Juan Hernandez has uploaded a new change for review.

Change subject: webadmin: Enable RESTAPI CSRF protection
webadmin: Enable RESTAPI CSRF protection This patch changes the webadmin application so that it will always request CSRF protection when creating RESTAPI sessions. Change-Id: I92c41f18bcbb90441f352444dcc78408e8e61b16 Related: https://bugzilla.redhat.com/1077441 Signed-off-by: Juan Hernandez <[email protected]> (cherry picked from commit 86c27b6f57b9361dce29245324e3eec6314841ef) --- M frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java 1 file changed, 5 insertions(+), 1 deletion(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/50/29850/1 diff --git a/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java b/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java index 2605af5..e608b11 100644 --- a/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java +++ b/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java 
@@ -104,8 +104,12 @@ RequestBuilder createRequest() { RequestBuilder requestBuilder = new RequestBuilder(RequestBuilder.GET, restApiBaseUrl); - requestBuilder.setHeader("Prefer", "persistent-auth"); //$NON-NLS-1$ //$NON-NLS-2$ + requestBuilder.setHeader("Prefer", "persistent-auth, csrf-protection"); //$NON-NLS-1$ //$NON-NLS-2$ requestBuilder.setHeader("Session-TTL", getSessionTimeout()); //$NON-NLS-1$ + String sessionId = getSessionId(); + if (sessionId != null) { + requestBuilder.setHeader(SESSION_ID_HEADER, sessionId); + } return requestBuilder; } -- To view, visit http://gerrit.ovirt.org/29850 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I92c41f18bcbb90441f352444dcc78408e8e61b16 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.5 Gerrit-Owner: Juan Hernandez <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
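Review bot: in createRequest(), the new "if (sessionId != null)" guard lets an empty string through, so a blank SESSION_ID_HEADER value could be sent on a request that now also asks for "csrf-protection" in Prefer. Consider also rejecting an empty value there. When getSessionId() returns null the request still goes out with "csrf-protection" requested and no session header; if that is only expected for the initial session-creating call, a short comment saying so would help, since the hunk does not explain how the Prefer value and the session header relate. The commit message says webadmin will "always" request CSRF protection, so it is worth confirming that every REST API request in this class is built through createRequest() and none sets Prefer on its own.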
