtifactPath" action="deleteLegacyArtifactPath">\r
       <s:param name="path" value="%{#attr.legacyArtifactPath.path}"/>\r
+      <s:param name="struts.token.name">struts.token</s:param>\r
+      <s:param name="struts.token"><s:property value="struts.token"/></s:param>\r
     </s:url>\r
     <s:a href="%{deleteLegacyArtifactPath}">\r
       <img src="<c:url value="/images/icons/delete.gif" />" alt="" width="16" height="16"/>\r
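Review bot: Copying `struts.token` into the `<s:url>` parameters puts the anti-CSRF token in the query string of a GET link, where it can be recorded in browser history, access logs and `Referer` headers. Judging by the test URL in this commit, this link appears to invoke `deleteLegacyArtifactPath` directly rather than a confirmation page. The same pattern is added in networkProxies.jsp, proxyConnectors.jsp, repositories.jsp and repositoryGroups.jsp. A small `<s:form method="post" action="deleteLegacyArtifactPath" namespace="/admin">` holding the `path` hidden field and `<s:token/>`, like the delete forms changed elsewhere in this commit, would keep the token in the request body and make the state change a POST. The surrounding loop and markup lie outside the hunk.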
index 44eb18a049ce054cb75d83182fea95ff2f862ee8..33aec91c5d3288cca3989a1c74632be9de7a245f 100644 (file)
       <div class="controls">
       <redback:ifAnyAuthorized
         permissions="archiva-manage-configuration">
+        <s:token/>
         <s:url id="editNetworkProxyUrl" action="editNetworkProxy">
           <s:param name="proxyid" value="%{#attr.proxy.id}" />
         </s:url>
         <s:url id="deleteNetworkProxyUrl" action="deleteNetworkProxy" method="confirm">
           <s:param name="proxyid" value="%{#attr.proxy.id}" />
+          <s:param name="struts.token.name">struts.token</s:param>
+          <s:param name="struts.token"><s:property value="struts.token"/></s:param>
         </s:url>
         <s:a href="%{editNetworkProxyUrl}">
           <img src="<c:url value="/images/icons/edit.png" />" />
index 83a915c86941d44053cff0cb83fce6b7bb648e61..c42ba4f5457bcec455a6fb378b7f8947e0af2173 100644 (file)
   <div class="connector ${rowColor}"> 
     <div class="controls">
       <redback:ifAnyAuthorized permissions="archiva-manage-configuration">
+        <s:token/>
         <s:url id="sortDownProxyConnectorUrl" action="sortDownProxyConnector">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
           <s:param name="target" value="%{#attr.connector.targetRepoId}"/>
         <s:url id="deleteProxyConnectorUrl" action="deleteProxyConnector" method="confirmDelete">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
           <s:param name="target" value="%{#attr.connector.targetRepoId}"/>
+          <s:param name="struts.token.name">struts.token</s:param>
+          <s:param name="struts.token"><s:property value="struts.token"/></s:param>
         </s:url>
         <s:url id="enableProxyConnectorUrl" action="enableProxyConnector" method="confirmEnable">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
         <s:url id="disableProxyConnectorUrl" action="disableProxyConnector" method="confirmDisable">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
           <s:param name="target" value="%{#attr.connector.targetRepoId}"/>
+          <s:param name="struts.token.name">struts.token</s:param>
+          <s:param name="struts.token"><s:property value="struts.token"/></s:param>
         </s:url>
         <c:if test="${connector.disabled}">
             <s:a href="%{enableProxyConnectorUrl}" title="Enable Proxy Connector">
index 61341928e7440dda6fe1a03f27b8009147d42b21..312bcd9f0237344792a29547dfbedfdbec92eff5 100644 (file)
     <s:url id="editRepositoryUrl" action="editRepository">
       <s:param name="repoid" value="%{#attr.repository.id}"/>
     </s:url>
+    <s:token/>
     <s:url id="deleteRepositoryUrl" action="confirmDeleteRepository">
       <s:param name="repoid" value="%{#attr.repository.id}"/>
+      <s:param name="struts.token.name">struts.token</s:param>
+      <s:param name="struts.token"><s:property value="struts.token"/></s:param>
     </s:url>
     <s:a href="%{editRepositoryUrl}">
       <img src="<c:url value="/images/icons/edit.png" />" alt="" width="16" height="16"/>
               <img src="<c:url value="/images/icons/edit.png" />" alt="" width="16" height="16"/>
               Edit
             </s:a>
+            <s:token/>
             <s:url id="deleteRepositoryUrl" action="confirmDeleteRemoteRepository">
               <s:param name="repoid" value="%{#attr.repository.id}"/>
+              <s:param name="struts.token.name">struts.token</s:param>
+              <s:param name="struts.token"><s:property value="struts.token"/></s:param>
             </s:url>
             <s:a href="%{deleteRepositoryUrl}">
               <img src="<c:url value="/images/icons/delete.gif" />" alt="" width="16" height="16"/>
index 5804cbb953f013c1e5dafc36b49d75e7c7a999e3..ec7c8c2dda0c720a7795a63426c3337c2caa9bdb 100644 (file)
@@ -50,6 +50,7 @@
     <s:form action="addRepositoryGroup" namespace="/admin">
       <span class="label">Identifier<span style="color:red">*</span>:</span> 
       <s:textfield size="10" label="Identifier" theme="simple" name="repositoryGroup.id"/>
+      <s:token/>
       <s:submit value="Add Group" theme="simple" cssClass="button"/>
     </s:form>
   </redback:ifAnyAuthorized>
   <div class="managedRepo">
     
     <div style="float:right">
+      <s:token/>
       <s:url id="deleteRepositoryGroupUrl" action="confirmDeleteRepositoryGroup">
         <s:param name="repoGroupId" value="%{#attr.repositoryGroup.key}" />
+        <s:param name="struts.token.name">struts.token</s:param>
+        <s:param name="struts.token"><s:property value="struts.token"/></s:param>
       </s:url>
       <s:a href="%{deleteRepositoryGroupUrl}" cssClass="delete">
         <img src="${iconDeleteUrl}"/>
index 60b59c7f6de5f3ad4dc44c6e331e60bccebfd24b..ff768c6f6591e1535f5eaa9d7762ee8d5ff89f6b 100644 (file)
@@ -40,9 +40,9 @@
 <s:actionmessage /> 
 
 <c:url var="iconDeleteUrl" value="/images/icons/delete.gif" /> 
-<c:url var="iconCreateUrl" value="/images/icons/create.png" /> 
-<s:url id="removeFiletypePatternUrl" action="repositoryScanning" method="removeFiletypePattern" /> 
-<s:url id="addFiletypePatternUrl"    action="repositoryScanning" method="addFiletypePattern" /> 
+<c:url var="iconCreateUrl" value="/images/icons/create.png" />
+<s:url id="removeFiletypePatternUrl" action="repositoryScanning" method="removeFiletypePattern"/>
+<s:url id="addFiletypePatternUrl" action="repositoryScanning" method="addFiletypePattern"/>
    
 <script type="text/javascript">
 <!--
     <s:form method="post" action="repositoryScanning" 
              namespace="/admin" validate="false" 
              id="filetypeForm" theme="simple">
+      <s:token/>
       <input type="hidden" name="pattern" />
       <input type="hidden" name="fileTypeId" />
     </s:form>
-
-    <s:url id="addFiletypePatternUrl" action="repositoryScanning" method="addFiletypePattern" />
-
+    
     <c:forEach items="${fileTypeIds}" var="filetypeId" varStatus="j">
 
       <div class="filetype">
             </td>
             <td class="controls ${bgcolor}">
               <s:a href="#" title="Remove [%{#attr.escapedPattern}] Pattern from [%{#attr.filetypeId}]"
-                    onclick="removeFiletypePattern( '%{#attr.filetypeId}', '%{#attr.escapedPattern}' )" 
+                    onclick="removeFiletypePattern( '%{#attr.filetypeId}', '%{#attr.escapedPattern}' )"
                     theme="simple">
                 <img src="${iconDeleteUrl}" />
               </s:a>
 
     <s:form method="post" action="repositoryScanning!updateKnownConsumers" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>
     <table class="consumers">
       <tr>
         <th>&nbsp;</th>
 
     <s:form method="post" action="repositoryScanning!updateInvalidConsumers" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>         
     <table class="consumers">
       <tr>
         <th>&nbsp;</th>
index af8993a0a3a374447bb5637b80266b67daad8635..d518a52d05075356c0996de22896fd9abd04dac8 100644 (file)
@@ -36,6 +36,7 @@
   <div id="contentArea">
     <s:form action="deleteArtifact!doDelete" namespace="/" method="post" validate="true">    
       <%@ include file="/WEB-INF/jsp/include/deleteArtifactForm.jspf" %>
+      <s:token/>
       <s:submit/>
     </s:form>
   </div>
diff --git a/pom.xml b/pom.xml
index ad96807b54039021cd451e54ecfa33da75f7da5c..fe65fa013e71d97a22ca3a80fba1253f85da3668 100644 (file)
--- a/pom.xml
+++ b/pom.xml
       <dependency>
         <groupId>commons-codec</groupId>
         <artifactId>commons-codec</artifactId>
-        <version>1.3</version>
+        <version>1.4</version>
       </dependency>
       <dependency>
         <groupId>commons-collections</groupId>
         </plugins>
       </build>
     </profile>
+    <profile>
+      <id>snapshots-build</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <repositories>
+        <repository>
+          <id>redback.snapshots</id>
+          <name>Codehaus Redback Snapshots Repository</name>
+          <url>http://snapshots.repository.codehaus.org/</url>
+          <releases>
+            <enabled>false</enabled>
+          </releases>
+          <snapshots>
+            <enabled>true</enabled>
+          </snapshots>
+        </repository>
+      </repositories>
+    </profile>
   </profiles>
   <!-- TODO: we need to push this into the parent, and also upgrade to the latest ASF parent POM -->
   <distributionManagement>
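Review bot: The new `snapshots-build` profile is `activeByDefault` and adds a snapshot repository over plain `http://`, so every default build resolves mutable SNAPSHOT artifacts from an external host over a channel with no integrity protection. The commit message says this is how the Redback 1.2.8-SNAPSHOT fix is pulled in. Consider `<activeByDefault>false</activeByDefault>` so the repository is used only when explicitly requested, and `<checksumPolicy>fail</checksumPolicy>` inside `<snapshots>` so that corrupted downloads are at least rejected; an `https://` URL would be preferable if the host offers one. The profile should be removed once a released Redback version with the fix is available. The enclosing `<profiles>` element begins outside the hunk.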