Hi Karthik,

Can you modify the SERVER/repository/conf/carbon.xml file and disable the
XSS and CSRF valves using the following config?

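        <XSSPreventionConfig>
                <Enabled>false</Enabled>
                <!-- other settings in this element stay as they are -->
        </XSSPreventionConfig>

        <CSRFPreventionConfig>
                <Enabled>false</Enabled>
                <!-- other settings in this element stay as they are -->
        </CSRFPreventionConfig>
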

Then restart the server and check if you get the same issue. Let us know
the output so we can assist you to get the issue fixed.

Please note that the above is just to check if the CSRF and XSS valves are
causing this issue, as it's not recommended to turn off security features
in the product.

Regards,
TharinduE

On Thu, Aug 10, 2017 at 10:18 AM, Tharindu Edirisinghe <tharin...@wso2.com>
wrote:

> Hi Karthik,
>
> Here I am forwarding this email to WSO2 Dev mail group, since this is not
> related to a security issue in WSO2 products/services.
>
> Regards,
> Tharindu
>
> On Thu, Aug 10, 2017 at 10:07 AM, Karthik Saravanan <
> karthik_sarava...@persistent.com> wrote:
>
>> Hi WSO2 team,
>>
>> I am stuck deep in a problem. Your help will be very much appreciated.
>>
>> 1. We had WSO2 running in our environment for a long time. We had
>> a JSP based client application to perform bulk upload of Users and this was
>> working fine.
>>
>> 2. Since yesterday the bulk upload functionality is failing with
>> an exception shown below and was reported to us by the client. The client
>> side JSP code has never been changed at all since 2 yrs.
>>
>> org.wso2.carbon.identity.mgt.stub.UserInformationRecoveryServiceIdentityMgtServiceExceptionException: UserInformationRecoveryServiceIdentityMgtServiceExceptionException
>>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>         at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>>         at java.lang.Class.newInstance(Class.java:383)
>>         at org.wso2.carbon.identity.mgt.stub.UserInformationRecoveryServiceStub.registerUser(UserInformationRecoveryServiceStub.java:685)
>>         at org.wso2.sample.inforecovery.client.UserInformationRecoveryClient.registerUser(UserInformationRecoveryClient.java:280)
>>         at org.genwi.clients.bemis.BemisClient.addBemisUser(BemisClient.java:172)
>>         at org.wso2.sample.inforecovery.controller.SelfSignupController.handleBulkUpload(SelfSignupController.java:336)
>>
>> 3. For the past 2 months, when we restarted the servers it used to only
>> check for patches and find no new patches and therefore start the servers
>> properly stating there are no patches to apply. The last patch was in March
>> 2017.
>>
>> 4. However, when I restarted WSO2 yesterday it said it found a new
>> patch:
>>
>> [2017-08-09 09:44:27,178]  INFO {org.wso2.carbon.server.util.PatchUtils} -  org.wso2.carbon.identity.application.authenticator.requestpath.oauth_4.2.0.jar has been added
>> [2017-08-09 09:44:27,178]  INFO {org.wso2.carbon.server.extensions.PatchInstaller} -  Patch changes detected
>> [2017-08-09 09:44:27,178]  INFO {org.wso2.carbon.server.util.PatchUtils} -  Applying patches ...
>> [2017-08-09 09:44:27,178]  INFO {org.wso2.carbon.server.util.PatchUtils} -  restoring bundle backup directory
>> [2017-08-09 09:54:20,390]  INFO {org.wso2.carbon.server.util.PatchUtils} -  Checking for patch changes ...
>> [2017-08-09 09:54:20,392]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0000
>> [2017-08-09 09:54:20,392]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0001
>> [2017-08-09 09:54:20,392]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0002
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0003
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0004
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0005
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0006
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0007
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0008
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch0009
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch1016
>> [2017-08-09 09:54:20,393]  INFO {org.wso2.carbon.server.util.PatchUtils} -  New patch available - patch1464
>> [2017-08-09 09:54:20,595]  INFO {org.wso2.carbon.server.extensions.PatchInstaller} -  Patch changes detected
>> [2017-08-09 09:54:20,595]  INFO {org.wso2.carbon.server.util.PatchUtils} -  Applying patches ...
>>
>> I am not sure if this was because of an abrupt restart that it re-applied
>> all the patches to maintain consistency. Ideally I wouldn’t expect old
>> patches causing any issues because they were anyways applied once.
>>
>> Can you please help? I am really stuck.
>>
>> Thanks
>>
>> Karthik
>>
>
>
>
> --
>
> Tharindu Edirisinghe
> Senior Software Engineer | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>



-- 

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
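
An added example (not part of the original thread and not WSO2 code): a Python check, run after the diagnostic restart suggested above, that confirms the XSS and CSRF valves in carbon.xml are switched back on. Only the element names XSSPreventionConfig, CSRFPreventionConfig and Enabled come from the message; the sample XML, its namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Element names taken from the message above; everything else is constructed.
VALVES = ("XSSPreventionConfig", "CSRFPreventionConfig")

def _local(tag):
    """'{namespace}Name' -> 'Name', so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def valve_status(carbon_xml_text):
    """Map each valve to 'enabled', 'disabled', 'unset' or 'missing'."""
    root = ET.fromstring(carbon_xml_text)
    status = dict.fromkeys(VALVES, "missing")
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in VALVES:
            continue
        flag = next((c for c in elem if _local(c.tag) == "Enabled"), None)
        if flag is None:
            status[name] = "unset"
        else:
            value = (flag.text or "").strip().lower()
            status[name] = "enabled" if value == "true" else "disabled"
    return status

def needs_review(carbon_xml_text):
    """Valves not explicitly enabled (assumption: anything else gets flagged)."""
    return sorted(n for n, s in valve_status(carbon_xml_text).items() if s != "enabled")

# Constructed sample: carbon.xml as left by the diagnostic step in this thread.
DIAGNOSTIC = """<Server xmlns="urn:example:carbon"><Security>
  <XSSPreventionConfig><Enabled>false</Enabled></XSSPreventionConfig>
  <CSRFPreventionConfig><Enabled>false</Enabled></CSRFPreventionConfig>
</Security></Server>"""

# Constructed sample: XSS valve restored, CSRF element has no <Enabled> child.
PARTLY_RESTORED = """<Server xmlns="urn:example:carbon"><Security>
  <XSSPreventionConfig><Enabled> true </Enabled></XSSPreventionConfig>
  <CSRFPreventionConfig><Rule>allow</Rule></CSRFPreventionConfig>
</Security></Server>"""

if __name__ == "__main__":
    for label, text in (("diagnostic", DIAGNOSTIC), ("partly restored", PARTLY_RESTORED)):
        print(label, valve_status(text), "review:", needs_review(text))
```

Feeding the real file's contents to needs_review() and failing a deployment check on a non-empty result keeps a temporary diagnostic setting from reaching production.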
