From b7d94d1364ebfaca47cbcd9cdc3b4e54510c6068 Mon Sep 17 00:00:00 2001
From: Javier Gayoso <jhavi85@gmail.com>
Date: Thu, 5 Jun 2014 16:11:03 +0200
Subject: [PATCH] Optimized login form - delegated CSRF token creation to
 thymeleaf

Also added additional test to verify behaviour.

Fixes gh-1039
---
 .../src/main/resources/templates/login.html          |  5 ++---
 .../src/main/resources/templates/login.html          |  5 ++---
 .../ui/secure/SampleSecureApplicationTests.java      | 12 ++++++++++++
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html
index 6ca32096c09..b126882c189 100644
--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html
@@ -20,14 +20,13 @@
 			<p th:if="${param.logout}" class="alert">You have been logged out</p>
 			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
 			<h2>Login with Username and Password</h2>
-			<form name="form" action="/login" method="POST">
+			<form name="form" th:action="@{/login}" action="/login" method="POST">
 				<fieldset>
 					<input type="text" name="username" value="" placeholder="Username" />
 					<input type="password" name="password" placeholder="Password" />
 				</fieldset>
 				<input type="submit" id="login" value="Login"
-					class="btn btn-primary" /> <input type="hidden"
-					th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
+					class="btn btn-primary" />
 			</form>
 		</div>
 	</div>
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
index c3cf22e31c7..b126882c189 100644
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
@@ -20,14 +20,13 @@
 			<p th:if="${param.logout}" class="alert">You have been logged out</p>
 			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
 			<h2>Login with Username and Password</h2>
-			<form name="form" action="/login" method="POST">
+			<form name="form" th:action="@{/login}" action="/login" method="POST">
 				<fieldset>
 					<input type="text" name="username" value="" placeholder="Username" />
 					<input type="password" name="password" placeholder="Password" />
 				</fieldset>
 				<input type="submit" id="login" value="Login"
-					class="btn btn-primary" /> <input type="hidden"
-					th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
+					class="btn btn-primary" />
 			</form>
 		</div>
 	</div>
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
index 3d6069bf407..758c506601f 100644
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
@@ -69,6 +69,18 @@ public class SampleSecureApplicationTests {
 				entity.getHeaders().getLocation().toString().endsWith(port + "/login"));
 	}
 
+	@Test
+	public void testLoginPage() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
+		ResponseEntity<String> entity = new TestRestTemplate().exchange(
+				"http://localhost:" + this.port + "/login", HttpMethod.GET, new HttpEntity<Void>(
+						headers), String.class);
+		assertEquals(HttpStatus.OK, entity.getStatusCode());
+		assertTrue("Wrong content:\n" + entity.getBody(),
+				entity.getBody().contains("_csrf"));
+	}
+
 	@Test
 	public void testLogin() throws Exception {
 		HttpHeaders headers = getHeaders();