Hi Madhawa,

Thanks for reporting this. Seems to be an edge case.
I was able to reproduce it. We are looking into how to mitigate this.

Thanks,
Dulanja

On Tue, Jul 12, 2016 at 4:39 PM, Madhawa Gunasekara <[email protected]> wrote:
> Hi Ayoma,
>
> I found this same error after restarting the server. Please find the steps to reproduce the issue.
>
> 1. Start the server,
> 2. Go to Management console and do login and then logout.
> 3. Don't close the browser window.
> 4. Restart the server.
> 5. Open the management console login page in new browser window.
> 6. Then try to login to the management console by using previous browser window.
>
> Thanks,
> Madhawa
>
> On Mon, Jul 11, 2016 at 2:38 PM, Rajith Roshan <[email protected]> wrote:
>
>> Hi,
>> The file upload works fine, this happens only when session expires. These are only two scenarios I have mentioned above. There can be other scenarios as well where this might happen due to session timeout.
>>
>> Thanks!
>> Rajith
>>
>> On Mon, Jul 11, 2016 at 1:14 PM, Ayoma Wijethunga <[email protected]> wrote:
>>
>>> Hi Rajith,
>>>
>>> "org.owasp.csrfguard.ValidateWhenNoSessionExists" is only relevant to the session timeout scenario Hasintha mentioned.
>>>
>>> Regarding "/fileupload/resource", please have a look at "Integration Checklist", last item from [1].
>>>
>>> Let's have a look at "/carbon/generic" URL separately and see what is wrong.
>>>
>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>>
>>> Best Regards,
>>> Ayoma.
>>>
>>> On Sat, Jul 9, 2016 at 3:05 PM, Rajith Roshan <[email protected]> wrote:
>>>
>>>> Hi Ayoma,
>>>>
>>>> We are facing this issue when uploading registry resource and uploading rxts when session gets expired. We have changed the "org.owasp.csrfguard.ValidateWhenNoSessionExists" property to false. But it still gives the following error messages [1],[2]. After reloading the page the issue does not happen.
>>>>
>>>> [1] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100, method:POST, uri:/carbon/generic/save_artifact_ajaxprocessor.jsp, error:request token does not match session token)
>>>> [2] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100, method:POST, uri:/fileupload/resource, error:request token does not match session token)
>>>>
>>>> On Fri, Jul 8, 2016 at 8:03 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>>
>>>>> Hi Team,
>>>>>
>>>>> We identified that disabling "ValidateWhenNoSessionExists" property similar to following can resolve the original session-timeout issue raised by Hasintha.
>>>>>
>>>>> org.owasp.csrfguard.ValidateWhenNoSessionExists = false
>>>>>
>>>>> Please add below lines in product "distribution" pom file to correct this behavior. This was further updated in [1] and [2] (Integration Checklist).
>>>>>
>>>>> <!-- Update Owasp.CsrfGuard.properties file
>>>>>      with ValidateWhenNoSessionExists to disable validation on requests made
>>>>>      with no valid session -->
>>>>>
>>>>> <replace
>>>>>     file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>>>>>     token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>>>>>     value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>>>>>
>>>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
>>>>> [2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>>>>>
>>>>> Thank you,
>>>>> Ayoma.
>>>>>
>>>>> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote:
>>>>>
>>>>>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Original issue reported by Hasintha is relevant to how we handle session timeout conditions with CSRFGuard filter. We are working on this and will update with a resolution.
>>>>>>
>>>>>> The reason for this behavior is there's no session-existence check prior to the form POST. Before CSRFGuard this was not a problem, because, upon a failure due to session timeout one of the following would have happened:
>>>>>>
>>>>>> 1. in the case of an ajaxprocessor - Request would be propagated to the respective admin service, and upon its session non-existence exception, will be redirected to the login page.
>>>>>> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will redirect to the login page before hitting the actual jsp/servlet.
>>>>>>
>>>>>> Since CSRFGuard is a filter, it intercepts before either of the above happen and sends a 403 forbidden - because that's what it's supposed to do.
>>>>>>
>>>>>> There's a platform level javascript function called sessionAwareFunction (in main.js) that can be used for this. Registry Browser uses that. We have to send the actual operation we want to do as a callback function to sessionAwareFunction. It will initially do a session validity check via /carbon/admin/jsp/session-validate.jsp and then execute what we want to do.
>>>>>>
>>>>>> We tried to come up with a centralized solution for this, but failed. Therefore, this needs to be fixed at product-level.
>>>>>>
>>>>>> Please let us know if you see a better solution for this.
>>>>>>
>>>>>>> In general CSRFGuard should work without any per-page modifications, since we are using JavaScript based attribute injection and header based protection for AJAX requests. However, there might be special cases in which these methodologies fail. Such incidences should be handled case-by-case and we will be adding all the special cases we identified into the "Integration Checklist" of [1].
>>>>>>>
>>>>>>> We had a short offline session with Shavantha on the issue he is facing and identified that there are methods that use "*document.createElement('form')*" JavaScript call to build forms dynamically. Since CSRFGuard JavaScript will not be able to identify such forms, it is necessary to add CSRF token manually. Please see the screenshot attached which is the page source of [2]. In such situations it is required to use JSP Taglib to add CSRF token as an additional parameter. Please follow [1] for additional details.
>>>>>>>
>>>>>>> We can of course arrange quick sessions with teams to check on any edge-case issues they are facing, relevant to CSRFGuard.
>>>>>>>
>>>>>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>>>>>> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Ayoma.
>>>>>>>
>>>>>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <[email protected]> wrote:
>>>>>>>
>>>>>>>> [+Dulanjan]
>>>>>>>>
>>>>>>>> Hi All
>>>>>>>>
>>>>>>>> When trying to add multiple roles to a user using a feature such as *Select all from page 1 to page 3* or clicking on a pagination number the same error comes and throws an error similar to [1]
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, error:required token is missing from the request)
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Shavantha Weerasinghe
>>>>>>>> Senior Software Engineer QA
>>>>>>>> WSO2, Inc.
>>>>>>>> lean.enterprise.middleware.
>>>>>>>> http://wso2.com
>>>>>>>> http://wso2.org
>>>>>>>> Tel : 94 11 214 5345
>>>>>>>> Fax :94 11 2145300
>>>>>>>>
>>>>>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> When trying to perform operations through admin console, once the session is expired we are getting a 403 from admin console. Seems like this occurs due to CSRF filter blocking the request since the session is no longer available at the server side.
>>>>>>>>>
>>>>>>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token does not match session token)
>>>>>>>>> --
>>>>>>>>> Hasintha Indrajee
>>>>>>>>> WSO2, Inc.
>>>>>>>>> Mobile:+94 771892453
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>> --
>>>>>>> Ayoma Wijethunga
>>>>>>> Software Engineer
>>>>>>> Platform Security Team
>>>>>>> WSO2, Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> Mobile : +94 (0) 719428123
>>>>>>> Blog : http://www.ayomaonline.com
>>>>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Dulanja Liyanage
>>>>>> Lead, Platform Security Team
>>>>>> WSO2 Inc.
>>>>
>>>> --
>>>> Rajith Roshan
>>>> Software Engineer, WSO2 Inc.
>>>> Mobile: +94-72-642-8350
>
> --
> *Madhawa Gunasekara*
> Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94 719411002
> blog: http://madhawa-gunasekara.blogspot.com
> linkedin: http://lk.linkedin.com/in/mgunasekara
