Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r8da0b0783bbfac4bb1fed3a5a5811c2f418fcae7 -r2eb3170d6501ff5206577dcaa8881209033c1f49
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 8da0b0783bbfac4bb1fed3a5a5811c2f418fcae7)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 2eb3170d6501ff5206577dcaa8881209033c1f49)
@@ -7,6 +7,7 @@
 # Each key goes into a separate line prefixed with org.owasp.csrfguard.protected.
 # A key suffix must not contain a dot "." character
 org.owasp.csrfguard.protected.centralSaveUserProfile=/lams/saveprofile.do
+org.owasp.csrfguard.protected.forumAuthoringSave=/lams/tool/lafrum11/authoring/update.do
 
 # Actions to take when a CSRF attack is attempted
 org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
Index: lams_tool_forum/src/java/org/lamsfoundation/lams/tool/forum/web/controller/AuthoringController.java
===================================================================
diff -u -rb71c9cb2f96eb891545d32aaca8904051d1e00d5 -r2eb3170d6501ff5206577dcaa8881209033c1f49
--- lams_tool_forum/src/java/org/lamsfoundation/lams/tool/forum/web/controller/AuthoringController.java	(.../AuthoringController.java)	(revision b71c9cb2f96eb891545d32aaca8904051d1e00d5)
+++ lams_tool_forum/src/java/org/lamsfoundation/lams/tool/forum/web/controller/AuthoringController.java	(.../AuthoringController.java)	(revision 2eb3170d6501ff5206577dcaa8881209033c1f49)
@@ -76,6 +76,7 @@
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.multipart.MultipartFile;
 
 /**
@@ -112,7 +113,7 @@
 
 	// update define later flag to true
 	request.setAttribute(AttributeNames.ATTR_MODE, ToolAccessMode.TEACHER);
-	    
+
 	Long contentId = new Long(WebUtil.readLongParam(request, AttributeNames.PARAM_TOOL_CONTENT_ID));
 	Forum forum = forumService.getForumByContentId(contentId);
 
@@ -126,7 +127,7 @@
 
 	return readDatabaseData(forumForm, request);
     }
-    
+
     /**
      * Common method for "start" and "defineLater"
      */
@@ -227,10 +228,9 @@
      * <li>Author user information</li>
      * </ol>
      */
-    @RequestMapping("/update")
+    @RequestMapping(path = "/update", method = RequestMethod.POST)
     public String updateContent(@ModelAttribute ForumForm forumForm, HttpServletRequest request)
 	    throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
-
 	ToolAccessMode mode = WebUtil.readToolAccessModeAuthorDefaulted(request);
 	request.setAttribute(AttributeNames.ATTR_MODE, mode.toString());
 
@@ -420,7 +420,7 @@
 	Set<Attachment> attSet = null;
 	if (messageForm.getAttachmentFile() != null
 		&& !StringUtils.isEmpty(messageForm.getAttachmentFile().getOriginalFilename())) {
-	    attSet = setupAttachmentSet(messageForm.getAttachmentFile(),  message);
+	    attSet = setupAttachmentSet(messageForm.getAttachmentFile(), message);
 	}
 	message.setAttachments(attSet);
 
@@ -577,7 +577,7 @@
     /* only allow one attachment, so replace whatever */
     private Set<Attachment> setupAttachmentSet(MultipartFile attachmentFile, Message msg) {
 	Attachment att = forumService.uploadAttachment(attachmentFile);
-	Set<Attachment> attSet = new HashSet<Attachment>();
+	Set<Attachment> attSet = new HashSet<>();
 	attSet.add(att);
 	att.setMessage(msg);
 	return attSet;
Index: lams_tool_forum/web/WEB-INF/tlds/security/csrfguard.tld
===================================================================
diff -u
--- lams_tool_forum/web/WEB-INF/tlds/security/csrfguard.tld	(revision 0)
+++ lams_tool_forum/web/WEB-INF/tlds/security/csrfguard.tld	(revision 2eb3170d6501ff5206577dcaa8881209033c1f49)
@@ -0,0 +1,70 @@
+<?xml version="1.0"?>
+<!--
+The OWASP CSRFGuard Project, BSD License
+Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of OWASP nor the names of its contributors may be used
+   to endorse or promote products derived from this software without specific
+   prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ -->
+<taglib xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd" version="2.0">
+	<tlib-version>1.2</tlib-version>
+	<jsp-version>2.0</jsp-version>
+	<short-name>Owasp CsrfGuard Tag Library</short-name>
+	<uri>http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld</uri>
+	<tag>
+		<name>token</name>
+		<tag-class>org.owasp.csrfguard.tag.TokenTag</tag-class>
+		<body-content>empty</body-content>
+		<attribute>
+			<name>uri</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+		</attribute>
+	</tag>
+	<tag>
+		<name>tokenname</name>
+		<tag-class>org.owasp.csrfguard.tag.TokenNameTag</tag-class>
+		<body-content>empty</body-content>
+	</tag>
+	<tag>
+		<name>tokenvalue</name>
+		<tag-class>org.owasp.csrfguard.tag.TokenValueTag</tag-class>
+		<body-content>empty</body-content>
+		<attribute>
+			<name>uri</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+		</attribute>
+	</tag>
+	<tag>
+		<name>a</name>
+		<tag-class>org.owasp.csrfguard.tag.ATag</tag-class>
+		<dynamic-attributes>true</dynamic-attributes>
+	</tag>
+	<tag>
+		<name>form</name>
+		<tag-class>org.owasp.csrfguard.tag.FormTag</tag-class>
+		<dynamic-attributes>true</dynamic-attributes>
+	</tag>
+</taglib>
Index: lams_tool_forum/web/WEB-INF/web.xml
===================================================================
diff -u -rb935721d25817b83c29d3166a7fa9b4b9b7d3785 -r2eb3170d6501ff5206577dcaa8881209033c1f49
--- lams_tool_forum/web/WEB-INF/web.xml	(.../web.xml)	(revision b935721d25817b83c29d3166a7fa9b4b9b7d3785)
+++ lams_tool_forum/web/WEB-INF/web.xml	(.../web.xml)	(revision 2eb3170d6501ff5206577dcaa8881209033c1f49)
@@ -23,7 +23,7 @@
 		<param-name>parentContextKey</param-name>
 		<param-value>context.central</param-value>
 	</context-param>
-
+    
 	<filter>
 		<filter-name>hibernateFilter</filter-name>
 		<filter-class>
@@ -51,7 +51,11 @@
 			<param-value>UTF-8</param-value>
 		</init-param>
 	</filter>
-
+	<filter>
+		<filter-name>CSRFGuard</filter-name>
+		<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
+	</filter>
+	
 	<filter-mapping>
 		<filter-name>hibernateFilter</filter-name>
 		<url-pattern>/*</url-pattern>
@@ -64,7 +68,11 @@
 		<filter-name>LocaleFilter</filter-name>
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
-
+	<filter-mapping>
+		<filter-name>CSRFGuard</filter-name> 
+		<url-pattern>*.do</url-pattern>
+	</filter-mapping>
+	
 	<servlet>
 		<servlet-name>spring</servlet-name>
 		<servlet-class>
@@ -78,7 +86,7 @@
 			org.springframework.web.context.ContextLoaderListener
 		</listener-class>
 	</listener>
-
+    
 	<servlet>
 		<servlet-name>Connector</servlet-name>
 		<servlet-class>net.fckeditor.connector.ConnectorServlet</servlet-class>
@@ -173,7 +181,14 @@
 			<taglib-uri>tags-lams</taglib-uri>
 			<taglib-location>/WEB-INF/tlds/lams/lams.tld</taglib-location>
 		</taglib>
-
+		<!-- ======================================================== -->
+		<!-- CSRF Guard Tag Library -->
+		<!-- ======================================================== -->
+		<taglib>
+			<taglib-uri>csrfguard</taglib-uri>
+			<taglib-location>/WEB-INF/tlds/security/csrfguard.tld</taglib-location>
+		</taglib>
+		
 	</jsp-config>
 
 	<!-- Security Constraint -->
Index: lams_tool_forum/web/common/taglibs.jsp
===================================================================
diff -u -re062c5aeec4bd7e7f970ae5e907e8a7e59edaeaf -r2eb3170d6501ff5206577dcaa8881209033c1f49
--- lams_tool_forum/web/common/taglibs.jsp	(.../taglibs.jsp)	(revision e062c5aeec4bd7e7f970ae5e907e8a7e59edaeaf)
+++ lams_tool_forum/web/common/taglibs.jsp	(.../taglibs.jsp)	(revision 2eb3170d6501ff5206577dcaa8881209033c1f49)
@@ -5,4 +5,5 @@
 <%@ taglib uri="tags-xml" prefix="x" %>
 <%@ taglib uri="tags-lams" prefix="lams" %>
 
- <%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %> 
+<%@ taglib uri="csrfguard" prefix="csrf" %> 
+<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %> 
Index: lams_tool_forum/web/jsps/authoring/authoring.jsp
===================================================================
diff -u -rb71c9cb2f96eb891545d32aaca8904051d1e00d5 -r2eb3170d6501ff5206577dcaa8881209033c1f49
--- lams_tool_forum/web/jsps/authoring/authoring.jsp	(.../authoring.jsp)	(revision b71c9cb2f96eb891545d32aaca8904051d1e00d5)
+++ lams_tool_forum/web/jsps/authoring/authoring.jsp	(.../authoring.jsp)	(revision 2eb3170d6501ff5206577dcaa8881209033c1f49)
@@ -36,8 +36,8 @@
 
 	<body class="stripes" onLoad="init()">
 	
-		<form:form action="update.do" method="post" id="forumForm" modelAttribute="forumForm" enctype="multipart/form-data">
-
+		<c:set var="csrfToken"><csrf:token/></c:set>
+		<form:form action="update.do?${csrfToken}" method="post" id="forumForm" modelAttribute="forumForm" enctype="multipart/form-data">
 			<form:hidden path="toolContentID" />
 			<form:hidden path="sessionMapID" />
 			<form:hidden path="contentFolderID" />