fixed issuer on login page, added CSRF to login / logout, closes #870, closes #824, closes #875

openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag

@@ -89,7 +89,7 @@
 							<ul class="dropdown-menu pull-right">
 								<li><a href="manage/#user/profile" data-toggle="collapse" data-target=".nav-collapse">${ longName }</a></li>
 								<li class="divider"></li>
-								<li><a href="logout" data-toggle="collapse" data-target=".nav-collapse"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
+								<li><a href="" data-toggle="collapse" data-target=".nav-collapse" class="logoutLink"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
 							</ul>
 						</li>
 	                    </security:authorize>
@@ -105,7 +105,7 @@
 	                    <security:authorize access="hasRole('ROLE_USER')">
 						<li><a href="manage/#user/profile">${ longName }</a></li>
 						<li class="divider"></li>
-						<li><a href="logout"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
+						<li><a href="" class="logoutLink"><i class="icon-remove"></i> <spring:message code="topbar.logout"/></a></li>
 	                    </security:authorize>
 	                    <security:authorize access="!hasRole('ROLE_USER')">
 	                    <li>
@@ -113,9 +113,21 @@
 	                    </li>
 	                    </security:authorize>
 	                </ul>
-	                    
+	                <form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }logout" method="POST" class="hidden" id="logoutForm">
+						<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+					</form>
+	                
 	            </div><!--/.nav-collapse -->
 			</c:if>
         </div>
     </div>
 </div>
+
+<script type="text/javascript">
+	$(document).ready(function() {
+		$('.logoutLink').on('click', function(e) {
+			e.preventDefault();
+			$('#logoutForm').submit();
+		});
+	});
+</script>

openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -37,10 +37,6 @@
 		
 	<mvc:view-controller path="/login" view-name="login" />
 
-	<security:http pattern="/login**" use-expressions="true" entry-point-ref="http403EntryPoint">
-		<security:intercept-url pattern="/login**" access="permitAll"/>	
-	</security:http>
-	
 	<security:http disable-url-rewriting="true" use-expressions="true"> 
 		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
 		<security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
@@ -52,6 +48,7 @@
 		<security:headers>
 			<security:frame-options policy="DENY" />
 		</security:headers>
+		<security:csrf />
 	</security:http>	
 
 </beans>

openid-connect-server-webapp/src/main/webapp/WEB-INF/views/login.jsp

@@ -26,8 +26,7 @@ $(document).ready(function() {
 
 	<div class="row-fluid">
 		<div class="span6 offset1 well">
-			<form action="<%=request.getContextPath()%>/j_spring_security_check"
+			<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }j_spring_security_check" method="POST">
-				method="POST">
 				<div>
 					<div class="input-prepend input-block-level">
 						<span class="add-on"><i class="icon-user"></i></span>
@@ -41,6 +40,7 @@ $(document).ready(function() {
 					</div>
 				</div>
 				<div>
+					<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
 					<input type="submit" class="btn" value="Login" name="submit">
 				</div>
 			</form>