Thanks Jagath. We will test the fix once it's made available. Cheers, Pubudu.
On Friday, 8 July 2016, Jagath Sisirakumara Ariyarathne <[email protected]> wrote:

> Hi Pubudu,
>
> On Fri, Jul 8, 2016 at 5:29 PM, Pubudu Priyashan <[email protected]> wrote:
>
>> [+Senduran]
>>
>> We have found the same issue [1] in ESB wso2esb-5.0.0-pre-RC2.zip pack.
>>
>> [1] https://wso2.org/jira/browse/ESBJAVA-4741
>
> This issue has been fixed by applying required filters in property file.
> We will update the JIRA.
>
> Thanks.
>
> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote:
>
>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Original issue reported by Hasintha is relevant to how we handle session
>>> timeout conditions with CSRFGuard filter. We are working on this and will
>>> update with a resolution.
>>
>> The reason for this behavior is there's no session-existence check prior
>> to the form POST. Before CSRFGuard this was not a problem, because, upon a
>> failure due to session timeout one of the following would have happened:
>>
>> 1. in the case of an ajaxprocessor - Request would be propagated to
>> the respective admin service, and upon its session non-existence exception,
>> will be redirected to the login page.
>> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will
>> redirect to the login page before hitting the actual jsp/servlet.
>>
>> Since CSRFGuard is a filter, it intercepts before either of the above
>> happen and sends a 403 forbidden - because that's what it's supposed to do.
>>
>> There's a platform level javascript function called sessionAwareFunction
>> (in main.js) that can be used for this. Registry Browser uses that. We have
>> to send the actual operation we want to do as a callback function to
>> sessionAwareFunction. It will initially do a session validity check
>> via /carbon/admin/jsp/session-validate.jsp and then execute what we want to
>> do.
>>
>> We tried to come up with a centralized solution for this, but failed.
>> Therefore, this needs to be fixed at product-level.
>>
>> Please let us know if you see a better solution for this.
>>
>>> In general CSRFGuard should work without any per-page modifications,
>>> since we are using JavaScript based attribute injection and header based
>>> protection for AJAX requests. However, there might be special cases in
>>> which these methodologies fail. Such incidences should be handled
>>> case-by-case and we will be adding all the special cases we identified in
>>> to the "Integration Checklist" of [1].
>>>
>>> We had a short offline session with Shavantha on the issue he is facing
>>> and identified that there are methods that use
>>> "*document.createElement('form')*" JavaScript call to build forms
>>> dynamically. Since CSRFGuard JavaScript will not be able to identify such
>>> forms, it is necessary to add CSRF token manually. Please see the
>>> screenshot attached which is the page source of [2]. In such situations it
>>> is required to use JSP Taglib to add CSRF token as an additional parameter.
>>> Please follow [1] for additional details.
>>>
>>> We can of course arrange quick sessions with teams to check on any
>>> edge-case issues they are facing, relevant to CSRFGuard.
>>>
>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>
>>> Best Regards,
>>> Ayoma.
>>>
>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <[email protected]> wrote:
>>>
>>>> [+Dulanjan]
>>>>
>>>> Hi All
>>>>
>>>> When trying to add multiple roles to a user using a feature such as *Select
>>>> all from page 1 to page 3* or clicking on a pagination number the same
>>>> error comes and throws an error similar to [1]
>>>>
>>>> [1]
>>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site
>>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
>>>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp,
>>>> error:required token is missing from the request)
>>>>
>>>> Regards,
>>>> Shavantha Weerasinghe
>>>> Senior Software Engineer QA
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware.
>>>> http://wso2.com
>>>> http://wso2.org
>>>> Tel : 94 11 214 5345
>>>> Fax :94 11 2145300
>>>>
>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> When trying to perform operations through admin console, once the
>>>>> session is expired we are getting a 403 from admin console. Seems like this
>>>>> occurs due to CSRF filter blocking the request since the session is no
>>>>> longer available at the server side.
>>>>>
>>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger}
>>>>> - potential cross-site request forgery (CSRF) attack thwarted
>>>>> (user:<anonymous>, ip:127.0.0.1, method:POST,
>>>>> uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token
>>>>> does not match session token)
>>>>> --
>>>>> Hasintha Indrajee
>>>>> WSO2, Inc.
>>>>> Mobile:+94 771892453
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>> --
>>> Ayoma Wijethunga
>>> Software Engineer
>>> Platform Security Team
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 (0) 719428123
>>> Blog : http://www.ayomaonline.com
>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Jagath Ariyarathne
> Technical Lead
> WSO2 Inc. http://wso2.com/
> Email: [email protected]
> Mob : +94 77 386 7048

-- Sent from Gmail Mobile
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
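An added example, not code from this thread or from WSO2 Carbon, that models the failure mode Dulanja describes and the sessionAwareFunction fix: a CSRFGuard-style filter runs before any session check, so a POST after session expiry gets a 403 rather than a login redirect, and a form built with document.createElement('form') gets no token at all unless one is added by hand. The in-memory session store, the token parameter name OWASP_CSRFTOKEN (CSRFGuard's default) and the login page path are assumptions made for this example.

```javascript
// Added example, not code from the thread or from WSO2 Carbon. Models the flow
// Dulanja describes: a CSRFGuard-style filter runs before any session check,
// so a POST after session expiry gets 403 instead of a login redirect, unless
// the operation is first wrapped in a session-validity check. Session store,
// token name OWASP_CSRFTOKEN (CSRFGuard's default) and the login path are
// assumptions made for this example.

// Constructed server-side state: one live session and its CSRF token.
const sessions = new Map([["SID-live", { csrfToken: "tok-abc" }]]);

// Stand-in for /carbon/admin/jsp/session-validate.jsp: is the session alive?
function sessionValidate(sessionId) {
  return sessions.has(sessionId);
}

// Stand-in for the CSRFGuard filter. It runs before the jsp/servlet; with no
// session there is no session token, so every POST is refused with 403.
function csrfGuardFilter(req) {
  const session = sessions.get(req.sessionId);
  if (!session || req.params.OWASP_CSRFTOKEN !== session.csrfToken) {
    return { status: 403, body: "potential CSRF attack thwarted" };
  }
  return { status: 200, body: "ok" };
}

// Stand-in for sessionAwareFunction(callback) in main.js: validate the
// session first, then run the real operation; otherwise go to the login page.
function sessionAwareFunction(sessionId, operation) {
  if (!sessionValidate(sessionId)) {
    return { status: 302, location: "/carbon/admin/login.jsp" };
  }
  return operation();
}

// Params for a form built with document.createElement('form'), which the
// CSRFGuard JavaScript does not instrument: the token must be added by hand.
function buildRolesPost(roles, csrfToken) {
  const params = { roles: roles.join(",") };
  if (csrfToken !== undefined) params.OWASP_CSRFTOKEN = csrfToken;
  return params;
}

// The fixed client path: session check, then the guarded POST.
function submitRoles(sessionId, roles, csrfToken) {
  return sessionAwareFunction(sessionId, () =>
    csrfGuardFilter({ sessionId, params: buildRolesPost(roles, csrfToken) }));
}
```

Calling csrfGuardFilter directly with an expired session reproduces the 403 from the original report, while submitRoles on the same session returns the login redirect instead.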
