From: Maria Odea B. Ching <oching@apache.org>
Date: Thu, 7 Apr 2011 12:01:59 +0000 (+0000)
Subject: [MRM-1480]/[REDBACK-274] (CVE-2011-1026)
X-Git-Tag: archiva-1.3.5^2~15
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=622d4ecd46de0e48a8233542a89892eedbeefec4;p=archiva.git

[MRM-1480]/[REDBACK-274] (CVE-2011-1026)
o upgrade to redback 1.2.8-SNAPSHOT
o configured struts2's token interceptor + use of <s:token> in affected actions to prevent CSRF issue


git-svn-id: https://svn.apache.org/repos/asf/archiva/branches/archiva-1.3.x@1089839 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/archiva-modules/archiva-web/archiva-webapp-test/pom.xml b/archiva-modules/archiva-web/archiva-webapp-test/pom.xml
index bf5b98a5b..037b7ae39 100644
--- a/archiva-modules/archiva-web/archiva-webapp-test/pom.xml
+++ b/archiva-modules/archiva-web/archiva-webapp-test/pom.xml
@@ -23,7 +23,7 @@
   <parent>
     <groupId>org.apache.archiva</groupId>
     <artifactId>archiva-web</artifactId>
-    <version>1.3.5-SNAPSHOT</version>
+    <version>1.3.6-SNAPSHOT</version>
   </parent>
   <artifactId>archiva-webapp-test</artifactId>
   <packaging>pom</packaging>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
index fb2db2159..58ac529aa 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
@@ -47,6 +47,9 @@
           <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
         <interceptor-ref name="redbackPolicyEnforcement"/>
+        <interceptor-ref name="tokenSession">
+          <param name="excludeMethods">*</param>
+        </interceptor-ref>
         <interceptor-ref name="configuration"/>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>
@@ -65,6 +68,9 @@
         <interceptor-ref name="redbackSecureActions">
           <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
+        <interceptor-ref name="tokenSession">
+          <param name="excludeMethods">*</param>
+        </interceptor-ref>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>
         </interceptor-ref>
@@ -133,6 +139,7 @@
            include a result for 'error' -->
       <result name="error">/WEB-INF/jsp/generalError.jsp</result>
       <result name="access_to_no_repos">/WEB-INF/jsp/accessToNoRepos.jsp</result>
+      <result name="invalid.token">/WEB-INF/jsp/redback/invalidToken.jsp</result>
       
     </global-results>
   </package>
@@ -179,6 +186,9 @@
       <result name="input">/WEB-INF/jsp/deleteArtifact.jsp</result>
       <result name="error">/WEB-INF/jsp/deleteArtifact.jsp</result>
       <result name="success">/WEB-INF/jsp/deleteArtifact.jsp</result>
+      <interceptor-ref name="configuredArchivaStack">
+        <param name="tokenSession.includeMethods">doDelete</param>
+      </interceptor-ref>
     </action>
 
     <action name="checksumSearch" class="searchAction" method="findArtifact">
@@ -253,19 +263,25 @@
       <result name="input">/WEB-INF/jsp/admin/repositoryGroups.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/repositoryGroups.jsp</result>
       <result name="success" type="redirect-action">repositoryGroups</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
     
     <action name="confirmDeleteRepositoryGroup" class="deleteRepositoryGroupAction" method="confirmDelete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
     
     <action name="deleteRepositoryGroup" class="deleteRepositoryGroupAction" method="delete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp</result>
       <result name="success" type="redirect-action">repositoryGroups</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 	
     <action name="addRepositoryToGroup" class="repositoryGroupsAction" method="addRepositoryToGroup">
@@ -325,14 +341,18 @@
 
     <action name="confirmDeleteRepository" class="deleteManagedRepositoryAction" method="confirmDelete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepository.jsp</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="deleteRepository" class="deleteManagedRepositoryAction" method="delete">
       <result name="input">/WEB-INF/jsp/admin/deleteRepository.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/deleteRepository.jsp</result>
       <result name="success" type="redirect-action">repositories</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="addRemoteRepository" class="addRemoteRepositoryAction" method="input">
@@ -394,7 +414,9 @@
     <action name="deleteProxyConnector" class="deleteProxyConnectorAction" method="confirm">
       <result name="input">/WEB-INF/jsp/admin/deleteProxyConnector.jsp</result>
       <result name="success" type="redirect-action">proxyConnectors</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
     
     <action name="enableProxyConnector" class="enableProxyConnectorAction" method="confirm">
@@ -406,7 +428,9 @@
     <action name="disableProxyConnector" class="disableProxyConnectorAction" method="confirm">
       <result name="input">/WEB-INF/jsp/admin/disableProxyConnector.jsp</result>
       <result name="success" type="redirect-action">proxyConnectors</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>  
+      </interceptor-ref>
     </action>
 
 
@@ -431,13 +455,17 @@
     <action name="saveNetworkProxy" class="configureNetworkProxyAction" method="save">
       <result name="input">/WEB-INF/jsp/admin/editNetworkProxy.jsp</result>
       <result name="success" type="redirect-action">networkProxies</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <action name="deleteNetworkProxy" class="configureNetworkProxyAction" method="confirm">
       <result name="input">/WEB-INF/jsp/admin/deleteNetworkProxy.jsp</result>
       <result name="success" type="redirect-action">networkProxies</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
     <!-- .\ REPOSITORY SCANNING \._____________________________________ -->
@@ -447,6 +475,9 @@
       <result name="success" type="redirect-action">
         <param name="actionName">repositoryScanning</param>
       </result>
+      <interceptor-ref name="configuredArchivaStack">
+        <param name="tokenSession.includeMethods">removeFiletypePattern,addFiletypePattern,updateKnownConsumers,updateInvalidConsumers</param>
+      </interceptor-ref>
     </action>
 
     <!-- .\ DATABASE \.________________________________________________ -->
@@ -456,6 +487,9 @@
       <result name="success" type="redirect-action">
         <param name="actionName">database</param>
       </result>
+      <interceptor-ref name="configuredArchivaStack">
+        <param name="tokenSession.includeMethods">updateSchedule,updateUnprocessedConsumers,updateCleanupConsumers</param>
+      </interceptor-ref>
     </action>
 
     <action name="updateDatabase" class="schedulerAction" method="updateDatabase">
@@ -504,7 +538,9 @@
       <result name="input">/WEB-INF/jsp/admin/legacyArtifactPath.jsp</result>
       <result name="error">/WEB-INF/jsp/admin/legacyArtifactPath.jsp</result>
       <result name="success" type="redirect-action">legacyArtifactPath</result>
-      <interceptor-ref name="configuredPrepareParamsStack"/>
+      <interceptor-ref name="configuredPrepareParamsStack">
+        <param name="tokenSession.includeMethods">*</param>
+      </interceptor-ref>
     </action>
 
   </package>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/database.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/database.jsp
index 23dfa4155..8122764bb 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/database.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/database.jsp
@@ -48,6 +48,7 @@
 
   <s:form method="post" action="database!updateSchedule" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>
     <table>
       <s:textfield name="cron" label="Cron" size="40" theme="xhtml" />
       <tr>
@@ -74,6 +75,7 @@
 
     <s:form method="post" action="database!updateUnprocessedConsumers" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>         
     <table class="consumers">
       <tr>
         <th>&nbsp;</th>
@@ -129,6 +131,7 @@
 
     <s:form method="post" action="database!updateCleanupConsumers" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>
     <table class="consumers">
       <tr>
         <th>&nbsp;</th>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp
index cdd817d9d..19156a36e 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp
@@ -46,6 +46,7 @@
 
   <s:form method="post" action="deleteNetworkProxy!delete" namespace="/admin" validate="true">
     <s:hidden name="proxyid"/>
+    <s:token/>
     <s:submit value="Delete"/>
   </s:form>
 </div>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp
index 3a12af02f..fb56d264e 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp
@@ -47,6 +47,7 @@
   <s:form method="post" action="deleteProxyConnector!delete" namespace="/admin" validate="true">
     <s:hidden name="target"/>
     <s:hidden name="source"/>
+    <s:token/>
     <s:submit value="Delete"/>
   </s:form>
 </div>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp
index 9c6b42db1..5f925e579 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp
@@ -63,6 +63,7 @@
 
   <s:form method="post" action="deleteRepository" namespace="/admin" validate="true" theme="simple">
     <s:hidden name="repoid"/>
+    <s:token/>
     <div class="buttons">
       <s:submit value="Delete Configuration Only" method="deleteEntry" />
       <s:submit value="Delete Configuration and Contents" method="deleteContents" />
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp
index 83d130f25..69bbd0db4 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp
@@ -56,6 +56,7 @@
   <s:form method="post" action="deleteRepositoryGroup" namespace="/admin" validate="true" theme="simple">
     <s:hidden name="repoGroupId"/>
     <div class="buttons">
+      <s:token/>
       <s:submit value="Confirm" method="delete"/>
       <s:submit value="Cancel" method="execute"/>
     </div>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp
index b496b4122..52c69ba8c 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp
@@ -43,6 +43,7 @@
   <s:form method="post" action="disableProxyConnector!disable" namespace="/admin" validate="true">
     <s:hidden name="target"/>
     <s:hidden name="source"/>
+    <s:token/>
     <s:submit value="Disable"/>
   </s:form>
 </div>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp
index 29f8ffef6..f7dd33ec0 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp
@@ -50,6 +50,7 @@
   
   <s:form method="post" action="saveNetworkProxy" namespace="/admin">
     <s:hidden name="mode"/>
+    <s:token/>
     
 	<c:choose>
 	  <c:when test="${mode == 'edit'}">
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp
index 0a0167c62..2cb6bdcae 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp
@@ -73,8 +73,11 @@
 <div class="controls">
     <%-- TODO: make some icons --%>
   <redback:ifAnyAuthorized permissions="archiva-manage-configuration">
+    <s:token/>
     <s:url id="deleteLegacyArtifactPath" action="deleteLegacyArtifactPath">
       <s:param name="path" value="%{#attr.legacyArtifactPath.path}"/>
+      <s:param name="struts.token.name">struts.token</s:param>
+      <s:param name="struts.token"><s:property value="struts.token"/></s:param>
     </s:url>
     <s:a href="%{deleteLegacyArtifactPath}">
       <img src="<c:url value="/images/icons/delete.gif" />" alt="" width="16" height="16"/>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp
index 44eb18a04..33aec91c5 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp
@@ -71,11 +71,14 @@
       <div class="controls">
       <redback:ifAnyAuthorized
         permissions="archiva-manage-configuration">
+        <s:token/>
         <s:url id="editNetworkProxyUrl" action="editNetworkProxy">
           <s:param name="proxyid" value="%{#attr.proxy.id}" />
         </s:url>
         <s:url id="deleteNetworkProxyUrl" action="deleteNetworkProxy" method="confirm">
           <s:param name="proxyid" value="%{#attr.proxy.id}" />
+          <s:param name="struts.token.name">struts.token</s:param>
+          <s:param name="struts.token"><s:property value="struts.token"/></s:param>
         </s:url>
         <s:a href="%{editNetworkProxyUrl}">
           <img src="<c:url value="/images/icons/edit.png" />" />
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp
index 83a915c86..c42ba4f54 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp
@@ -113,6 +113,7 @@
   <div class="connector ${rowColor}"> 
     <div class="controls">
       <redback:ifAnyAuthorized permissions="archiva-manage-configuration">
+        <s:token/>
         <s:url id="sortDownProxyConnectorUrl" action="sortDownProxyConnector">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
           <s:param name="target" value="%{#attr.connector.targetRepoId}"/>
@@ -128,6 +129,8 @@
         <s:url id="deleteProxyConnectorUrl" action="deleteProxyConnector" method="confirmDelete">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
           <s:param name="target" value="%{#attr.connector.targetRepoId}"/>
+          <s:param name="struts.token.name">struts.token</s:param>
+          <s:param name="struts.token"><s:property value="struts.token"/></s:param>
         </s:url>
         <s:url id="enableProxyConnectorUrl" action="enableProxyConnector" method="confirmEnable">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
@@ -136,6 +139,8 @@
         <s:url id="disableProxyConnectorUrl" action="disableProxyConnector" method="confirmDisable">
           <s:param name="source" value="%{#attr.connector.sourceRepoId}"/>
           <s:param name="target" value="%{#attr.connector.targetRepoId}"/>
+          <s:param name="struts.token.name">struts.token</s:param>
+          <s:param name="struts.token"><s:property value="struts.token"/></s:param>
         </s:url>
         <c:if test="${connector.disabled}">
             <s:a href="%{enableProxyConnectorUrl}" title="Enable Proxy Connector">
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp
index 21e584e0f..8050fc39f 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp
@@ -88,8 +88,11 @@
     <s:url id="editRepositoryUrl" action="editRepository">
       <s:param name="repoid" value="%{#attr.repository.id}"/>
     </s:url>
+    <s:token/>
     <s:url id="deleteRepositoryUrl" action="confirmDeleteRepository">
       <s:param name="repoid" value="%{#attr.repository.id}"/>
+      <s:param name="struts.token.name">struts.token</s:param>
+      <s:param name="struts.token"><s:property value="struts.token"/></s:param>
     </s:url>
     <s:a href="%{editRepositoryUrl}">
       <img src="<c:url value="/images/icons/edit.png" />" alt="" width="16" height="16"/>
@@ -299,8 +302,11 @@
               <img src="<c:url value="/images/icons/edit.png" />" alt="" width="16" height="16"/>
               Edit
             </s:a>
+            <s:token/>
             <s:url id="deleteRepositoryUrl" action="confirmDeleteRemoteRepository">
               <s:param name="repoid" value="%{#attr.repository.id}"/>
+              <s:param name="struts.token.name">struts.token</s:param>
+              <s:param name="struts.token"><s:property value="struts.token"/></s:param>
             </s:url>
             <s:a href="%{deleteRepositoryUrl}">
               <img src="<c:url value="/images/icons/delete.gif" />" alt="" width="16" height="16"/>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp
index 5804cbb95..ec7c8c2dd 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp
@@ -50,6 +50,7 @@
     <s:form action="addRepositoryGroup" namespace="/admin">
       <span class="label">Identifier<span style="color:red">*</span>:</span> 
       <s:textfield size="10" label="Identifier" theme="simple" name="repositoryGroup.id"/>
+      <s:token/>
       <s:submit value="Add Group" theme="simple" cssClass="button"/>
     </s:form>
   </redback:ifAnyAuthorized>
@@ -71,8 +72,11 @@
   <div class="managedRepo">
     
     <div style="float:right">
+      <s:token/>
       <s:url id="deleteRepositoryGroupUrl" action="confirmDeleteRepositoryGroup">
         <s:param name="repoGroupId" value="%{#attr.repositoryGroup.key}" />
+        <s:param name="struts.token.name">struts.token</s:param>
+        <s:param name="struts.token"><s:property value="struts.token"/></s:param>
       </s:url>
       <s:a href="%{deleteRepositoryGroupUrl}" cssClass="delete">
         <img src="${iconDeleteUrl}"/>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp
index 60b59c7f6..5617d5c8f 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp
@@ -40,29 +40,31 @@
 <s:actionmessage /> 
 
 <c:url var="iconDeleteUrl" value="/images/icons/delete.gif" /> 
-<c:url var="iconCreateUrl" value="/images/icons/create.png" /> 
-<s:url id="removeFiletypePatternUrl" action="repositoryScanning" method="removeFiletypePattern" /> 
-<s:url id="addFiletypePatternUrl"    action="repositoryScanning" method="addFiletypePattern" /> 
+<c:url var="iconCreateUrl" value="/images/icons/create.png" />
+<s:url id="removeFiletypePatternUrl" action="repositoryScanning" method="removeFiletypePattern"/>
+<s:url id="addFiletypePatternUrl" action="repositoryScanning" method="addFiletypePattern"/>
    
 <script type="text/javascript">
 <!--
-  function removeFiletypePattern(filetypeId, pattern)
+  function removeFiletypePattern(filetypeId, pattern, token)
   {
      var f = document.getElementById('filetypeForm');
      
      f.action = "${removeFiletypePatternUrl}";
      f['pattern'].value = pattern;
      f['fileTypeId'].value = filetypeId;
+     f.elements['struts2Token'].value = token;
      f.submit();
   }
   
-  function addFiletypePattern(filetypeId, newPatternId)
+  function addFiletypePattern(filetypeId, newPatternId, token)
   {
      var f = document.forms['filetypeForm'];
           
      f.action = "${addFiletypePatternUrl}";     
      f.elements['pattern'].value = document.getElementById(newPatternId).value;
      f.elements['fileTypeId'].value = filetypeId;
+     f.elements['struts2Token'].value = token;     
      f.submit();
   }
 //-->
@@ -82,11 +84,17 @@
     <s:form method="post" action="repositoryScanning" 
              namespace="/admin" validate="false" 
              id="filetypeForm" theme="simple">
+      <s:token/>
       <input type="hidden" name="pattern" />
       <input type="hidden" name="fileTypeId" />
+      <input type="hidden" name="struts2Token"/>
     </s:form>
 
-    <s:url id="addFiletypePatternUrl" action="repositoryScanning" method="addFiletypePattern" />
+    <%-- DUPLICATE? IS THIS STILL NEEDED? --%>
+    <s:url id="addFiletypePatternUrl" action="repositoryScanning" method="addFiletypePattern" >
+      <s:param name="struts.token.name">struts.token</s:param>
+      <s:param name="struts.token"><s:property value="struts.token"/></s:param>
+    </s:url>
 
     <c:forEach items="${fileTypeIds}" var="filetypeId" varStatus="j">
 
@@ -97,6 +105,7 @@
       <h3 class="filetype">${filetypeId}</h3>
 
       <table>
+        <s:token id="struts2TokenUd"/>
         <c:forEach items="${fileTypeMap[filetypeId].patterns}" var="pattern" varStatus="i">
           <c:choose>
             <c:when test='${(i.index)%2 eq 0}'>
@@ -115,7 +124,7 @@
             </td>
             <td class="controls ${bgcolor}">
               <s:a href="#" title="Remove [%{#attr.escapedPattern}] Pattern from [%{#attr.filetypeId}]"
-                    onclick="removeFiletypePattern( '%{#attr.filetypeId}', '%{#attr.escapedPattern}' )" 
+                    onclick="removeFiletypePattern( '%{#attr.filetypeId}', '%{#attr.escapedPattern}', '%{#attr.struts2TokenId}' )" 
                     theme="simple">
                 <img src="${iconDeleteUrl}" />
               </s:a>
@@ -131,7 +140,7 @@
           <td>
             <s:a href="#" 
                   title="Add Pattern to [%{#attr.filetypeId}]"
-                  onclick="addFiletypePattern( '%{#attr.filetypeId}', 'newpattern_%{#attr.j.index}' )"
+                  onclick="addFiletypePattern( '%{#attr.filetypeId}', 'newpattern_%{#attr.j.index}', '%{#attr.struts2TokenId}' )"
                   theme="simple">
               <img src="${iconCreateUrl}" />
             </s:a>
@@ -157,6 +166,7 @@
 
     <s:form method="post" action="repositoryScanning!updateKnownConsumers" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>
     <table class="consumers">
       <tr>
         <th>&nbsp;</th>
@@ -213,6 +223,7 @@
 
     <s:form method="post" action="repositoryScanning!updateInvalidConsumers" 
              namespace="/admin" validate="false" theme="simple">
+    <s:token/>         
     <table class="consumers">
       <tr>
         <th>&nbsp;</th>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/deleteArtifact.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/deleteArtifact.jsp
index af8993a0a..d518a52d0 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/deleteArtifact.jsp
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/deleteArtifact.jsp
@@ -36,6 +36,7 @@
   <div id="contentArea">
     <s:form action="deleteArtifact!doDelete" namespace="/" method="post" validate="true">    
       <%@ include file="/WEB-INF/jsp/include/deleteArtifactForm.jspf" %>
+      <s:token/>
       <s:submit/>
     </s:form>
   </div>
diff --git a/pom.xml b/pom.xml
index 915a88efd..b4e4e64a4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1102,7 +1102,7 @@
   <properties>
     <maven.version>2.0.8</maven.version>
     <wagon.version>1.0-beta-5</wagon.version>
-    <redback.version>1.2.7</redback.version>
+    <redback.version>1.2.8-SNAPSHOT</redback.version>
     <jetty.version>6.1.19</jetty.version>
     <slf4j.version>1.5.8</slf4j.version>
     <binder.version>0.9</binder.version>