Hi,

The file upload works fine, this happens only when session expires. These are only two scenarios I have mentioned above. There can be other scenarios as well where this might happen due to session timeout.

Thanks!
Rajith

On Mon, Jul 11, 2016 at 1:14 PM, Ayoma Wijethunga <[email protected]> wrote:

> Hi Rajith,
>
> "org.owasp.csrfguard.ValidateWhenNoSessionExists" is only relevant to session timeout scenario Hasintha mentioned.
>
> Regarding "/fileupload/resource", please have a look at "Integration Checklist", last item from [1].
>
> Let's have a look at "/carbon/generic" URL separately and see what is wrong.
>
> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>
> Best Regards,
> Ayoma.
>
> On Sat, Jul 9, 2016 at 3:05 PM, Rajith Roshan <[email protected]> wrote:
>
>> Hi Ayoma,
>>
>> We are facing this issue when uploading registry resource and uploading rxts when session gets expired. We have changed the "org.owasp.csrfguard.ValidateWhenNoSessionExists" property to false. But it still gives the following error messages [1],[2]. After reloading the page the issue does not happen.
>>
>> [1] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100, method:POST, uri:/carbon/generic/save_artifact_ajaxprocessor.jsp, error:request token does not match session token)
>> [2] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100, method:POST, uri:/fileupload/resource, error:request token does not match session token)
>>
>> On Fri, Jul 8, 2016 at 8:03 PM, Ayoma Wijethunga <[email protected]> wrote:
>>
>>> Hi Team,
>>>
>>> We identified that disabling "ValidateWhenNoSessionExists" property similar to following can resolve original session-timeout issue raised by Hasintha.
>>>
>>> org.owasp.csrfguard.ValidateWhenNoSessionExists = false
>>>
>>> Please add below lines in product "distribution" pom file to correct this behavior. This was further updated in [1] and [2] (Integration Checklist).
>>>
>>>>> <!-- Update Owasp.CsrfGuard.properties file with ValidateWhenNoSessionExists to disable validation on requests made with no valid session -->
>>>>>
>>>>> <replace file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>>>>>          token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>>>>>          value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>>>
>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
>>> [2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>>>
>>> Thank you,
>>> Ayoma.
>>>
>>> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote:
>>>
>>>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Original issue reported by Hasintha is relevant to how we handle session timeout conditions with CSRFGuard filter. We are working on this and will update with a resolution.
>>>>
>>>> The reason for this behavior is there's no session-existence check prior to the form POST. Before CSRFGuard this was not a problem, because, upon a failure due to session timeout one of the following would have happened:
>>>>
>>>> 1. in the case of an ajaxprocessor - Request would be propagated to the respective admin service, and upon its session non-existence exception, will be redirected to the login page.
>>>> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will redirect to the login page before hitting the actual jsp/servlet.
>>>>
>>>> Since CSRFGuard is a filter, it intercepts before either of the above happen and sends a 403 forbidden - because that's what it's supposed to do.
>>>>
>>>> There's a platform level javascript function called sessionAwareFunction (in main.js) that can be used for this. Registry Browser uses that. We have to send the actual operation we want to do as a callback function to sessionAwareFunction. It will initially do a session validity check via /carbon/admin/jsp/session-validate.jsp and then execute what we want to do.
>>>>
>>>> We tried to come up with a centralized solution for this, but failed. Therefore, this needs to be fixed at product-level.
>>>>
>>>> Please let us know if you see a better solution for this.
>>>>
>>>>> In general CSRFGuard should work without any per-page modifications, since we are using JavaScript based attribute injection and header based protection for AJAX requests. However, there might be special cases in which these methodologies fail. Such incidences should be handled case-by-case and we will be adding all the special cases we identified in to the "Integration Checklist" of [1].
>>>>>
>>>>> We had a short offline session with Shavantha on the issue he is facing and identified that there are methods that use "*document.createElement('form')*" JavaScript call to build forms dynamically. Since CSRFGuard JavaScript will not be able to identify such forms, it is necessary to add CSRF token manually. Please see the screenshot attached which is the page source of [2]. In such situations it is required to use JSP Taglib to add CSRF token as an additional parameter. Please follow [1] for additional details.
>>>>>
>>>>> We can of course arrange quick sessions with teams to check on any edge-case issues they are facing, relevant to CSRFGuard.
>>>>>
>>>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>>>> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>>>
>>>>> Best Regards,
>>>>> Ayoma.
>>>>>
>>>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <[email protected]> wrote:
>>>>>
>>>>>> [+Dulanjan]
>>>>>>
>>>>>> Hi All
>>>>>>
>>>>>> When trying to add multiple roles to a user using a feature such as *Select all from page 1 to page 3* or clicking on a pagination number the same error comes and throws an error similar to [1]
>>>>>>
>>>>>> [1] [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, error:required token is missing from the request)
>>>>>>
>>>>>> Regards,
>>>>>> Shavantha Weerasinghe
>>>>>> Senior Software Engineer QA
>>>>>> WSO2, Inc.
>>>>>> lean.enterprise.middleware.
>>>>>> http://wso2.com
>>>>>> http://wso2.org
>>>>>> Tel : 94 11 214 5345
>>>>>> Fax :94 11 2145300
>>>>>>
>>>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> When trying to perform operations through admin console, once the session is expired we are getting a 403 from admin console. Seems like this occurs due to CSRF filter blocking the request since the session is no longer available at the server side.
>>>>>>>
>>>>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token does not match session token)
>>>>>>>
>>>>>>> --
>>>>>>> Hasintha Indrajee
>>>>>>> WSO2, Inc.
>>>>>>> Mobile:+94 771892453
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> [email protected]
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>> --
>>>>> Ayoma Wijethunga
>>>>> Software Engineer
>>>>> Platform Security Team
>>>>> WSO2, Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile : +94 (0) 719428123
>>>>> Blog : http://www.ayomaonline.com
>>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Dulanja Liyanage
>>>> Lead, Platform Security Team
>>>> WSO2 Inc.
>>>
>>> --
>>> Ayoma Wijethunga
>>> Software Engineer
>>> Platform Security Team
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 (0) 719428123
>>> Blog : http://www.ayomaonline.com
>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>> --
>> Rajith Roshan
>> Software Engineer, WSO2 Inc.
>> Mobile: +94-72-642-8350
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma

--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-72-642-8350
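Two client-side patterns come up in the thread above: Dulanja's point that a privileged POST should be wrapped in a session-validity check (the sessionAwareFunction pattern, probing /carbon/admin/jsp/session-validate.jsp before running the real operation, so an expired session lands on the login page instead of a CSRFGuard 403), and Ayoma's point that a form built with document.createElement('form') is invisible to CSRFGuard's injected JavaScript and must carry the CSRF token explicitly. The block below is an added example illustrating both; it is not code from WSO2 Carbon's main.js or from the CSRFGuard project. Everything except the session-validate URL is an assumption: the login URL, the shape of the validate response (200 with "success" in the body), the token field name (CSRFGuard's default is OWASP_CSRFTOKEN, but treat it as an assumption) and its value, which in a real page would come from the JSP taglib. The document, the probe and the navigation are injected so the logic runs in Node as well as in a browser.

```javascript
// Added example (not WSO2 Carbon's or CSRFGuard's code). Shows:
//  1. a session-aware wrapper that checks session validity before running a
//     privileged action, so a timed-out session goes to login rather than
//     hitting CSRFGuard and receiving a 403; and
//  2. a dynamically created form that appends the CSRF token itself, because
//     CSRFGuard's injected script cannot see forms built after it ran.

const SESSION_VALIDATE_URL = '/carbon/admin/jsp/session-validate.jsp'; // named in the thread
const LOGIN_URL = '/carbon/admin/login.jsp';                            // assumed

// Interpret the validity probe. Assumption: the endpoint answers HTTP 200 with
// "success" in the body while the session is alive; a redirect to login, an
// error status or any other body means the session is gone.
function sessionIsAlive(response) {
  return response.status === 200 && /success/.test(response.body || '');
}

// Run `action` only if the session is still alive; otherwise navigate to login.
// deps.probe(url) -> {status, body} (synchronous stand-in for the XHR the real
// helper would make); deps.navigate(url) performs the redirect.
// Returns 'executed' or 'redirected' so callers can see what happened.
function sessionAwareFunction(action, deps) {
  const response = deps.probe(SESSION_VALIDATE_URL);
  if (!sessionIsAlive(response)) {
    deps.navigate(LOGIN_URL);
    return 'redirected';
  }
  action();
  return 'executed';
}

// Build a POST form dynamically and add the CSRF token as a hidden field.
// `csrf` = {name, value}: in a real page these come from what the taglib
// emitted into the page, not from anything the script computes itself.
function buildTokenizedForm(doc, actionUrl, fields, csrf) {
  const form = doc.createElement('form');
  form.setAttribute('method', 'POST');
  form.setAttribute('action', actionUrl);
  const all = Object.assign({}, fields, { [csrf.name]: csrf.value });
  for (const [name, value] of Object.entries(all)) {
    const input = doc.createElement('input');
    input.setAttribute('type', 'hidden');
    input.setAttribute('name', name);
    input.setAttribute('value', value);
    form.appendChild(input);
  }
  return form;
}

// Read a form's hidden fields back as an object (lets a caller confirm the
// token is present before submitting).
function formFields(form) {
  const out = {};
  for (const child of form.children) {
    out[child.getAttribute('name')] = child.getAttribute('value');
  }
  return out;
}

// Minimal stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  function el(tag) {
    const attrs = {};
    const children = [];
    return {
      tagName: tag,
      children,
      setAttribute: (k, v) => { attrs[k] = String(v); },
      getAttribute: (k) => (k in attrs ? attrs[k] : null),
      appendChild: (c) => { children.push(c); return c; },
    };
  }
  return { createElement: el };
}

// Scenario from the thread: the session has timed out. With the wrapper the
// action never fires and the browser is sent to the login page; without it the
// POST would reach the CSRFGuard filter first and be answered with a 403.
function demoExpiredSession() {
  const visited = [];
  const result = sessionAwareFunction(
    () => { throw new Error('action must not run when the session is expired'); },
    { probe: () => ({ status: 200, body: 'failed' }), navigate: (u) => visited.push(u) },
  );
  return { result, visited };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoExpiredSession());
  const form = buildTokenizedForm(makeFakeDocument(), '/carbon/user/view-roles.jsp',
    { username: 'alice' }, { name: 'OWASP_CSRFTOKEN', value: 'token-placeholder' });
  console.log(formFields(form));
}
```

In a browser the probe would be a synchronous or promise-based XHR to SESSION_VALIDATE_URL and navigate would be `window.location.assign`; the rest of the logic is unchanged. The point of keeping the token as an explicit hidden field is that the request then matches what CSRFGuard expects ("required token is missing from the request" in Shavantha's log is exactly the case where a dynamically built form was submitted without it).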
