Hi Dan,
On Tue, Sep 2, 2014 at 12:19 PM, Daniel Mikusa <dmik...@pivotal.io> wrote:
>
>
> I tried adding this to my manager app and it was triggering a 403. A quick
> investigation showed the 403 was coming from the CRF filter (i.e. 403 with
> direct access, success with nonce in the URL). Maybe you're seeing the
> same thing?
>
>

Hi Daniel,

Did you succeed when you used curl on the localhost running the Tomcat service?
So in order to get a nonce in the URL, did you first log in? If you can list the steps you followed, then I'd appreciate it.

Running Tomcat in DEBUG mode, although it says the following, I still get a 403.

2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- No applicable constraint located
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.authenticator.AuthenticatorBase- Not subject to any constraint
:

Below is the DEBUG snippet for the request:

----------------- Tomcat Debug log snippet:------------
2014-09-02 16:24:48,418 [catalina-exec-3] DEBUG org.apache.catalina.connector.CoyoteAdapter- The variable [uriBC] has value [/manager/heapused.jsp]
2014-09-02 16:24:48,418 [catalina-exec-3] DEBUG org.apache.catalina.connector.CoyoteAdapter- The variable [semicolon] has value [-1]
2014-09-02 16:24:48,418 [catalina-exec-3] DEBUG org.apache.catalina.connector.CoyoteAdapter- The variable [enc] has value [UTF-8]
2014-09-02 16:24:48,419 [catalina-exec-3] DEBUG org.apache.catalina.authenticator.AuthenticatorBase- Security checking request GET /manager/heapused.jsp
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /heapused.jsp --> false
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- No applicable constraint located
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.authenticator.AuthenticatorBase- Not subject to any constraint
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.tomcat.util.http.Parameters- Set encoding to UTF-8
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- JspEngine --> /WEB-INF/jsp/403.jsp
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- ServletPath: /WEB-INF/jsp/403.jsp
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- PathInfo: null
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- RealPath: /opt/tomcat/mgmt/apache/webapps/manager/WEB-INF/jsp/403.jsp
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- RequestURI: /manager/WEB-INF/jsp/403.jsp
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- QueryString: null
2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG org.apache.catalina.loader.WebappClassLoader- loadClass(hudson.util.SequentialExecutionQueue$QueueEntry, false)
2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG org.apache.catalina.loader.WebappClassLoader- Searching local repositories
2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG org.apache.catalina.loader.WebappClassLoader- findClass(hudson.util.SequentialExecutionQueue$QueueEntry)
2014-09-02 16:24:48,428 [Jenkins cron thread] DEBUG org.apache.catalina.loader.WebappClassLoader- Loading class from local repository
2014-09-02 16:24:48,429 [SCM polling for hudson.model.FreeStyleProject@424e94d5[vgn-ext-templating]] DEBUG org.apache.catalina.loader.WebappClassLoader- loadClass(jenkins.model.lazy.AbstractLazyLoadRunMap$Direction, false)
----------end of snippet-----------------------------------------

Thanks,
-Shanti
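
A triage sketch for the kind of debug log quoted above, added here as an example; it is not part of the original message and not Tomcat code. It groups lines by worker thread and reports whether the 403 error page was served after the authenticator had already found no applicable constraint, which points at a filter or servlet (such as the CSRF filter mentioned in the quoted reply) rather than a `<security-constraint>`. The names `triage` and `SAMPLE_LOG` are hypothetical, and the sample is constructed by abridging the log format shown in the message.

```python
import re

# Constructed sample, abridged from the log format quoted in the message above.
SAMPLE_LOG = """\
2014-09-02 16:24:48,419 [catalina-exec-3] DEBUG org.apache.catalina.authenticator.AuthenticatorBase- Security checking request GET /manager/heapused.jsp
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.realm.RealmBase- No applicable constraint located
2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG org.apache.catalina.authenticator.AuthenticatorBase- Not subject to any constraint
2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG org.apache.jasper.servlet.JspServlet- ServletPath: /WEB-INF/jsp/403.jsp
2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG org.apache.catalina.loader.WebappClassLoader- Searching local repositories
"""

LINE = re.compile(r"^\S+ \S+ \[(?P<thread>.+?)\] DEBUG (?P<logger>[\w.$]+)- (?P<msg>.*)$")

def triage(log_text):
    """Return one dict per request: which stage, if any, produced the 403."""
    current = {}   # thread name -> request currently being handled on it
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, logger, msg = m["thread"], m["logger"], m["msg"]
        if logger.endswith("AuthenticatorBase") and msg.startswith("Security checking request "):
            method, uri = msg[len("Security checking request "):].split(" ", 1)
            current[thread] = {"thread": thread, "method": method, "uri": uri,
                               "constrained": None, "error_page": None, "verdict": "no 403 seen"}
            results.append(current[thread])
            continue
        req = current.get(thread)
        if req is None:
            continue   # threads that never opened a request (e.g. Jenkins) are ignored
        if logger.endswith("AuthenticatorBase") and msg.startswith("Not subject to any constraint"):
            req["constrained"] = False
        # Assumption: a matching constraint is logged as "--> true", by analogy with "--> false".
        elif logger.endswith("RealmBase") and msg.startswith("Checking constraint") and msg.endswith("--> true"):
            req["constrained"] = True
        elif logger.endswith("JspServlet") and msg.startswith("ServletPath: ") and msg.endswith("/403.jsp"):
            req["error_page"] = msg[len("ServletPath: "):]
            req["verdict"] = ("403 raised after the authenticator (filter or servlet)"
                              if req["constrained"] is False
                              else "403 may come from a security constraint")
    return results
```
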