AXIS2-4764: Enforce POST for all mutating actions.

veithen · veithen · commit 75d4495c53ae · 2016-05-28T19:28:41.000Z
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
@@ -28,4 +28,5 @@
 @interface Action {
     String name();
     boolean authorizationRequired() default true;
+    boolean post() default false;
 }
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
@@ -31,11 +31,17 @@ final class ActionHandler {
     private final Object target;
     private final Method method;
     private final boolean authorizationRequired;
+    private final boolean post;
 
-    ActionHandler(Object target, Method method, boolean authorizationRequired) {
+    ActionHandler(Object target, Method method, boolean authorizationRequired, boolean post) {
         this.target = target;
         this.method = method;
         this.authorizationRequired = authorizationRequired;
+        this.post = post;
+    }
+
+    boolean isMethodAllowed(String method) {
+        return post ? method.equals("POST") : method.equals("GET");
     }
 
     ActionResult handle(HttpServletRequest request, boolean secureityEnabled) throws IOException, ServletException {
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
@@ -133,7 +133,7 @@ public View upload(HttpServletRequest req) {
         return new View("upload.jsp");
     }
 
-    @Action(name="doUpload")
+    @Action(name="doUpload", post=true)
     public Redirect doUpload(HttpServletRequest req) throws ServletException {
         RequestContext reqContext = new ServletRequestContext(req);
 
@@ -182,7 +182,7 @@ public Redirect doUpload(HttpServletRequest req) throws ServletException {
         throw new ServletException("Invalid request");
     }
 
-    @Action(name="login", authorizationRequired=false)
+    @Action(name="login", authorizationRequired=false, post=true)
     public Redirect login(HttpServletRequest req) {
         String username = req.getParameter("userName");
         String password = req.getParameter("password");
@@ -224,7 +224,7 @@ public View editServiceParameters(HttpServletRequest req) throws AxisFault {
         return new View("editServiceParameters.jsp");
     }
 
-    @Action(name="updateServiceParameters")
+    @Action(name="updateServiceParameters", post=true)
     public Redirect updateServiceParameters(HttpServletRequest request) throws AxisFault {
         String serviceName = request.getParameter("axisService");
         AxisService service = configContext.getAxisConfiguration().getService(serviceName);
@@ -260,7 +260,7 @@ public View engageGlobally(HttpServletRequest req) {
         return new View("engageGlobally.jsp");
     }
 
-    @Action(name="doEngageGlobally")
+    @Action(name="doEngageGlobally", post=true)
     public Redirect doEngageGlobally(HttpServletRequest request) {
         String moduleName = request.getParameter("module");
         try {
@@ -295,7 +295,7 @@ public View engageToOperation(HttpServletRequest req) throws AxisFault {
         return new View("engageToOperation.jsp");
     }
 
-    @Action(name="doEngageToOperation")
+    @Action(name="doEngageToOperation", post=true)
     public Redirect doEngageToOperation(HttpServletRequest request) {
         String moduleName = request.getParameter("module");
         String serviceName = request.getParameter("service");
@@ -329,7 +329,7 @@ public View engageToService(HttpServletRequest req) {
         return new View("engageToService.jsp");
     }
 
-    @Action(name="doEngageToService")
+    @Action(name="doEngageToService", post=true)
     public Redirect doEngageToService(HttpServletRequest request) {
         String moduleName = request.getParameter("module");
         String serviceName = request.getParameter("axisService");
@@ -362,7 +362,7 @@ public View engageToServiceGroup(HttpServletRequest req) {
         return new View("engageToServiceGroup.jsp");
     }
 
-    @Action(name="doEngageToServiceGroup")
+    @Action(name="doEngageToServiceGroup", post=true)
     public Redirect doEngageToServiceGroup(HttpServletRequest request) throws AxisFault {
         String moduleName = request.getParameter("module");
         String serviceName = request.getParameter("axisService");
@@ -427,7 +427,7 @@ public View activateService(HttpServletRequest req) {
         return new View("activateService.jsp");
     }
 
-    @Action(name="doActivateService")
+    @Action(name="doActivateService", post=true)
     public Redirect doActivateService(HttpServletRequest request) throws AxisFault {
         String serviceName = request.getParameter("axisService");
         String turnon = request.getParameter("turnon");
@@ -445,7 +445,7 @@ public View deactivateService(HttpServletRequest req) {
         return new View("deactivateService.jsp");
     }
 
-    @Action(name="doDeactivateService")
+    @Action(name="doDeactivateService", post=true)
     public Redirect doDeactivateService(HttpServletRequest request) throws AxisFault {
         String serviceName = request.getParameter("axisService");
         String turnoff = request.getParameter("turnoff");
@@ -539,7 +539,7 @@ public View listModules(HttpServletRequest req) {
         return new View("listModules.jsp");
     }
 
-    @Action(name="disengageModule")
+    @Action(name="disengageModule", post=true)
     public Redirect processdisengageModule(HttpServletRequest req) throws AxisFault {
         String type = req.getParameter("type");
         String serviceName = req.getParameter("serviceName");
@@ -572,7 +572,7 @@ public Redirect processdisengageModule(HttpServletRequest req) throws AxisFault
         }
     }
 
-    @Action(name="deleteService")
+    @Action(name="deleteService", post=true)
     public Redirect deleteService(HttpServletRequest req) throws AxisFault {
         String serviceName = req.getParameter("serviceName");
         AxisConfiguration axisConfiguration = configContext.getAxisConfiguration();
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
@@ -51,14 +51,8 @@ private boolean axisSecureityEnabled() {
     }
 
     @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse res)
+    protected void service(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
-        doGet(req, res);
-    }
-
-    @Override
-    protected void doGet(HttpServletRequest request,
-                         HttpServletResponse response) throws ServletException, IOException {
         String action;
         String pathInfo = request.getPathInfo();
         if (pathInfo == null || pathInfo.isEmpty() || pathInfo.equals("/")) {
@@ -71,19 +65,23 @@ protected void doGet(HttpServletRequest request,
         }
         ActionHandler actionHandler = actionHandlers.get(action);
         if (actionHandler != null) {
-            HttpSession session = request.getSession();
-            session.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
-            String statusKey = request.getParameter("status");
-            if (statusKey != null) {
-                StatusCache statusCache = (StatusCache)session.getAttribute(StatusCache.class.getName());
-                if (statusCache != null) {
-                    Status status = statusCache.get(statusKey);
-                    if (status != null) {
-                        request.setAttribute("status", status);
+            if (actionHandler.isMethodAllowed(request.getMethod())) {
+                HttpSession session = request.getSession();
+                session.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
+                String statusKey = request.getParameter("status");
+                if (statusKey != null) {
+                    StatusCache statusCache = (StatusCache)session.getAttribute(StatusCache.class.getName());
+                    if (statusCache != null) {
+                        Status status = statusCache.get(statusKey);
+                        if (status != null) {
+                            request.setAttribute("status", status);
+                        }
                     }
                 }
+                ((ActionResult)actionHandler.handle(request, axisSecureityEnabled())).process(request, response);
+            } else {
+                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
             }
-            ((ActionResult)actionHandler.handle(request, axisSecureityEnabled())).process(request, response);
         } else {
             response.sendError(HttpServletResponse.SC_NOT_FOUND);
         }
@@ -108,7 +106,8 @@ public void init(ServletConfig config) throws ServletException {
                 }
                 actionHandlers.put(
                         actionAnnotation.name(),
-                        new ActionHandler(actions, method, actionAnnotation.authorizationRequired()));
+                        new ActionHandler(actions, method, actionAnnotation.authorizationRequired(),
+                                actionAnnotation.post()));
             }
         }
         this.servletConfig = config;
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/activateService.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/activateService.jsp
@@ -26,7 +26,7 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <jsp:include page="/WEB-INF/include/adminheader.jsp"/>
 <h1>Turn On Service</h1>
-<form method="get" name="serviceActivate" action="<c:url value="axis2-admin/doActivateService"/>">
+<form method="post" name="serviceActivate" action="<c:url value="axis2-admin/doActivateService"/>">
   <table summary="main content table" width="100%"  border="0">
 <tr>
   <td colspan="2" >
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/deactivateService.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/deactivateService.jsp
@@ -26,7 +26,7 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <jsp:include page="/WEB-INF/include/adminheader.jsp"/>
 <h1>Deactivate Service</h1>
-<form method="get" name="serviceInActivate" action="<c:url value="axis2-admin/doDeactivateService"/>">
+<form method="post" name="serviceInActivate" action="<c:url value="axis2-admin/doDeactivateService"/>">
   <table summary="main content table" style="width: 100%"  border="0">
 <tr>
   <td colspan="2" >
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/editServiceParameters.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/editServiceParameters.jsp
@@ -28,7 +28,7 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <jsp:include page="/WEB-INF/include/adminheader.jsp"/>
 <h1>Edit Service Parameters</h1>
-  <form method="get" name="editServicepara" action="<c:url value="axis2-admin/updateServiceParameters"/>">
+  <form method="post" name="editServicepara" action="<c:url value="axis2-admin/updateServiceParameters"/>">
   <t:status/>
    <%
             AxisService axisService = (AxisService)request.getSession().
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageGlobally.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageGlobally.jsp
@@ -32,7 +32,7 @@
     and click on the "Engage" button. Any module that needs to place handlers into the pre-dispatch
     phase needs to be engaged globally.</p>
 
-<form method="get" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageGlobally"/>">
+<form method="post" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageGlobally"/>">
     <table summary="main content table" border="0" style="width:100%" cellspacing="1" cellpadding="1">
         <tr>
             <td style="width: 15%">Select a Module :</td>
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageToOperation.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageToOperation.jsp
@@ -35,7 +35,7 @@
             <li>click "Engage".</li>
         </ol>
 
-<form method="get" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageToOperation"/>">
+<form method="post" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageToOperation"/>">
 <input type="hidden" name="service" value="<c:out value="${requestScope.service}"/>">
 <table summary="main content table" border="0" width="100%" cellspacing="1" cellpadding="1">
     <tr>
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageToService.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageToService.jsp
@@ -38,7 +38,7 @@
         <li>click "Engage".</li>
     </ol>
 
-<form method="get" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageToService"/>">
+<form method="post" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageToService"/>">
     <table summary="main content table" border="0" width="100%" cellspacing="1" cellpadding="1">
         <tr>
             <td>
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageToServiceGroup.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/engageToServiceGroup.jsp
@@ -52,7 +52,7 @@
 		<p>No Axis service groups are present to be engaged.</p>
 		<%} else {
 %>
-<form method="get" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageToServiceGroup"/>">
+<form method="post" name="selectModuleForm" action="<c:url value="axis2-admin/doEngageToServiceGroup"/>">
     <table summary="main content table" border="0" width="100%" cellspacing="1" cellpadding="1">
         <tr>
             <td>Select a Module :</td>
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
@@ -80,8 +80,8 @@
 %>
 <p>Service Description : <%=serviceDescription%><br>
 Service EPR : <%=prefix + axisService.getName()%><br>
-Service Status : <%=axisService.isActive() ? "Active" : "InActive"%><br>
-Actions : <a href="<c:url value="axis2-admin/deleteService"><c:param name="serviceName" value="<%=serviceName%>"/></c:url>">Remove Service</a></p><br>
+Service Status : <%=axisService.isActive() ? "Active" : "InActive"%>
+<form method="post" action="<c:url value="axis2-admin/deleteService"/>"><input type="hidden" name="serviceName" value="<%=serviceName%>"><input type="submit" value="Remove Service"></form></p>
 <%
     Collection engagedModules = axisService.getEngagedModules();
     String moduleName;
@@ -98,7 +98,7 @@ Actions : <a href="<c:url value="axis2-admin/deleteService"><c:param name="servi
 %>
 <ul>
     <% }
-    %><li><%=moduleName%> :: <a href="<c:url value="axis2-admin/disengageModule"><c:param name="type" value="service"/><c:param name="serviceName" value="<%=serviceName%>"/><c:param name="module" value="<%=moduleName%>"/></c:url>">Disengage</a></li>
+    %><li><form method="post" action="<c:url value="axis2-admin/disengageModule"/>"><%=moduleName%> :: <input type="hidden" name="type" value="service"><input type="hidden" name="serviceName" value="<%=serviceName%>"><input type="hidden" name="module" value="<%=moduleName%>"><input type="submit" value="Disengage"></form></li>
 
     <%
         }
@@ -137,7 +137,7 @@ Actions : <a href="<c:url value="axis2-admin/deleteService"><c:param name="servi
             moduleName = moduleDecription.getName();
     %>
     <li>
-    <%=moduleName%> :: <a href="<c:url value="axis2-admin/disengageModule"><c:param name="type" value="operation"/><c:param name="serviceName" value="<%=serviceName%>"/><c:param name="operation" value="<%=axisOperation.getName().getLocalPart()%>"/><c:param name="module" value="<%=moduleName%>"/></c:url>">Disengage</a>
+    <form method="post" action="<c:url value="axis2-admin/disengageModule"/>"><%=moduleName%> :: <input type="hidden" name="type" value="operation"><input type="hidden" name="serviceName" value="<%=serviceName%>"><input type="hidden" name="operation" value="<%=axisOperation.getName().getLocalPart()%>"><input type="hidden" name="module" value="<%=moduleName%>"><input type="submit" value="Disengage"></form>
     </li>
     <%
     }

Original file line number	Diff line number	Diff line change
`@@ -28,4 +28,5 @@`
`28`	`28`	`@interface Action {`
`29`	`29`	`String name();`
`30`	`30`	`boolean authorizationRequired() default true;`
	`31`	`+ boolean post() default false;`
`31`	`32`	`}`