OF-777 CVE-2015-6973 CSRF protection (part 2)

src/web/audit-policy.jsp

@@ -17,6 +17,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.audit.AuditManager,
                  org.jivesoftware.openfire.user.UserNotFoundException,
@@ -60,6 +61,18 @@
     AuditManager auditManager = XMPPServer.getInstance().getAuditManager();
 
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         auditManager.setEnabled(auditEnabled);
         auditManager.setAuditMessage(auditMessages);
@@ -187,6 +200,7 @@
 
 <!-- BEGIN 'Set Message Audit Policy' -->
 <form action="audit-policy.jsp" name="f">
+    <input type="hidden" name="csrf" value="csrf">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="audit.policy.policytitle" />
 	</div>

src/web/chatroom-history-settings.jsp

@@ -57,6 +57,18 @@
     HistoryStrategy historyStrat = muc.getHistoryStrategy();
 
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         if (policy != ALL && policy != NONE && policy != NUMBER) {
             errors.put("general", "Please choose a valid chat history policy.");
@@ -116,6 +128,7 @@
 </p>
 
 <form action="chatroom-history-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
 <fieldset>
     <legend><fmt:message key="chatroom.history.settings.policy" /></legend>

src/web/compression-settings.jsp

@@ -24,6 +24,8 @@
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -43,6 +45,17 @@
     boolean serverEnabled = ParamUtils.getBooleanParameter(request, "serverEnabled");
 
     final ConnectionManagerImpl connectionManager = (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (update) {
         // Update c2s compression policy
@@ -86,6 +99,7 @@
 
 <!-- BEGIN compression settings -->
 <form action="compression-settings.jsp">
+    <input type="hidden" name="csrf" value="csrf">
 
 	<div class="jive-contentBox" style="-moz-border-radius: 3px;">
 

src/web/connection-managers-settings.jsp

@@ -27,6 +27,7 @@
                  org.jivesoftware.openfire.multiplex.ConnectionMultiplexerManager,
                  org.jivesoftware.openfire.session.ConnectionMultiplexerSession,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.StringUtils"
     errorPage="error.jsp"
 %>
@@ -58,6 +59,18 @@
 
     // Update the session kick policy if requested
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         // Validate params
         if (managerEnabled) {
@@ -167,6 +180,7 @@
 <%  } %>
 
 <form action="connection-managers-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
 <fieldset>
     <div>

src/web/connection-settings-advanced.jsp

 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.Connection" %>
 <%@ page import="org.jivesoftware.openfire.spi.*" %>
 <%@ page import="java.util.*" %>
@@ -12,9 +14,21 @@
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"  />
 <% webManager.init(request, response, session, application, out ); %>
 <%
-    final boolean update = request.getParameter( "update" ) != null;
+    boolean update = request.getParameter( "update" ) != null;
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     pageContext.setAttribute( "errors", errors );
 
     ConnectionType connectionType = null;
@@ -281,6 +295,7 @@
 </p>
 
 <form action="connection-settings-advanced.jsp?connectionType=${connectionType}&connectionMode=${connectionMode}" onsubmit="selectAllOptions('cipherSuitesEnabled')" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="update" value="true" />
 
     <fmt:message key="connection.advanced.settings.tcp.boxtitle" var="tcpboxtitle"/>

src/web/connection-settings-external-components.jsp

@@ -8,6 +8,8 @@
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ModificationNotAllowedException" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="gnu.inet.encoding.StringprepException" %>
 <%@ page import="java.util.HashMap" %>
@@ -28,8 +30,29 @@
     final ConnectionConfiguration legacymodeConfiguration = manager.getListener( connectionType, true  ).generateConnectionConfiguration();
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    boolean update = request.getParameter( "update" ) != null;
+    boolean permissionUpdate = request.getParameter( "permissionUpdate" ) != null;
+    String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
+    boolean componentAllowed = request.getParameter( "componentAllowed" ) != null;
+    boolean componentBlocked = request.getParameter( "componentBlocked" ) != null;
+
+    if (update || permissionUpdate || configToDelete != null || componentAllowed || componentBlocked) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            permissionUpdate = false;
+            configToDelete = null;
+            componentAllowed = false;
+            componentBlocked = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
-    final boolean update = request.getParameter( "update" ) != null;
 
     if ( update && errors.isEmpty() )
     {
@@ -57,7 +80,6 @@
     }
 
     // Process Permission update configuration change.
-    final boolean permissionUpdate = request.getParameter( "permissionUpdate" ) != null;
 
     if ( permissionUpdate && errors.isEmpty() )
     {
@@ -87,7 +109,6 @@
     }
 
     // Process removal of a blacklist or whitelist item.
-    final String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
 
     if ( configToDelete != null && !configToDelete.trim().isEmpty() && errors.isEmpty() )
     {
@@ -107,7 +128,6 @@
     }
 
     // Process addition to whitelist.
-    final boolean componentAllowed = request.getParameter( "componentAllowed" ) != null;
     String subdomain = ParamUtils.getParameter( request, "subdomain" ); // shared with blacklist.
     if ( subdomain != null )
     {
@@ -155,7 +175,6 @@
     }
 
     // Process addition to blacklist.
-    final boolean componentBlocked = request.getParameter( "componentBlocked" ) != null;
 
     if ( componentBlocked && errors.isEmpty() )
     {
@@ -267,6 +286,7 @@
 </p>
 
 <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
     <fmt:message key="component.settings.plaintext.boxtitle" var="plaintextboxtitle"/>
     <admin:contentBox title="${plaintextboxtitle}">
@@ -315,6 +335,7 @@
 <fmt:message key="component.settings.allowed" var="allowedTitle" />
 <admin:contentBox title="${allowedTitle}">
     <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
         <table cellpadding="3" cellspacing="0" border="0" width="100%" >
             <tr valign="top">
                 <td colspan="2">
@@ -372,7 +393,10 @@
                         <td><c:out value="${component.subdomain}"/></td>
                         <td><c:out value="${component.secret}"/></td>
                         <td align="center" style="border-right:1px #ccc solid;">
-                            <c:url var="deleteurl" value="connection-settings-external-components.jsp"><c:param name="deleteConf" value="${component.subdomain}"/></c:url>
+                            <c:url var="deleteurl" value="connection-settings-external-components.jsp">
+                                <c:param name="deleteConf" value="${component.subdomain}"/>
+                                <c:param name="csrf" value="${csrf}"/>
+                            </c:url>
                             <a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                title="<fmt:message key="global.click_delete" />"><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                         </td>
@@ -385,6 +409,7 @@
     <br/>
 
     <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
         <table cellpadding="3" cellspacing="1" border="0">
             <tr>
                 <td nowrap width="1%">
@@ -432,7 +457,10 @@
                         <td>${ status.index + 1}</td>
                         <td><c:out value="${component.subdomain}"/></td>
                         <td align="center" style="border-right:1px #ccc solid;">
-                            <c:url var="deleteurl" value="connection-settings-external-components.jsp"><c:param name="deleteConf" value="${component.subdomain}"/></c:url>
+                            <c:url var="deleteurl" value="connection-settings-external-components.jsp">
+                                <c:param name="deleteConf" value="${component.subdomain}"/>
+                                <c:param name="csrf" value="${csrf}"/>
+                            </c:url>
                             <a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                title="<fmt:message key="global.click_delete" />"><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                         </td>
@@ -445,6 +473,7 @@
     <br/>
 
     <form action="connection-settings-external-components.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
         <table cellpadding="3" cellspacing="1" border="0">
             <tr>
                 <td nowrap width="1%">

src/web/connection-settings-socket-c2s.jsp

@@ -4,6 +4,8 @@
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.openfire.session.ConnectionSettings" %>
 <%@ page import="java.util.HashMap" %>
@@ -22,8 +24,20 @@
     final ConnectionConfiguration plaintextConfiguration  = manager.getListener( connectionType, false ).generateConnectionConfiguration();
     final ConnectionConfiguration legacymodeConfiguration = manager.getListener( connectionType, true  ).generateConnectionConfiguration();
 
-    final boolean update = request.getParameter( "update" ) != null;
+    boolean update = request.getParameter( "update" ) != null;
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if ( update && errors.isEmpty() )
     {
@@ -126,6 +140,7 @@
 </p>
 
 <form action="connection-settings-socket-c2s.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
     <fmt:message key="ssl.settings.client.plaintext.boxtitle" var="plaintextboxtitle"/>
     <admin:contentBox title="${plaintextboxtitle}">

src/web/connection-settings-socket-s2s.jsp

@@ -4,6 +4,7 @@
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 <%@ page import="org.jivesoftware.openfire.server.RemoteServerManager" %>
@@ -22,13 +23,29 @@
 
     final ConnectionConfiguration plaintextConfiguration  = manager.getListener( connectionType, false ).generateConnectionConfiguration();
 
-    final boolean update = request.getParameter( "update" ) != null;
-    final boolean closeSettings = request.getParameter( "closeSettings" ) != null;
-    final boolean serverAllowed = request.getParameter( "serverAllowed" ) != null;
-    final boolean serverBlocked = request.getParameter( "serverBlocked" ) != null;
-    final String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
+    boolean update = request.getParameter( "update" ) != null;
+    boolean closeSettings = request.getParameter( "closeSettings" ) != null;
+    boolean serverAllowed = request.getParameter( "serverAllowed" ) != null;
+    boolean serverBlocked = request.getParameter( "serverBlocked" ) != null;
+    String configToDelete = ParamUtils.getParameter( request, "deleteConf" );
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update || closeSettings || serverAllowed || serverBlocked || configToDelete != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            closeSettings = false;
+            serverAllowed = false;
+            serverBlocked = false;
+            configToDelete = null;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if ( update && errors.isEmpty() )
     {
@@ -262,6 +279,7 @@
 </p>
 
 <form action="connection-settings-socket-s2s.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
     <fmt:message key="server2server.settings.boxtitle" var="boxtitle"/>
     <admin:contentBox title="${boxtitle}">
@@ -290,6 +308,7 @@
 
 <!-- BEGIN 'Idle Connection Settings' -->
 <form action="connection-settings-socket-s2s.jsp?closeSettings" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <fmt:message key="server2server.settings.close_settings" var="idleTitle"/>
     <admin:contentBox title="${idleTitle}">
         <table cellpadding="3" cellspacing="0" border="0">
@@ -329,6 +348,7 @@
 <fmt:message key="server2server.settings.allowed" var="allowedTitle"/>
 <admin:contentBox title="${allowedTitle}">
     <form action="connection-settings-socket-s2s.jsp" method="post">
+        <input type="hidden" name="csrf" value="csrf">
         <table cellpadding="3" cellspacing="0" border="0">
             <tr valign="top">
                 <td width="1%" nowrap>
@@ -357,6 +377,7 @@
     </form>
 
     <form action="connection-settings-socket-s2s.jsp" method="post">
+        <input type="hidden" name="csrf" value="csrf">
         <table class="jive-table" cellpadding="0" cellspacing="0" border="0" width="100%">
             <tr>
                 <th width="1%">&nbsp;</th>
@@ -377,7 +398,11 @@
                             <td><c:out value="${server.domain}"/></td>
                             <td><c:out value="${server.remotePort}"/></td>
                             <td align="center" style="border-right:1px #ccc solid;">
-                                <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('connection-settings-socket-s2s.jsp?deleteConf=${server.domain}'); } "
+                                <c:url var="deleteurl" value="connection-settings-socket-s2s.jsp">
+                                    <c:param name="deleteConf" value="${server.domain}"/>
+                                    <c:param name="csrf" value="${csrf}"/>
+                                </c:url>
+                                <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                    title="<fmt:message key="global.click_delete" />"
                                         ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                             </td>
@@ -429,7 +454,11 @@
                         <td>${ status.index + 1}</td>
                         <td><c:out value="${server.domain}"/></td>
                         <td align="center" style="border-right:1px #ccc solid;">
-                            <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('connection-settings-socket-s2s.jsp?deleteConf=${server.domain}'); } "
+                                <c:url var="deleteurl" value="connection-settings-socket-s2s.jsp">
+                                    <c:param name="deleteConf" value="${server.domain}"/>
+                                    <c:param name="csrf" value="${csrf}"/>
+                                </c:url>
+                            <a href="#" onclick="if (confirm('<fmt:message key="server2server.settings.confirm_delete" />')) { location.replace('${deleteurl}'); } "
                                title="<fmt:message key="global.click_delete" />"
                                     ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
                         </td>
@@ -440,6 +469,7 @@
     </table>
     <br>
     <form action="connection-settings-socket-s2s.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
         <table cellpadding="3" cellspacing="1" border="0" width="100%">
             <tr>
                 <td nowrap width="1%">

src/web/file-transfer-proxy.jsp

@@ -17,6 +17,8 @@
   - limitations under the License.
 --%>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.filetransfer.proxy.FileTransferProxy" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
@@ -35,6 +37,18 @@
     boolean isUpdated = request.getParameter("update") != null;
     boolean isProxyEnabled = ParamUtils.getBooleanParameter(request, "proxyEnabled");
     int port = ParamUtils.getIntParameter(request, "port", 0);
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (isUpdated) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            isUpdated = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (isUpdated) {
         if (isProxyEnabled) {
@@ -114,6 +128,7 @@ else { %>
 
 <!-- BEGIN 'Proxy Service' -->
 <form action="file-transfer-proxy.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="filetransferproxy.settings.enabled.legend"/>
 	</div>

src/web/group-create.jsp

@@ -25,6 +25,7 @@
     errorPage="error.jsp"
 %>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="java.net.URLEncoder"%>
 <%@ page import="java.util.HashMap"%>
 <%@ page import="java.util.Map" %>
@@ -45,6 +46,19 @@
     String description = ParamUtils.getParameter(request, "description", true);
     
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (create || edit) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            create = false;
+            edit = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -187,6 +201,7 @@
 </p>
 
 <form name="f" action="group-create.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
    <% if (groupName != null) { %>
     <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>" id="existingName">

src/web/group-delete.jsp

@@ -35,6 +35,17 @@
     boolean cancel = request.getParameter("cancel") != null;
     boolean delete = request.getParameter("delete") != null;
     String groupName = ParamUtils.getParameter(request,"group");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {
@@ -81,6 +92,7 @@
 </p>
 
 <form action="group-delete.jsp">
+    <input type="hidden" name="csrf" value="csrf">
 <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
 <input type="submit" name="delete" value="<fmt:message key="group.delete.delete" />">
 <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">

src/web/group-edit.jsp

@@ -30,6 +30,7 @@
 <%@ page import="org.jivesoftware.util.Log"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="org.jivesoftware.util.StringUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
 <%@ page import="org.xmpp.packet.JID"%>
 <%@ page import="org.xmpp.packet.Presence"%>
 <%@ page import="java.io.UnsupportedEncodingException"%>
@@ -71,6 +72,21 @@
     Group group = groupManager.getGroup(groupName);
     boolean success;
     StringBuffer errorBuf = new StringBuffer();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add || delete || updateMember || update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            delete = false;
+            update = false;
+            updateMember = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (cancel) {
         response.sendRedirect("group-summary.jsp");
@@ -325,6 +341,8 @@
 	<div class="jive-horizontalRule"></div>
 
 <form name="ff" action="group-edit.jsp">
+    <input type="hidden" name="csrf" value="csrf">
+
 <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>"/>
 
 
@@ -478,6 +496,7 @@
 		</p>
 
         <form action="group-edit.jsp" method="post" name="f">
+            <input type="hidden" name="csrf" value="csrf">
         <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
         <input type="hidden" name="add" value="Add"/>
         <table cellpadding="3" cellspacing="1" border="0" style="margin: 0 0 8px 0;">
@@ -496,6 +515,7 @@
         <% } %>
 
         <form action="group-edit.jsp" method="post" name="main">
+    <input type="hidden" name="csrf" value="csrf">
         <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
         <table class="jive-table" cellpadding="3" cellspacing="0" border="0" width="435">
             <tr>

src/web/http-bind.jsp

@@ -22,7 +22,7 @@
 <%@ page import="java.util.Map" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="org.jivesoftware.util.Log" %>
-<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.openfire.http.FlashCrossDomainServlet" %>
 <%@ page import="org.jivesoftware.openfire.http.HttpBindManager" %>
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
@@ -83,12 +83,21 @@
 
 <%
     Map<String, String> errorMap = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
     if (request.getParameter("update") != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            errorMap.put("csrf", "CSRF Failure!");
+        } else {
             errorMap = handleUpdate(request);
             // Log the event
             webManager.logEvent("updated HTTP bind settings", null);
         }
+    }
 
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     boolean isHttpBindEnabled = serverManager.isHttpBindEnabled();
     int port = serverManager.getHttpBindUnsecurePort();
     int securePort = serverManager.getHttpBindSecurePort();
@@ -148,6 +157,7 @@
 } %>
 
 <form action="http-bind.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
     <div class="jive-contentBox" style="-moz-border-radius: 3px;">
         <table cellpadding="3" cellspacing="0" border="0">

src/web/import-keystore-certificate.jsp

@@ -3,6 +3,8 @@
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 
@@ -14,7 +16,7 @@
 <% webManager.init(request, response, session, application, out ); %>
 
 <% // Get parameters:
-    final boolean save            = ParamUtils.getParameter(request, "save") != null;
+    boolean save            = ParamUtils.getParameter(request, "save") != null;
     final String privateKey       = ParamUtils.getParameter(request, "privateKey");
     final String passPhrase       = ParamUtils.getParameter(request, "passPhrase");
     final String certificate      = ParamUtils.getParameter(request, "certificate");
@@ -30,6 +32,18 @@
         errors.put( "connectionType", ex.getMessage() );
         connectionType = null;
     }
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (save) {
         if (privateKey == null || privateKey.trim().isEmpty() ) {
@@ -107,6 +121,7 @@
 
 <!-- BEGIN 'Import Private Key and Certificate' -->
 <form action="import-keystore-certificate.jsp?connectionType=${connectionType}" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 
     <c:set var="title"><fmt:message key="ssl.import.certificate.keystore.private-key.title"/></c:set>
     <admin:contentBox title="${title}">

src/web/import-truststore-certificate.jsp

@@ -2,6 +2,8 @@
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
@@ -14,12 +16,24 @@
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"/>
 <%  webManager.init(request, response, session, application, out ); %>
 
-<%  final boolean save             = ParamUtils.getParameter(request, "save") != null;
+<%  boolean save             = ParamUtils.getParameter(request, "save") != null;
     final String alias             = ParamUtils.getParameter(request, "alias");
     final String certificate       = ParamUtils.getParameter(request, "certificate");
     final String storePurposeText  = ParamUtils.getParameter(request, "connectionType");
 
     final Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType;
     try

src/web/manage-updates.jsp

@@ -24,6 +24,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.update.UpdateManager,
                  java.util.HashMap,
@@ -54,6 +55,18 @@
 
     // Update the session kick policy if requested
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
 
         // Validate params
@@ -130,6 +143,7 @@ else if (updateSucess) { %>
 
 <!-- BEGIN manage updates settings -->
 <form action="manage-updates.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 	<!--<div class="jive-contentBoxHeader">
 
 	</div>-->

src/web/media-proxy.jsp

@@ -20,6 +20,7 @@
 
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
@@ -37,10 +38,6 @@
     MediaProxyService mediaProxyService = XMPPServer.getInstance().getMediaProxyService();
 
     boolean stop = request.getParameter("stop") != null;
-    if (stop) {
-        mediaProxyService.stopAgents();
-    }
-
     boolean save = request.getParameter("update") != null;
     boolean success = false;
 
@@ -50,6 +47,22 @@
     int maxPort = mediaProxyService.getMaxPort();
     int echoPort = mediaProxyService.getEchoPort();
     boolean enabled = mediaProxyService.isEnabled();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save || stop) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            stop = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
+
+    if (stop) {
+        mediaProxyService.stopAgents();
+    }
 
     if (save) {
         keepAliveDelay = ParamUtils.getLongParameter(request, "idleTimeout", keepAliveDelay);
@@ -128,6 +141,7 @@
 <% } %>
 
 <form action="media-proxy.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <div class="jive-contentBoxHeader">
         <fmt:message key="mediaproxy.form.label"/>
     </div>
@@ -322,6 +336,7 @@
         </tbody>
     </table>
     <form action="">
+        <input type="hidden" name="csrf" value="csrf">
         <input type="submit" name="stop" value="<fmt:message key="mediaproxy.summary.stopbutton" />"/>
     </form>
 </div>

src/web/muc-create-permission.jsp

@@ -52,6 +52,19 @@
         return;
     }
 
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save || add || delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            add = false;
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Get muc server
     MultiUserChatService mucService = webManager.getMultiUserChatManager().getMultiUserChatService(mucname);
 
@@ -192,6 +205,7 @@
 
 <!-- BEGIN 'Permission Policy' -->
 <form action="muc-create-permission.jsp?save" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.policy" />
@@ -231,6 +245,7 @@
 <%  if (mucService.isRoomCreationRestricted()) { %>
 <!-- BEGIN 'Allowed Users' -->
 <form action="muc-create-permission.jsp?add" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.allowed_users" />
@@ -288,7 +303,7 @@
 						  <%= jidDisplay %></a>
 						</td>
 						<td width="1%" align="center">
-							<a href="muc-create-permission.jsp?userJID=<%= jid.toString() %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
+							<a href="muc-create-permission.jsp?userJID=<%= jid.toString() %>&delete=true&csrf=${csrf}&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
 							 title="<fmt:message key="muc.create.permission.click_title" />"
 							 onclick="return confirm('<fmt:message key="muc.create.permission.confirm_remove" />');"
 							 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/muc-default-settings.jsp

@@ -56,6 +56,18 @@
 
     // Handle a save
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (save) {
         try {
             int max = Integer.parseInt(maxUsers);
@@ -182,6 +194,7 @@
 
 <!-- BEGIN 'Default Room Settings' -->
 <form action="muc-default-settings.jsp?save" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
         <fmt:message key="muc.default.settings.title" />

src/web/muc-history-settings.jsp

@@ -58,6 +58,18 @@
     HistoryStrategy historyStrat = mucService.getHistoryStrategy();
 
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         if (policy != ALL && policy != NONE && policy != NUMBER) {
             errors.put("general", "Please choose a valid chat history policy.");
@@ -135,6 +147,7 @@
 
 <!-- BEGIN 'History Settings' -->
 <form action="muc-history-settings.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.history.settings.legend" />

src/web/muc-room-affiliations.jsp

@@ -26,6 +26,7 @@
                  org.jivesoftware.openfire.group.GroupJID,
                  org.jivesoftware.openfire.group.GroupManager,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.StringUtils,
                  org.xmpp.packet.IQ"
     errorPage="error.jsp"
@@ -66,6 +67,18 @@
     }
 
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle an add
     if (add) {
         // do validation
@@ -214,6 +227,7 @@
 <%  } %>
 
 <form action="muc-room-affiliations.jsp?add" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 <input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
 
 <fieldset>
@@ -282,7 +296,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -321,7 +335,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -362,7 +376,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a><%= StringUtils.escapeHTMLTags(nickname) %>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -401,7 +415,7 @@
                     <%= StringUtils.escapeHTMLTags(userDisplay) %></a>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast&csrf=${csrf}"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/muc-room-delete.jsp

@@ -33,6 +33,17 @@
 <%  // Get parameters //
     boolean cancel = request.getParameter("cancel") != null;
     boolean delete = request.getParameter("delete") != null;
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     JID roomJID = new JID(ParamUtils.getParameter(request,"roomJID"));
     String alternateJIDString = ParamUtils.getParameter(request,"alternateJID");
@@ -93,6 +104,7 @@
 </p>
 
 <form action="muc-room-delete.jsp">
+    <input type="hidden" name="csrf" value="csrf">
 <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 
 <fieldset>

src/web/muc-room-edit-form.jsp

@@ -19,6 +19,7 @@
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.text.DateFormat,
                  java.util.*,
                  org.jivesoftware.openfire.muc.MUCRoom,
@@ -105,6 +106,18 @@
 
     // Handle an save
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (save) {
         // do validation
 
@@ -445,6 +458,7 @@
 <% if (!create) { %>
     <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 <% } %>
+    <input type="hidden" name="csrf" value="csrf">
 <input type="hidden" name="save" value="true">
 <input type="hidden" name="create" value="<%= create %>">
 <input type="hidden" name="roomconfig_persistentroom" value="<%= persistentRoom %>">

src/web/muc-room-occupants.jsp

@@ -21,6 +21,7 @@
                  org.jivesoftware.openfire.muc.MUCRoom,
                  org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.CookieUtils,
                  java.net.URLEncoder,
                  java.text.DateFormat"
     errorPage="error.jsp"
@@ -39,6 +40,17 @@
     String nickName = ParamUtils.getParameter(request,"nickName");
     String kick = ParamUtils.getParameter(request,"kick");
     String roomName = roomJID.getNode();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (kick != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            kick = null;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Load the room object
     MUCRoom room = webManager.getMultiUserChatManager().getMultiUserChatService(roomJID).getChatRoom(roomName);
@@ -162,7 +174,7 @@
             <td><%= StringUtils.escapeHTMLTags(role.getNickname().toString()) %></td>
             <td><%= StringUtils.escapeHTMLTags(role.getRole().toString()) %></td>
             <td><%= StringUtils.escapeHTMLTags(role.getAffiliation().toString()) %></td>
-            <td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
+            <td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1&csrf=${csrf}" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
         </tr>
         <% } %>
     </tbody>

src/web/muc-service-delete.jsp

@@ -34,6 +34,17 @@
     boolean delete = request.getParameter("delete") != null;
     String mucname = ParamUtils.getParameter(request,"mucname");
     String reason = ParamUtils.getParameter(request,"reason");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Handle a cancel
     if (cancel) {

src/web/muc-service-edit-form.jsp

@@ -19,6 +19,7 @@
 
 <%@ page import="org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
                  org.jivesoftware.util.AlreadyExistsException,
                  java.util.*"
     errorPage="error.jsp"
@@ -46,6 +47,17 @@
     boolean success = request.getParameter("success") != null;
     String mucname = ParamUtils.getParameter(request,"mucname");
     String mucdesc = ParamUtils.getParameter(request,"mucdesc");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Load the service object
     if (!create && !webManager.getMultiUserChatManager().isServiceRegistered(mucname)) {
@@ -153,6 +165,7 @@
 
 <!-- BEGIN 'Service Name'-->
 <form action="muc-service-edit-form.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
 <input type="hidden" name="save" value="true">
 <% if (!create) { %>
 <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">

src/web/muc-sysadmins.jsp

@@ -52,6 +52,19 @@
 
     // Handle a save
     Map<String,String> errors = new HashMap<String,String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (add || delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = false;
+            delete = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     List<JID> allowedJIDs = new ArrayList<JID>();
     try {
     	if (userJID != null && userJID.trim().length() > 0) {
@@ -163,6 +176,7 @@
 
 <!-- BEGIN 'Administrators' -->
 <form action="muc-sysadmins.jsp?add" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.admins.legend" />

src/web/muc-tasks.jsp

@@ -51,6 +51,19 @@
     MultiUserChatService mucService = webManager.getMultiUserChatManager().getMultiUserChatService(mucname);
 
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (kickSettings || logSettings) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            kickSettings = false;
+            logSettings = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     // Handle an update of the kicking task settings
     if (kickSettings) {
         if (!kickEnabled) {
@@ -187,6 +200,7 @@
 
 <!-- BEGIN 'Idle User Settings' -->
 <form action="muc-tasks.jsp?kickSettings" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.user_setting" />
@@ -228,6 +242,7 @@
 
 <!-- BEGIN 'Conversation Logging' -->
 <form action="muc-tasks.jsp?logSettings" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.conversation.logging" />

src/web/offline-messages.jsp

@@ -62,6 +62,18 @@
 
     // Update the session kick policy if requested
     Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if (update) {
         // Validate params
         if (strategy != BOUNCE && strategy != DROP && strategy != STORE) {
@@ -199,6 +211,7 @@
 
 <!-- BEGIN 'Offline Message Policy' -->
 <form action="offline-messages.jsp">
+    <input type="hidden" name="csrf" value="csrf">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="offline.messages.policy" />
 	</div>

src/web/plugin-admin.jsp

@@ -15,6 +15,8 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.container.Plugin,
                  org.jivesoftware.openfire.container.PluginManager,
@@ -50,12 +52,22 @@
     boolean uploadPlugin = request.getParameter("uploadplugin") != null;
     String url = request.getParameter("url");
     Boolean uploadEnabled = JiveGlobals.getBooleanProperty("plugins.upload.enabled", true);
+    boolean csrf_check = true;
 
     final PluginManager pluginManager = webManager.getXMPPServer().getPluginManager();
 
     List<Plugin> plugins = new ArrayList<Plugin>(pluginManager.getPlugins());
 
     UpdateManager updateManager = XMPPServer.getInstance().getUpdateManager();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+        csrf_check = false;
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (plugins != null) {
         Collections.sort(plugins, new Comparator<Plugin>() {
@@ -65,14 +77,14 @@
         });
     }
 
-    if (downloadRequested) {
+    if (csrf_check && downloadRequested) {
         // Download and install new version of plugin
         updateManager.downloadPlugin(url);
         // Log the event
         webManager.logEvent("downloaded plugin from "+url, null);
     }
 
-    if (deletePlugin != null) {
+    if (csrf_check && deletePlugin != null) {
         File pluginDir = pluginManager.getPluginDirectory(pluginManager.getPlugin(deletePlugin));
         File pluginJar = new File(pluginDir.getParent(), pluginDir.getName() + ".jar");
         // Also try the .war extension.
@@ -87,7 +99,7 @@
         return;
     }
 
-    if (reloadPlugin != null) {
+    if (csrf_check && reloadPlugin != null) {
         for (Plugin plugin : plugins) {
             File pluginDir = pluginManager.getPluginDirectory(plugin);
             if (reloadPlugin.equals(pluginDir.getName())) {
@@ -100,7 +112,7 @@
         }
     }
 
-    if (uploadEnabled && uploadPlugin) {
+    if (csrf_check && uploadEnabled && uploadPlugin) {
         Boolean installed = false;
 
         // Create a factory for disk-based file items
@@ -557,7 +569,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
                 ><img src="images/refresh-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="global.refresh" />"></a>
     </td>
     <td width="1%" align="center" valign="top" class="<%= update != null ? "update-right" : "line-bottom-border"%>">
-        <a href="#" onclick="if (confirm('<fmt:message key="plugin.admin.confirm" />')) { location.replace('plugin-admin.jsp?deleteplugin=<%= dirName %>'); } "
+        <a href="#" onclick="if (confirm('<fmt:message key="plugin.admin.confirm" />')) { location.replace('plugin-admin.jsp?csrf=${csrf}&deleteplugin=<%= dirName %>'); } "
            title="<fmt:message key="global.click_delete" />"
                 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="global.delete" />"></a>
     </td>
@@ -570,7 +582,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
     String updateURL = update.getURL();
     if (updateURL.endsWith(".jar") || updateURL.endsWith(".zip") || updateURL.endsWith(".war")) {
         // Change it so that the server downloads and installs the new version of the plugin
-        updateURL = "plugin-admin.jsp?download=true&url=" + updateURL;
+        updateURL = "plugin-admin.jsp?csrf=" + csrfParam + "download=true&url=" + updateURL;
     }
 %>
 <tr id="<%= update.hashCode() %>-row">
@@ -633,6 +645,7 @@ else if ("false".equals(request.getParameter("uploadsuccess"))) { %>
     <h3><fmt:message key="plugin.admin.upload_plugin" /></h3>
     <p><fmt:message key="plugin.admin.upload_plugin.info" /></p>
     <form action="plugin-admin.jsp?uploadplugin" enctype="multipart/form-data" method="post">
+        <input type="hidden" name="csrf" value="csrf">
         <input type="file" name="uploadfile" />
         <input type="submit" value="<fmt:message key="plugin.admin.upload_plugin" />" />
     </form>

src/web/private-data-settings.jsp

@@ -39,6 +39,17 @@
 <%  // Get parameters:
     boolean update = request.getParameter("update") != null;
     boolean privateEnabled = ParamUtils.getBooleanParameter(request,"privateEnabled");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     // Get an audit manager:
     PrivateStorage privateStorage = webManager.getPrivateStore();
@@ -72,6 +83,7 @@
 
 <!-- BEGIN 'Set Private Data Policy' -->
 <form action="private-data-settings.jsp">
+    <input type="hidden" name="csrf" value="csrf">
 	<div class="jive-contentBoxHeader">
 		<fmt:message key="private.data.settings.policy" />
 	</div>

src/web/reg-settings.jsp

@@ -20,6 +20,8 @@
 <%@ page import="org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.handler.IQRegisterHandler,
                  org.jivesoftware.openfire.session.LocalClientSession,
+                 org.jivesoftware.util.CookieUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils"
     errorPage="error.jsp"
 %>
@@ -51,6 +53,17 @@
     String blockedIPs = request.getParameter("blockedIPs");
     // Get an IQRegisterHandler:
     IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     if (save) {
         regHandler.setInbandRegEnabled(inbandEnabled);
@@ -138,6 +151,7 @@
 </p>
 
 <form action="reg-settings.jsp">
+    <input type="hidden" name="csrf" value="csrf">
 
 <% if (save) { %>
 

src/web/security-certificate-store-management.jsp

@@ -7,6 +7,9 @@
 <%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreConfiguration" %>
 <%@ page import="java.io.File" %>
 <%@ page import="org.jivesoftware.util.Log" %>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -23,7 +26,19 @@
     pageContext.setAttribute( "connectionTypes", ConnectionType.values() );
     pageContext.setAttribute( "certificateStoreManager", certificateStoreManager );
 
-    final boolean update = request.getParameter("update") != null;
+    boolean update = request.getParameter("update") != null;
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (update) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            update = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
     if ( update ) {
         ConnectionType connectionType = null;
         try {
@@ -130,6 +145,7 @@
     </c:set>
 
     <form action="security-certificate-store-management.jsp" method="post">
+        <input type="hidden" name="csrf" value="csrf">
         <input type="hidden" name="connectionType" value="${connectionType}"/>
 
         <admin:contentBox title="${title}">

src/web/security-keystore-signing-request.jsp

@@ -11,6 +11,7 @@
 <%@page import="org.bouncycastle.asn1.x509.Extension"%>
 <%@page import="org.bouncycastle.asn1.x500.X500NameBuilder"%>
 <%@page import="org.jivesoftware.util.CertificateManager"%>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
 <%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.util.HashMap" %>
@@ -27,7 +28,7 @@
     String domain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
 
      // Get parameters:
-    final boolean save              = ParamUtils.getParameter(request, "save") != null;
+    boolean save              = ParamUtils.getParameter(request, "save") != null;
     final String name               = domain;
     final String organizationalUnit = ParamUtils.getParameter(request, "ou");
     final String organization       = ParamUtils.getParameter(request, "o");
@@ -37,6 +38,18 @@
     final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<String, String>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (save) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            save = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType = null;
     IdentityStore identityStore = null;
@@ -160,6 +173,7 @@
 
 <!-- BEGIN 'Issuer information form' -->
 <form action="security-keystore-signing-request.jsp" method="post">
+    <input type="hidden" name="csrf" value="csrf">
     <input type="hidden" name="save" value="true">
     <input type="hidden" name="connectionType" value="${connectionType}">
     <div class="jive-contentBoxHeader">

src/web/security-keystore.jsp

@@ -2,6 +2,8 @@
 <%@page import="java.util.LinkedHashMap"%>
 <%@page import="java.security.PrivateKey"%>
 <%@page import="org.jivesoftware.util.CertificateManager"%>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page errorPage="error.jsp" %>
 
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
@@ -25,13 +27,27 @@
 <% webManager.init(request, response, session, application, out); %>
 
 <% // Get parameters:
-    final boolean generate          = ParamUtils.getBooleanParameter(request, "generate");
-    final boolean delete            = ParamUtils.getBooleanParameter(request, "delete");
-    final boolean importReply       = ParamUtils.getBooleanParameter(request, "importReply");
+    boolean generate          = ParamUtils.getBooleanParameter(request, "generate");
+    boolean delete            = ParamUtils.getBooleanParameter(request, "delete");
+    boolean importReply       = ParamUtils.getBooleanParameter(request, "importReply");
     final String alias              = ParamUtils.getParameter( request, "alias" );
     final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (generate | delete | importReply) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            generate = false;
+            delete = false;
+            importReply = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType = null;
     IdentityStore identityStore = null;
@@ -174,7 +190,7 @@
         <c:if test="${not validDSACert or not validRSACert}">
             <admin:infobox type="warning">
                 <fmt:message key="ssl.certificates.keystore.no_installed">
-                    <fmt:param value="<a href='security-keystore.jsp?generate=true&connectionType=${connectionType}'>"/>
+                    <fmt:param value="<a href='security-keystore.jsp?csrf=${csrf}&generate=true&connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
                     <fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
@@ -305,7 +321,7 @@
                                     <c:out value="${certificate.publicKey.algorithm}"/>
                                 </td>
                                 <td width="1" align="center">
-                                    <a href="security-keystore.jsp?alias=${alias}&connectionType=${connectionType}&delete=true"
+                                    <a href="security-keystore.jsp?csrf=${csrf}&alias=${alias}&connectionType=${connectionType}&delete=true"
                                        title="<fmt:message key="global.click_delete"/>"
                                        onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                             ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -314,6 +330,7 @@
 
                             <% if (isSigningPending) { %>
                             <form action="security-keystore.jsp?connectionType=${connectionType}" method="post">
+                                <input type="hidden" name="csrf" value="csrf">
                                 <input type="hidden" name="importReply" value="true">
                                 <input type="hidden" name="alias" value="${alias}">
                                 <tr>

src/web/security-truststore.jsp

 <%@ page errorPage="error.jsp"%>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
-<%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.CookieUtils" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.util.Collections" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
@@ -17,12 +19,24 @@
 <jsp:useBean id="now" class="java.util.Date"/>
 <%  webManager.init(request, response, session, application, out );
 
-    final boolean delete          = ParamUtils.getBooleanParameter( request, "delete" );
+    boolean delete          = ParamUtils.getBooleanParameter( request, "delete" );
     final String alias            = ParamUtils.getParameter( request, "alias" );
 
     final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<>();
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
+
+    if (delete) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            delete = false;
+            errors.put("csrf", "CSRF Failure!");
+        }
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
     ConnectionType connectionType = null;
     TrustStore trustStore = null;
@@ -207,7 +221,7 @@
                                         <c:out value="${certificate.publicKey.algorithm}"/>
                                     </td>
                                     <td width="1" align="center">
-                                        <a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true"
+                                        <a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true&csrf=csrf"
                                            title="<fmt:message key="global.click_delete"/>"
                                            onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                                 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>