On Tue, Sep 2, 2014 at 4:41 PM, Shanti Suresh <sha...@umich.edu> wrote:

> Hi Dan,
>
>
> On Tue, Sep 2, 2014 at 12:19 PM, Daniel Mikusa <dmik...@pivotal.io> wrote:
>
> >
> >
> > I tried adding this to my manager app and it was triggering a 403.  A
> > quick investigation showed the 403 was coming from the CSRF filter (i.e.
> > 403 with direct access, success with nonce in the URL).  Maybe you're
> > seeing the same thing?
> >
> Hi Daniel,
>
> Did you succeed when you used curl on the localhost running the Tomcat
> service?


I didn't try curl.  I believe it should work, assuming you send the right
nonce.


> So in order to get a nonce in the URL, did you first log in?


Yes, but that was just because it was the quickest way to get a nonce to
test.  I just copied and pasted it.

Another way to get the nonce would be to create a page like "links.jsp".
On that page, you could just output the links.

Ex:

  <%= response.encodeURL("heapused.jsp") %>

As long as you're using "response.encodeURL", the nonce will be
automatically added to the link.  The only other thing you need to do is to
add "/links.jsp" (or whatever URL you expose) to the "entryPoints"
parameter of the CsrfPreventionFilter in web.xml (for the manager app).
You could then modify your script to hit the link and grab the list of
URLs with nonce included.

I suppose you could also just list your custom JSP pages as entryPoints,
however that's going to bypass the CsrfPreventionFilter for them.  Please
note the caution provided in the entry points documentation "Entry points
will be limited to HTTP GET requests and should not trigger any security
sensitive actions."

Also, if you don't care you could just remove the CsrfPreventionFilter, but
it's not something I would recommend.

Dan


> If you can list the steps you followed, then I'd appreciate it.
>
> Running Tomcat in DEBUG mode, although it says the following, I still get a
> 403.
>
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   No applicable constraint located
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.authenticator.AuthenticatorBase-  Not subject to any
> constraint
> :
>
> Below is the DEBUG snippet for the request:
>
>     -----------------  Tomcat Debug log snippet:------------
> 2014-09-02 16:24:48,418 [catalina-exec-3] DEBUG
> org.apache.catalina.connector.CoyoteAdapter- The variable [uriBC] has value
> [/manager/heapused.jsp]
> 2014-09-02 16:24:48,418 [catalina-exec-3] DEBUG
> org.apache.catalina.connector.CoyoteAdapter- The variable [semicolon] has
> value [-1]
> 2014-09-02 16:24:48,418 [catalina-exec-3] DEBUG
> org.apache.catalina.connector.CoyoteAdapter- The variable [enc] has value
> [UTF-8]
> 2014-09-02 16:24:48,419 [catalina-exec-3] DEBUG
> org.apache.catalina.authenticator.AuthenticatorBase- Security checking
> request GET /manager/heapused.jsp
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[HTML Manager interface (for humans)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp -->
> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Text Manager interface (for scripts)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[HTML Manager interface (for humans)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp -->
> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Text Manager interface (for scripts)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Status interface]' against GET /heapused.jsp -->
> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[HTML Manager interface (for humans)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp -->
> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Text Manager interface (for scripts)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Status interface]' against GET /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[HTML Manager interface (for humans)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[JMX Proxy interface]' against GET /heapused.jsp -->
> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   Checking constraint
> 'SecurityConstraint[Text Manager interface (for scripts)]' against GET
> /heapused.jsp --> false
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.realm.RealmBase-   No applicable constraint located
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.catalina.authenticator.AuthenticatorBase-  Not subject to any
> constraint
> 2014-09-02 16:24:48,420 [catalina-exec-3] DEBUG
> org.apache.tomcat.util.http.Parameters- Set encoding to UTF-8
> 2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG
> org.apache.jasper.servlet.JspServlet- JspEngine --> /WEB-INF/jsp/403.jsp
> 2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG
> org.apache.jasper.servlet.JspServlet-        ServletPath:
> /WEB-INF/jsp/403.jsp
> 2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG
> org.apache.jasper.servlet.JspServlet-           PathInfo: null
> 2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG
> org.apache.jasper.servlet.JspServlet-           RealPath:
> /opt/tomcat/mgmt/apache/webapps/manager/WEB-INF/jsp/403.jsp
> 2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG
> org.apache.jasper.servlet.JspServlet-         RequestURI:
> /manager/WEB-INF/jsp/403.jsp
> 2014-09-02 16:24:48,425 [catalina-exec-3] DEBUG
> org.apache.jasper.servlet.JspServlet-        QueryString: null
> 2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG
> org.apache.catalina.loader.WebappClassLoader-
> loadClass(hudson.util.SequentialExecutionQueue$QueueEntry, false)
> 2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG
> org.apache.catalina.loader.WebappClassLoader-   Searching local
> repositories
> 2014-09-02 16:24:48,427 [Jenkins cron thread] DEBUG
> org.apache.catalina.loader.WebappClassLoader-
> findClass(hudson.util.SequentialExecutionQueue$QueueEntry)
> 2014-09-02 16:24:48,428 [Jenkins cron thread] DEBUG
> org.apache.catalina.loader.WebappClassLoader-   Loading class from local
> repository
> 2014-09-02 16:24:48,429 [SCM polling for
> hudson.model.FreeStyleProject@424e94d5[vgn-ext-templating]] DEBUG
> org.apache.catalina.loader.WebappClassLoader-
> loadClass(jenkins.model.lazy.AbstractLazyLoadRunMap$Direction, false)
> ----------end of snippet-----------------------------------------
>
>
> Thanks,
>                       -Shanti
>

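An added worked example of the flow Dan describes above, written for this page and not code from the thread or from Tomcat itself: a simplified model of the CsrfPreventionFilter decision (entry points honoured only for GET, presented nonce looked up in a small per-session cache), the rewrite response.encodeURL() performs once the filter is active, and the link-scraping step a script would do against a links.jsp entry point. The nonce parameter name is Tomcat's documented default (org.apache.catalina.filters.CSRF_NONCE); the entry-point path, the page HTML, the cache size and the session handling are constructed for the example and are not Tomcat's implementation.

```python
"""Simplified model of Tomcat's CsrfPreventionFilter flow (added example)."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
import secrets

# Tomcat's documented default request-parameter name for the nonce.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


class CsrfGate:
    """Per-session nonce cache plus the allow/deny decision (constructed model)."""

    def __init__(self, entry_points, nonce_cache_size=5):
        self.entry_points = set(entry_points)         # e.g. {"/links.jsp"}
        self.nonces = deque(maxlen=nonce_cache_size)  # most recent nonces only

    def check(self, method, path, query=""):
        """Return 200 if the request may proceed, 403 if the filter rejects it."""
        presented = parse_qs(query).get(NONCE_PARAM, [None])[0]
        # Entry points skip the nonce check, but only for GET (per the docs).
        is_entry = method == "GET" and path in self.entry_points
        if not is_entry and presented not in self.nonces:
            return 403
        return 200

    def issue_nonce(self):
        """Mint a fresh nonce for the session; old ones fall out of the cache."""
        nonce = secrets.token_hex(16)
        self.nonces.append(nonce)
        return nonce

    def encode_url(self, url, nonce):
        """What response.encodeURL() does to a link once the filter is active."""
        sep = "&" if "?" in url else "?"
        return f"{url}{sep}{NONCE_PARAM}={nonce}"


class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def nonced_links(html):
    """Return {path: nonce} for every link on an entry-point page that carries one."""
    parser = _LinkParser()
    parser.feed(html)
    found = {}
    for href in parser.hrefs:
        parts = urlsplit(href)
        nonce = parse_qs(parts.query).get(NONCE_PARAM, [None])[0]
        if nonce:
            found[parts.path] = nonce
    return found


def walkthrough():
    """Replay the thread's scenario; returns the status each step would get."""
    gate = CsrfGate(entry_points={"/links.jsp"})
    results = {}
    # 1. Direct GET with no nonce: what the curl/script in the thread saw.
    results["direct"] = gate.check("GET", "/heapused.jsp")
    # 2. Script fetches the entry point; the server renders links via encodeURL().
    results["entry"] = gate.check("GET", "/links.jsp")
    nonce = gate.issue_nonce()
    page = "<html><body><a href='%s'>heap</a></body></html>" % gate.encode_url(
        "heapused.jsp", nonce)  # constructed links.jsp output
    links = nonced_links(page)
    # 3. Follow the scraped, nonced link.
    results["nonced"] = gate.check(
        "GET", "/heapused.jsp", f"{NONCE_PARAM}={links['heapused.jsp']}")
    # 4. A guessed nonce the session never issued is still rejected.
    results["forged"] = gate.check("GET", "/heapused.jsp", f"{NONCE_PARAM}=deadbeef")
    # 5. Entry points are GET-only: a POST to one still needs a nonce.
    results["post_entry"] = gate.check("POST", "/links.jsp")
    return results


if __name__ == "__main__":
    for step, status in walkthrough().items():
        print(f"{step:>10}: {status}")
```

The eviction behaviour is the part scripts usually trip over: each entry-point hit mints a new nonce and the cache keeps only the last few, so a nonce copied from a browser session hours earlier will 403 even though it once worked. A script should scrape a fresh nonce on every run rather than hard-coding one.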