request and set the csrf header protection added to brooklyn server

[ahgittin]

Minor tweaks to opt-in to CSRF protection in Brooklyn UI

NB requires apache/brooklyn-server#430
(actually it will work fine without that, but it will be no-op)

[geomacy]

+1 looks good to me to the best of my knowledge. See comment on apache/brooklyn-server#430.

[bostko]

@ahgittin this breaks logout button :(

[ahgittin]

@bostko oh no - pretty sure i tried that but will check

[geomacy]

I didn't check it unfortunately - tried other things but don't normally hit the logout button.

[bostko]

Sorry for disturbing you I think I am wrong that this exactly broke it.
Please accept that as a reminder to test logout.
Logout htaccess can be broken in numerous ways...

[ahgittin]

@bostko what is the problem you're encountering?

i've just tested, running BrooklynJavascriptGuiLauncher with this in my brooklyn.properties:

brooklyn.webconsole.security.users=admin
brooklyn.webconsole.security.user.admin.password=nimda
brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.ExplicitUsersSecurityProvider

logout seems to work fine in every permutation i've tried. note there were some changes to LogoutResource in apache/brooklyn-server#430 -- i did my testing with them ... they're now in master so shouldn't the issue but might be?

[ahgittin]

i see, the problem is the swagger page, @bostko you're addressing in #36 -- commented there

(in general logout is working okay and this PR we think is fine)