Hi Pubudu, On Fri, Jul 8, 2016 at 5:29 PM, Pubudu Priyashan <[email protected]> wrote:
> [+Senduran] > > We have found the same issue [1] in ESB wso2esb-5.0.0-pre-RC2.zip pack. > > [1] https://wso2.org/jira/browse/ESBJAVA-4741 > This issue has been fixed by applying required filters in property file. We will update the JIRA. Thanks. On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote: > > > On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote: > >> Hi All, >> >> Original issue reported by Hasintha is relevant to how we handle session >> timeout conditions with CSRFGuard filter. We are working on this and will >> update with a resolution. >> > > The reason for this behavior is there's no session-existence check prior > to the form POST. Before CSRFGuard this was not a problem, because, upon a > failure due to session timeout one of the following would have happened: > > 1. in the case of an ajaxprocessor - Request would be propagated to > the respective admin service, and upon its session non-existence exception, > will be redirected to the login page. > 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will > redirect to the login page before hitting the actual jsp/servlet. > > Since CSRFGuard is a filter, it intercepts before either of the above > happen and sends a 403 forbidden - because that's what it's supposed to do. > > There's a platform level javascript function called sessionAwareFunction > (in main.js) that can be used for this. Registry Browser uses that. We have > to send the actual operation we want to do as a callback function to > sessionAwareFunction. It will initially do a session validity check > via /carbon/admin/jsp/session-validate.jsp and then execute what we want to > do. > > We tried to come up with a centralized solution for this, but failed. > Therefore, this need to be fixed at product-level. > > Please let us know if you see a better solution for this. > > >> In general CSRFGuard should work without any per-page modifications, >> since we are using JavaScript based attribute injection and header based >> protection for AJAX requests. However, there might be special cases in >> which these methodologies fail. Such incidences should be handled >> case-by-case and we will be adding all the special cases we identified in >> to the "Integration Checklist" of [1]. >> >> We had a short offline session with Shavantha on the issue he is facing >> and identified that there are methods that use " >> *document.createElement('form')*" JavaScript call to build forms >> dynamically. Since CSRFGuard JavaScript will not be able to identify such >> forms, it is necessary to add CSRF token manually. Please see the >> screenshot attached which is the page source of [2]. In such situations it >> is required to use JSP Taglib to add CSRF token as an additional parameter. >> Please follow [1] for additional details. >> >> We can of cause arrange quick sessions with teams to check on any >> edge-case issues they are facing, relevant to CSRFGuard. >> >> [1] >> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f >> [2] >> https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699 >> >> Best Regards, >> Ayoma. >> >> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe < >> [email protected]> wrote: >> >>> [+Dulanjan] >>> >>> Hi All >>> >>> When trying to add multiple roles to a user using a feature such as *Select >>> all from page 1 to page 3* or clicking on a pagination number the same >>> error comes and throws an error similar to[1] >>> >>> [1] >>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site >>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, >>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, >>> error:required token is missing from the request) >>> >>> >>> Regards, >>> Shavantha Weerasinghe >>> Senior Software Engineer QA >>> WSO2, Inc. >>> lean.enterprise.middleware. >>> http://wso2.com >>> http://wso2.org >>> Tel : 94 11 214 5345 >>> Fax :94 11 2145300 >>> >>> >>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> >>> wrote: >>> >>>> Hi all, >>>> >>>> When trying to perform operations through admin console, once the >>>> session is expired we are getting a 403 from admin console. Seems like this >>>> occurs due to CSRF filter blocking the request since the session is no >>>> longer available at the server side. >>>> >>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - >>>> potential cross-site request forgery (CSRF) attack thwarted >>>> (user:<anonymous>, ip:127.0.0.1, method:POST, >>>> uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token >>>> does not match session token) >>>> -- >>>> Hasintha Indrajee >>>> WSO2, Inc. >>>> Mobile:+94 771892453 >>>> >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >> >> >> -- >> Ayoma Wijethunga >> Software Engineer >> Platform Security Team >> WSO2, Inc.; http://wso2.com >> lean.enterprise.middleware >> >> Mobile : +94 (0) 719428123 <+94+(0)+719428123> >> Blog : http://www.ayomaonline.com >> LinkedIn: https://www.linkedin.com/in/ayoma >> > > > > -- > Thanks & Regards, > Dulanja Liyanage > Lead, Platform Security Team > WSO2 Inc. > > _______________________________________________ > Dev mailing list > [email protected] > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- Jagath Ariyarathne Technical Lead WSO2 Inc. http://wso2.com/ Email: [email protected] Mob : +94 77 386 7048
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
