SEC-2653: ldap-xml logout is post with CSRF token

Author: Rob Winch

samples/ldap-xml/ldap.gradle

@@ -12,6 +12,8 @@ configurations {
 }
 
 dependencies {
+    compile project(':spring-security-taglibs'),
+            jstlDependencies
 
     runtime project(':spring-security-web'),
             project(':spring-security-config'),

samples/ldap-xml/src/main/webapp/secure/extreme/index.jsp

@@ -1,10 +1,15 @@
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
 
 <html>
 <body>
 <h1>VERY Secure Page</h1>
 This is a protected page. You can only see me if you are a supervisor.
 
 <p><a href="../../">Home</a>
-<p><a href="../../j_spring_security_logout">Logout</a>
+<form action="<c:url value="/j_spring_security_logout"/>" method="post">
+<input type="submit" value="Logoff"/>
+<security:csrfInput/>
+</form>
 </body>
 </html>

samples/ldap-xml/src/main/webapp/secure/index.jsp

@@ -1,4 +1,7 @@
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
 <html>
+<head><title>Secure Page</title></head>
 <body>
 <h1>Secure Page</h1>
 This is a protected page. You can get to me if you've been remembered,
@@ -10,6 +13,9 @@ or if you've authenticated this session.<br><br>
 
 
 <p><a href="../">Home</a>
-<p><a href="../j_spring_security_logout">Logout</a>
+<form action="<c:url value="/j_spring_security_logout"/>" method="post">
+<input type="submit" value="Logoff"/> (also clears any remember-me cookie)
+<security:csrfInput/>
+</form>
 </body>
 </html>