Juan Hernandez has uploaded a new change for review.

Change subject: webadmin: Enable RESTAPI CSRF protection
......................................................................

webadmin: Enable RESTAPI CSRF protection

This patch changes the webadmin application so that it will always
request CSRF protection when creating RESTAPI sessions.

Change-Id: I92c41f18bcbb90441f352444dcc78408e8e61b16
Related: https://bugzilla.redhat.com/1077441
Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com>
---
M 
frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java
1 file changed, 4 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/82/29682/1

diff --git 
a/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java
 
b/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java
index 2605af5..b54ef28 100644
--- 
a/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java
+++ 
b/frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java
@@ -104,8 +104,11 @@
 
     RequestBuilder createRequest() {
         RequestBuilder requestBuilder = new RequestBuilder(RequestBuilder.GET, 
restApiBaseUrl);
-        requestBuilder.setHeader("Prefer", "persistent-auth"); //$NON-NLS-1$ 
//$NON-NLS-2$
+        requestBuilder.setHeader("Prefer", "persistent-auth, 
csrf-protection"); //$NON-NLS-1$ //$NON-NLS-2$
         requestBuilder.setHeader("Session-TTL", getSessionTimeout()); 
//$NON-NLS-1$
+        if (restApiSessionId != null) {
+            requestBuilder.setHeader(SESSION_ID_HEADER, restApiSessionId);
+        }
         return requestBuilder;
     }
 
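Review bot: The new `if (restApiSessionId != null)` block in createRequest() starts sending SESSION_ID_HEADER with no comment explaining why, and the commit message only mentions requesting CSRF protection through the Prefer header. Please add a short comment saying that the header is what the server is expected to check once "csrf-protection" has been requested (if that is the intent), and that the first request, made while restApiSessionId is still null, deliberately goes out without it. The guard also only excludes null: if the field can ever be reset to an empty string instead of null, the header would be sent with an empty value, so either document that null is the only "no session" state or test for empty as well.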


-- 
To view, visit http://gerrit.ovirt.org/29682
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I92c41f18bcbb90441f352444dcc78408e8e61b16
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches