Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgSaveController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgSaveController.java	(.../OrgSaveController.java)	(revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgSaveController.java	(.../OrgSaveController.java)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -51,6 +51,7 @@
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 /**
  * @author <a href="mailto:fyang@melcoe.mq.edu.au">Fei Yang</a>
@@ -69,7 +70,7 @@
     @Qualifier("adminMessageService")
     private MessageService messageService;
 
-    @RequestMapping(path = "/orgsave")
+    @RequestMapping(path = "/orgsave", method = RequestMethod.POST)
     public String execute(@ModelAttribute OrganisationForm organisationForm, BindingResult bindingResult,
 	    HttpServletRequest request, HttpServletResponse response) throws Exception {
 
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrganisationController.java
===================================================================
diff -u -r1ba40605c8e5fff683288c9c72f5ab2a981ba98a -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrganisationController.java	(.../OrganisationController.java)	(revision 1ba40605c8e5fff683288c9c72f5ab2a981ba98a)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrganisationController.java	(.../OrganisationController.java)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -231,4 +231,4 @@
 	    status = userManagementService.findAll(OrganisationState.class);
 	}
     }
-}
\ No newline at end of file
+}
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java
===================================================================
diff -u -r002370657c7bc0bf87eef9c223e1778f74483413 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java	(.../UserController.java)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java	(.../UserController.java)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -70,7 +70,7 @@
  * @author Jun-Dir Liew
  */
 @Controller
-@RequestMapping(path = "/user", method = RequestMethod.POST)
+@RequestMapping(path = "/user")
 public class UserController {
     private static Logger log = Logger.getLogger(UserController.class);
 
@@ -89,7 +89,7 @@
     private static List<SupportedLocale> locales;
     private static List<AuthenticationMethod> authenticationMethods;
 
-    @RequestMapping(path = "/edit", method = RequestMethod.POST)
+    @RequestMapping(path = "/edit")
     public String edit(@ModelAttribute UserForm userForm, HttpServletRequest request) throws Exception {
 	if (locales == null) {
 	    locales = userManagementService.findAll(SupportedLocale.class);
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java
===================================================================
diff -u -r29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java	(.../UserOrgSaveController.java)	(revision 29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java	(.../UserOrgSaveController.java)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -47,6 +47,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 /**
  * @author Jun-Dir Liew
@@ -59,7 +60,7 @@
     private IUserManagementService userManagementService;
     private List<Role> rolelist;
 
-    @RequestMapping(path = "/userorgsave")
+    @RequestMapping(path = "/userorgsave", method = RequestMethod.POST)
     public String execute(@ModelAttribute UserOrgForm userOrgForm, HttpServletRequest request,
 	    HttpServletResponse response) throws Exception {
 
Index: lams_admin/web/config/editconfig.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/config/editconfig.jsp	(.../editconfig.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/config/editconfig.jsp	(.../editconfig.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -27,8 +27,8 @@
 				<c:out value="${error}" />
 			</lams:Alert>
 		</c:if>
-		<c:set var="csrfToken"><csrf:token/></c:set>
 		<form:form action="config/save.do?${csrfToken}" modelAttribute="configForm" id="configForm" method="post">
+			<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				
 			<c:forEach items="${config}" var="group">
 				<div class="panel panel-default">
Index: lams_admin/web/integration/ltiConsumer.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/integration/ltiConsumer.jsp	(.../ltiConsumer.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/integration/ltiConsumer.jsp	(.../ltiConsumer.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -53,8 +53,8 @@
 		</p>
 					
 		<lams:errors path="*"/>
-	<c:set var="csrfToken"><csrf:token/></c:set>			
 		<form:form action="save.do?${csrfToken}" id="ltiConsumerForm" modelAttribute="ltiConsumerForm" method="post">
+			<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 			<form:hidden path="sid" />
 						
 			<table class="table table-no-border">
Index: lams_admin/web/integration/serverlist.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/integration/serverlist.jsp	(.../serverlist.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/integration/serverlist.jsp	(.../serverlist.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -14,7 +14,6 @@
 </lams:head>
     
 <body class="stripes">
-    <c:set var="csrfToken"><csrf:token/></c:set>
 	<lams:Page type="admin" title="${title}">
 		<p>
 			<a href="<lams:LAMSURL/>admin/sysadminstart.do" class="btn btn-default"><fmt:message key="sysadmin.maintain" /></a>
Index: lams_admin/web/integration/servermaintain.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/integration/servermaintain.jsp	(.../servermaintain.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/integration/servermaintain.jsp	(.../servermaintain.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -71,8 +71,8 @@
 	</p>
 	
 	<lams:errors/>
-    <c:set var="csrfToken"><csrf:token/></c:set>
     <form:form action="serversave.do?${csrfToken}" id="extServerForm" modelAttribute="extServerForm" method="post">
+		<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 		<form:hidden path="sid" />
 		
 		<div class="form-group">
Index: lams_admin/web/loginmaintain.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/loginmaintain.jsp	(.../loginmaintain.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/loginmaintain.jsp	(.../loginmaintain.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -21,8 +21,8 @@
 				<fmt:message key="sysadmin.maintain" />
 			</a>
 		</p>
-	<c:set var="csrfToken"><csrf:token/></c:set>	
 		<form:form action="./loginsave.do?${csrfToken}" modelAttribute="loginMaintainForm" id="loginMaintainForm" enctype="multipart/form-data" method="post">
+			<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 			<c:set var="language"><lams:user property="localeLanguage"/></c:set>
 			<p class="help-block"><fmt:message key="sysadmin.login.text"/></p>
 			
Index: lams_admin/web/orgPasswordChange.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/orgPasswordChange.jsp	(.../orgPasswordChange.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/orgPasswordChange.jsp	(.../orgPasswordChange.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -378,6 +378,7 @@
 					</lams:Alert>
 					
 					<form:form action="changePassword.do" modelAttribute="orgPasswordChangeForm" id="orgPasswordChangeForm" method="post">
+						<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 						<form:hidden path="organisationID" />
 						<form:hidden path="orgName" />
 						<form:hidden path="includedLearners" id="includedLearners" />
Index: lams_admin/web/organisation/cloneStart.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/organisation/cloneStart.jsp	(.../cloneStart.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/organisation/cloneStart.jsp	(.../cloneStart.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -185,6 +185,7 @@
 			
 			
 			<form name="cloneForm" id="cloneForm" action="start.do" method="post">
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<input type="hidden" name="method" value="clone">
 				<input type="hidden" name="groupId" value="<c:out value="${org.organisationId}" />">
 				<input type="hidden" name="lessons">
Index: lams_admin/web/organisation/createOrEdit.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/organisation/createOrEdit.jsp	(.../createOrEdit.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/organisation/createOrEdit.jsp	(.../createOrEdit.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -38,6 +38,7 @@
 <body class="stripes">
 	<lams:Page type="admin" title="${title}" formID="organisationForm">
 		<form:form action="../orgsave.do" method="post" modelAttribute="organisationForm" id="organisationForm" onsubmit="return warnIfRemoved()">
+			    <input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="orgId" />
 				<form:hidden path="parentId" />
 				<form:hidden path="typeId" />
Index: lams_admin/web/organisation/deleteAllLessons.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/organisation/deleteAllLessons.jsp	(.../deleteAllLessons.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/organisation/deleteAllLessons.jsp	(.../deleteAllLessons.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -49,7 +49,8 @@
 			'url'     : '<lams:LAMSURL/>admin/organisation/deleteAllLessons.do',
 			'data'    : {
 				'limit'  : 5,
-				'orgId'  : ${param.orgId}
+				'orgId'  : ${param.orgId},
+				"<csrf:tokenname/>":"<csrf:tokenvalue/>"
 			},
 			'success' : function(response){
 				try {
Index: lams_admin/web/organisation/list.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/organisation/list.jsp	(.../list.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/organisation/list.jsp	(.../list.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -81,7 +81,7 @@
 								rows += '</td>';
 								
 								rows += '<td>';
-								rows += 	'<a id="' + orgData["id"] + '" href="orgmanage.do?org=' + orgData["id"] + '">';
+								rows += 	'<a id="' + orgData["id"] + '" href="orgmanage.do?<csrf:token/>&org=' + orgData["id"] + '">';
 								rows += 		orgData["name"];
 								rows += 	'</a>';
 								rows += '</td>';
@@ -171,7 +171,7 @@
 								<a href="usermanage.do?org=<c:out value="${orgManageForm.parentId}"/>" id="manageUsers" class="btn btn-default"><i class="fa fa-users"></i> <span class="hidden-xs"><fmt:message key="admin.user.manage" /></span></a>
 								
 								<c:if test="${pageContext.request.isUserInRole('SYSADMIN')}">
-									<a href="clone/start.do?groupId=<c:out value="${orgManageForm.parentId}"/>" class="btn btn-default"><i class="fa fa-clone"></i><span class="hidden-xs"> <fmt:message key="title.clone.lessons" /></span></a>
+								<a href="clone/start.do?groupId=<c:out value="${orgManageForm.parentId}"/>" class="btn btn-default"><i class="fa fa-clone"></i><span class="hidden-xs"> <fmt:message key="title.clone.lessons" /></span></a>
 									<a href="organisation/deleteAllLessonsInit.do?orgId=<c:out value="${orgManageForm.parentId}"/>" class="btn btn-default"><i class="fa fa-bomb"></i><span class="hidden-xs"> <fmt:message key="admin.delete.lessons" /></span></a>
 								</c:if>
 							</div>
@@ -253,7 +253,7 @@
 								</c:if>
 								<input class="btn btn-default" type="button" value="<fmt:message key="admin.user.manage" />" onclick=javascript:document.location='usermanage.do?org=<c:out value="${orgManageForm.parentId}"/>' />
 								<c:if test="${pageContext.request.isUserInRole('SYSADMIN')}">
-										<input class="btn btn-default" type="button" value="<fmt:message key="title.clone.lessons" />" onclick="javascript:document.location='clone/start.do?groupId=<c:out value="${orgManageForm.parentId}"/>';">
+								<input class="btn btn-default" type="button" value="<fmt:message key="title.clone.lessons" />" onclick="javascript:document.location='clone/start.do?groupId=<c:out value="${orgManageForm.parentId}"/>';">
 										<a href="organisation/deleteAllLessonsInit.do?orgId=<c:out value="${orgManageForm.parentId}"/>" class="btn btn-default"><i class="fa fa-bomb"></i><span class="hidden-xs"> <fmt:message key="admin.delete.lessons" /></span></a>
 								</c:if>
 						</div>
@@ -322,4 +322,4 @@
 		</c:if>
 	</lams:Page>
 </body>
-</lams:html>
\ No newline at end of file
+</lams:html>
Index: lams_admin/web/policies/editPolicy.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/policies/editPolicy.jsp	(.../editPolicy.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/policies/editPolicy.jsp	(.../editPolicy.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -70,8 +70,8 @@
 				<fmt:message key="admin.policies.title" />
 			</a>
 		</div>
-	<c:set var="csrfToken"><csrf:token/></c:set>	
     <form:form action="../policyManagement/save.do?${csrfToken}" modelAttribute="policyForm" id="policy-form" cssClass="voffset20" method="post">
+		<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 			<form:hidden path="policyUid" />
 			<form:hidden path="policyId" />
 			<table class="table table-condensed table-no-border">
Index: lams_admin/web/signupmanagement/add.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/signupmanagement/add.jsp	(.../add.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/signupmanagement/add.jsp	(.../add.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -20,8 +20,8 @@
 			<a href="<lams:LAMSURL/>admin/sysadminstart.do" class="btn btn-default"><fmt:message key="sysadmin.maintain" /></a>
 			<a href="<lams:LAMSURL/>admin/signupManagement/start.do" class="btn btn-default loffset5"><fmt:message key="admin.signup.title" /></a>
 		</div>
-		<c:set var="csrfToken"><csrf:token/></c:set>	
 		<form:form action="add.do?${csrfToken}" modelAttribute="signupForm" id="signupForm" method="post">
+			<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="signupOrganisationId" />
 				
 				<table class="table table-condensed table-no-border">
Index: lams_admin/web/themeManagement.jsp
===================================================================
diff -u -r2c2a416960cfa22ad1882d9ef21d3f932efc26d2 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/themeManagement.jsp	(.../themeManagement.jsp)	(revision 2c2a416960cfa22ad1882d9ef21d3f932efc26d2)
+++ lams_admin/web/themeManagement.jsp	(.../themeManagement.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -149,8 +149,8 @@
 				</div>
 				
 				<div class="panel-body">
-				<c:set var="csrfToken"><csrf:token/></c:set>
 				<form:form action="addOrEditTheme.do?${csrfToken}" method="post" modelAttribute="themeForm" id="themeForm">	
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="id" id="id" />
 				
 				<table class="table table-no-border" >
Index: lams_admin/web/timezoneManagement.jsp
===================================================================
diff -u -r1840d1ada2e0a7dc494e83ed0c183f6c98b6da92 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/timezoneManagement.jsp	(.../timezoneManagement.jsp)	(revision 1840d1ada2e0a7dc494e83ed0c183f6c98b6da92)
+++ lams_admin/web/timezoneManagement.jsp	(.../timezoneManagement.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -49,8 +49,8 @@
 			</fmt:message>
 			
 			<lams:errors/>
-		<c:set var="csrfToken"><csrf:token/></c:set>	
         <form:form action="save.do?${csrfToken}" id="timezoneForm" modelAttribute="timezoneForm" method="post">
+			<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				
 				<table class="table table-striped table-condensed">
 					<tr>
Index: lams_admin/web/user.jsp
===================================================================
diff -u -r002370657c7bc0bf87eef9c223e1778f74483413 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/user.jsp	(.../user.jsp)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
+++ lams_admin/web/user.jsp	(.../user.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -163,8 +163,8 @@
 <body class="stripes">
 	<c:set var="title">${title}: <fmt:message key="admin.user.edit"/></c:set>
 	<lams:Page type="admin" title="${title}" formID="userForm">
-	<c:set var="csrfToken"><csrf:token/></c:set>
-	<form:form id="userForm" action="../usersave/saveUserDetails.do?${csrfToken}" modelAttribute="userForm" method="post">
+	<form:form id="userForm" action="../usersave/saveUserDetails.do" modelAttribute="userForm" method="post">
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="orgId" />
 				<form:hidden path="userId" />
 
Index: lams_admin/web/userChangePass.jsp
===================================================================
diff -u -r24ebb6c91f49a10f1e5718036b3a3c1a80c3314f -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/userChangePass.jsp	(.../userChangePass.jsp)	(revision 24ebb6c91f49a10f1e5718036b3a3c1a80c3314f)
+++ lams_admin/web/userChangePass.jsp	(.../userChangePass.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -86,6 +86,7 @@
 
 <body class="stripes">
 	<form id="userForm" modelAttribute="userForm" action="usersave/changePass.do" method="post">
+		<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 		<input type="hidden" name="userId" value="${param.userId}" />
 		<div class="panel panel-default">
 			<div
@@ -160,4 +161,4 @@
 			</div>
 		</div>
 	</form>
-</body>
\ No newline at end of file
+</body>
Index: lams_admin/web/userorg.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/userorg.jsp	(.../userorg.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/userorg.jsp	(.../userorg.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -36,7 +36,8 @@
 		jQuery(document).ready(function() {
 			jQuery("div#existing").load(
 				"user/basiclist.do", 
-				{orgId: <c:out value="${userOrgForm.orgId}"/>},
+				{orgId: <c:out value="${userOrgForm.orgId}"/>,
+				"<csrf:tokenname/>":"<csrf:tokenvalue/>"},
 				function() {
 					updateExistingTotal();
 					jQuery("li", this).each(function() {
@@ -87,6 +88,7 @@
 				jQuery("div#potential").load(
 					"user/basiclist.do",
 					{orgId: <c:out value="${userOrgForm.orgId}"/>,
+					"<csrf:tokenname/>":"<csrf:tokenvalue/>",
 					potential: potential}, 
 					function() {
 						loadSearchResultsCallback(potential);
@@ -96,6 +98,7 @@
 				jQuery("div#potential").load(
 					"user/searchsingle.do",
 					{term: jQuery("#term").val(),
+					"<csrf:tokenname/>":"<csrf:tokenvalue/>",
 					orgId: <c:out value="${userOrgForm.orgId}"/>}, 
 					function() {
 						loadSearchResultsCallback(potential);
@@ -205,6 +208,7 @@
 				
 				<div id="form" class="pull-right">
 					<form:form action="./userorgsave.do" modelAttribute="userOrgForm" id="userOrgForm" method="post">
+						<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 						<form:hidden path="orgId" />
 						<a href="<lams:LAMSURL/>admin/orgmanage.do?org=1" class="btn btn-default"><fmt:message key="admin.cancel"/></a>
 						<input type="submit" id="nextButton" class="btn btn-primary loffset5" onclick="return populateForm();" value="<fmt:message key="label.next"/>" />
Index: lams_admin/web/userorgrole.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/userorgrole.jsp	(.../userorgrole.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/userorgrole.jsp	(.../userorgrole.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -43,6 +43,7 @@
 		<p><fmt:message key="msg.roles.mandatory.users"/></p>
 		
 		<form:form action="userorgrolesave.do" modelAttribute="userOrgRoleForm" id="userOrgRoleForm" method="post">
+		<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 		<form:hidden path="orgId" />
 		
 		<table class="table table-condensed table-striped table-hover">
Index: lams_admin/web/userrole.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_admin/web/userrole.jsp	(.../userrole.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/userrole.jsp	(.../userrole.jsp)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -18,6 +18,7 @@
 	<lams:Page type="admin" title="${title}" formID="userRolesForm">
 	
 		<form:form action="/lams/admin/userrolessave.do" modelAttribute="userRolesForm" id="userRolesForm" method="post">
+		<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 		<form:hidden path="orgId" />
 		<form:hidden path="userId" />
 		
Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -rae4e7fd3d6b21cb7f41a733565442950cdd9d232 -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision ae4e7fd3d6b21cb7f41a733565442950cdd9d232)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
@@ -33,7 +33,21 @@
 org.owasp.csrfguard.protected.adminUserDelete=/lams/admin/user/delete.do
 org.owasp.csrfguard.protected.adminUserSaveDetails=/lams/admin/usersave/saveUserDetails.do
 org.owasp.csrfguard.protected.adminClearnupPreviewLessons=/lams/admin/cleanupPreviewLessons/delete.do
+org.owasp.csrfguard.protected.adminOrgSave=/lams/admin/orgsave.do
 
+org.owasp.csrfguard.protected.adminOrgChangePassword=/lams/admin/orgPasswordChange/start.do
+org.owasp.csrfguard.protected.adminChangePasswordAction=/lams/admin/changePassword.do
+org.owasp.csrfguard.protected.adminOrgChangePasswordAction=/lams/admin/orgPasswordChange/changePassword.do
+org.owasp.csrfguard.protected.adminAssignRoles=/lams/admin/userroles.do
+org.owasp.csrfguard.protected.adminUserRolesSave=/lams/admin/userrolessave.do
+org.owasp.csrfguard.protected.adminUserOrgSave=/lams/admin/userorgsave.do
+org.owasp.csrfguard.protected.adminUserOrgRoleSave=/lams/admin/userorgrolesave.do
+org.owasp.csrfguard.protected.adminUserSearchSingle=/lams/admin/user/searchsingle.do
+org.owasp.csrfguard.protected.adminUserBasicList=/lams/admin/user/basiclist.do
+org.owasp.csrfguard.protected.adminOrgLessonClone=/lams/admin/clone/start.do
+org.owasp.csrfguard.protected.adminLessonsDelete=/lams/admin/organisation/deleteAllLessons.do
+
+
 org.owasp.csrfguard.protected.centralSaveUserProfile=/lams/saveprofile.do
 org.owasp.csrfguard.protected.centralOutcomeSave=/lams/outcome/outcomeSave.do
 org.owasp.csrfguard.protected.centralOutcomeRemove=/lams/outcome/outcomeRemove.do