Hi there, yes, this probably has to do with the CSRF-related fixes.
Jackrabbit hasn't got any support for CSRF tokens, so there's no point in trying that.
The simplest possible thing that should work is adding a Referer header field (keep in mind that CSRF protection is about avoiding misbehaving browsers; for non-browser clients you should be able to just modify the request header fields so that the server is happy).
Best regards,
Julian

On 2016-11-21 07:41, Daniel Rotter wrote:
Hey there,

I have been using Jackrabbit in combination with Jackalope (https://github.com/jackalope/jackalope-jackrabbit), but this has started to fail since Jackrabbit 2.12.4. When trying to write something to the workspace, I always get an error like this:

[PHPCR\RepositoryException]
Unexpected error: CURL Error: Response (HTTP 403): POST
--uri: --
array (
  0 => 'http://localhost:8080/server/default/jcr:root/',
)
--curl getinfo: --
array (
  'url' => 'http://localhost:8080/server/default/jcr:root/',
  'content_type' => 'text/html; charset=iso-8859-1',
  'http_code' => 403,
  'header_size' => 165,
  'request_size' => 7846,
  'filetime' => -1,
  'ssl_verify_result' => 0,
  'redirect_count' => 0,
  'total_time' => 0.002591,
  'namelookup_time' => 1.7E-5,
  'connect_time' => 0.000165,
  'pretransfer_time' => 0.000192,
  'size_upload' => 7588.0,
  'size_download' => 1389.0,
  'speed_download' => 536086.0,
  'speed_upload' => 2928598.0,
  'download_content_length' => 1389.0,
  'upload_content_length' => 7588.0,
  'starttransfer_time' => 0.0025690000000000001,
  'redirect_time' => 0.0,
  'redirect_url' => '',
  'primary_ip' => '::1',
  'certinfo' => array (
  ),
  'primary_port' => 8080,
  'local_ip' => '::1',
  'local_port' => 64122,
)
--request body (size: 7588 bytes): --
--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-created"
Content-Type: jcr-value/date; charset=UTF-8
Content-Transfer-Encoding: 8bit

2016-11-16T10:10:21.000+00:00
--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-changed"
Content-Type: jcr-value/date; charset=UTF-8
Content-Transfer-Encoding: 8bit

2016-11-16T10:10:21.000+00:00
--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-published"
Content-Type: jcr-value/date; charset=UTF-8
Content-Transfer-Encoding: 8bit

2016-11-16T10:10:21.000+00:00
--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-title"
Content-Type: jcr-value/string; charset=UTF-8
Content-Transfer-Encoding: 8bit

--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-description"
Content-Type: jcr-value/string; charset=UTF-8
Content-Transfer-Encoding: 8bit

--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-keywords"
Content-Type: jcr-value/string; charset=UTF-8
Content-Transfer-Encoding: 8bit

--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-canonicalUrl"
Content-Type: jcr-value/string; charset=UTF-8
Content-Transfer-Encoding: 8bit

--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-noIndex"
Content-Type: jcr-value/boolean; charset=UTF-8
Content-Transfer-Encoding: 8bit

--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-noFollow"
Content-Type: jcr-value/boolean; charset=UTF-8
Content-Transfer-Encoding: 8bit

--07d542fbc64b7d5ee6f9362454e670f5
Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n (truncated)
--response body (size: 1389 bytes): --
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 403 FORBIDDEN</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /server/default/jcr:root/. Reason:
<pre>    FORBIDDEN</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
<br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/>
</body>
</html>
--end response body--

If I am informed correctly, jackalope-jackrabbit uses the WebDAV interface of Jackrabbit.
Also, I have seen that the only issue fixed in the 2.12.4 release was https://issues.apache.org/jira/browse/JCR-4009, which is handling some CSRF stuff. So I think the 403 error we are getting could be related to the fix of that issue (and obviously is, since it is the only thing that changed). I talked to David Buchmann, the main author of jackalope-jackrabbit, and he said there is probably no CSRF handling, and after digging a bit in the code I cannot say otherwise. So I assume that this part is missing.

I have already looked at the different requests sent between the jackalope internal client and one delivered by PHPCR, and I see some differences there. For a simple list-of-nodes command the jackrabbit internal client is sending a GET request, while the implementation of jackalope uses a POST with the content type application/x-www-form-urlencoded. I tried to change that, but I was still not lucky (I have explained that in more detail in this issue: https://github.com/jackalope/jackalope-jackrabbit/issues/138#issuecomment-261295082).

Now my question is how we would have to provide a CSRF token in order to get that working again. It's a little bit hard to find the missing bits in Wireshark without having a clue at all :-) Or am I searching in a completely different path?

Kind Regards
Daniel
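Julian's suggestion above, that a non-browser client can simply send a Referer header the server will accept, as an added example that is not code from Jackrabbit, Jackalope or anyone in this thread. The server side is a simplified model of a Referer-based CSRF check (form-style POSTs are rejected when the Referer is missing or names another origin); that rule is an assumption for illustration, not Jackrabbit's actual filter, which may apply different or additional rules. The target URL, boundary and multipart body are constructed from the error report quoted above, and `build_post` only builds the request, it sends nothing.

```python
"""Satisfying a Referer-based CSRF check from a non-browser JCR/WebDAV client.

Added example, not code from Jackrabbit or Jackalope. The server side below is
a simplified MODEL of a Referer-based CSRF filter (form-style POSTs are
rejected when Referer is missing or names another origin). That rule is an
assumption for illustration; the real filter may differ, e.g. by allowing a
configured list of extra hosts. Request data is constructed for the example.
"""
import urllib.request
from urllib.parse import urlsplit

# Content types a plain HTML <form> can submit cross-site without any
# cooperation from the target; these are what a Referer-based filter gates.
FORM_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


def origin_of(url):
    """Return (scheme, host, effective port) so two URLs compare as origins."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def passes_referer_check(method, headers, target_url):
    """Model of a same-origin Referer check (an assumption, see module docstring).

    Header names are matched case-insensitively. Returns True when the request
    would be let through:
      * anything that is not a POST passes;
      * a POST whose Content-Type is not a form type passes;
      * a form-style POST passes only if Referer is present and has the same
        scheme, host and port as the request target.
    """
    if method.upper() != "POST":
        return True
    lowered = {name.lower(): value for name, value in headers.items()}
    content_type = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if content_type not in FORM_CONTENT_TYPES:
        return True
    referer = lowered.get("referer")
    if not referer:
        return False  # no Referer at all: the model treats this as cross-site
    return origin_of(referer) == origin_of(target_url)


def build_post(target_url, body, content_type):
    """Client-side fix: build the POST with a Referer naming the target's own origin.

    A non-browser client controls its own headers, so it can send a Referer a
    same-origin check accepts. Returns a urllib Request; nothing is sent.
    """
    scheme, host, port = origin_of(target_url)
    headers = {
        "Content-Type": content_type,
        "Referer": f"{scheme}://{host}:{port}/",
    }
    return urllib.request.Request(target_url, data=body, headers=headers, method="POST")


def would_be_accepted(request):
    """Run the model check against a urllib Request as it would go on the wire."""
    return passes_referer_check(
        request.get_method(), dict(request.header_items()), request.full_url
    )


if __name__ == "__main__":
    target = "http://localhost:8080/server/default/jcr:root/"  # from the error report
    # Constructed stand-in for the multipart body in the report (one part only).
    boundary = "07d542fbc64b7d5ee6f9362454e670f5"
    multipart = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-created"\r\n'
        "Content-Type: jcr-value/date; charset=UTF-8\r\n\r\n"
        "2016-11-16T10:10:21.000+00:00\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    bare = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    print("without Referer:", passes_referer_check("POST", bare, target))  # False
    fixed = build_post(target, multipart, bare["Content-Type"])
    print("with Referer   :", would_be_accepted(fixed))                    # True
    # The GET the Jackrabbit client uses for listing nodes is not gated at all.
    print("plain GET      :", passes_referer_check("GET", {}, target))     # True
```

For a PHP/curl transport such as Jackalope's, the same header can be set with curl's CURLOPT_REFERER option or as an explicit "Referer:" line in CURLOPT_HTTPHEADER. If the server still answers 403 after that, the filter's actual rules differ from this model and need to be read from the server side; the model only encodes the same-origin case.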
