Darshit Patoliya created WICKET-6466:
----------------------------------------
Summary: CSRF Prevention Configurations
Key: WICKET-6466
URL: https://issues.apache.org/jira/browse/WICKET-6466
Project: Wicket
Issue Type: Improvement
Reporter: Darshit Patoliya
Hi,
I have used OpenMeetings in my application and am running it on the http protocol
behind an nginx proxy, while my application is running on the https protocol.
When I try to open the OpenMeetings login page it raises a 400 error for the
following requests.
{panel:title=Browser Network Tab}
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.0-&_=1504614984218&
{panel}
The following error is logged in red5.log:
{panel:title=red5.log}
2017-09-11 18:10:47,820 [http-nio-0.0.0.0-5080-exec-2] INFO
o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request
URL:
http://xxx.com/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage,
Origin: https://xxx.com, action: aborted with error 400 Origin does not
correspond to request
{panel}
As per my limited knowledge and checking into the code of Wicket, I think it
is raised because of a protocol mismatch between the origin and the request.
Are there any configurations available in the code of Wicket to handle this scenario?
FYI: these are my nginx settings for OpenMeetings, in case I have missed something.
{code}
location /om/ {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass_header X-CSRFToken;
    proxy_pass http://127.0.0.1:5080/om/;
    proxy_redirect default;
}
location /om/public/ {
    alias /opt/om330/webapps/om/public/;
}
location /om/css/ {
    alias /opt/om330/webapps/om/css/;
}
location /om/images/ {
    alias /opt/om330/webapps/om/images/;
}
location /om/js/ {
    alias /opt/om330/webapps/om/js/;
}
{code}
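An added model of the check behind the log line above, written for this report and not taken from Wicket or OpenMeetings: it reduces the browser's Origin and the request URL the application saw to (scheme, host, port) and aborts on any mismatch, which is exactly the https-versus-http case in the log. It assumes that a proxy-supplied X-Forwarded-Proto header, when the servlet container is configured to honour it, is what lets the application rebuild the request URL with the external scheme, and it models an accepted-origin allowlist as a list of host names.

```python
from urllib.parse import urlsplit

# Constructed from the values in this report: the Origin the browser sent
# and the request URL the application saw behind the nginx proxy.
ORIGIN_HEADER = "https://xxx.com"
REQUEST_URL = ("http://xxx.com/om/wicket/bookmarkable/"
               "org.apache.openmeetings.web.pages.auth.SignInPage")

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Reduce a URL to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def effective_request_url(request_url, forwarded_proto=None):
    """Rebuild the request URL with the scheme the proxy reported, if any.

    Assumption: the container honours X-Forwarded-Proto; without that header
    the application only knows the http scheme nginx used to reach it.
    """
    if not forwarded_proto:
        return request_url
    return urlsplit(request_url)._replace(scheme=forwarded_proto.lower()).geturl()


def check_origin(origin_header, request_url, forwarded_proto=None,
                 accepted_origins=()):
    """Return 'allow' or 'abort' for the same-origin decision (simplified model)."""
    source = origin_tuple(origin_header)
    target = origin_tuple(effective_request_url(request_url, forwarded_proto))
    if source == target:
        return "allow"
    # Hypothetical allowlist of host names, standing in for an accepted-origin
    # configuration; matching only the host is a deliberate simplification.
    if source[1] in {h.lower() for h in accepted_origins}:
        return "allow"
    return "abort"


if __name__ == "__main__":
    print("as reported:      ", check_origin(ORIGIN_HEADER, REQUEST_URL))
    print("with X-Forwarded-Proto:", check_origin(ORIGIN_HEADER, REQUEST_URL, "https"))
```

The first call reproduces the abort from the report; the second shows that once the scheme reaches the application, the same Origin passes without loosening the check.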
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)