Hi Anupama,
On Tue, Jun 7, 2016 at 8:45 PM, Anupama Pathirage <anup...@wso2.com> wrote:
> Hi Kalpa,
>
> Checked the suggested approaches and those two issues were resolved after
> applying both changes. We will further test the service with the Carbon RC2.
>
> On Tue, Jun 7, 2016 at 6:15 PM, Kalpa Welivitigoda <kal...@wso2.com>
> wrote:
>
>> Hi Anupama,
>>
>> On Tue, Jun 7, 2016 at 5:50 PM, Anupama Pathirage <anup...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> We got the following issues when testing WSO2 DSS with the Kernel RC2
>>> Release.
>>>
>>> *1) *Any action on management console gives the following error. It
>>> seems to be related with the tomcat upgrade and appreciate your input on
>>> this.
>>>
>>> [2016-06-07 17:21:16,905] ERROR
>>> {org.apache.coyote.AbstractProtocol$AbstractConnectionHandler} - Error
>>> reading request, ignored
>>> java.lang.NoSuchMethodError: org.apache.coyote.Request.getBytesRead()I
>>> at org.apache.coyote.RequestInfo.updateCounters(RequestInfo.java:143)
>>> at org.apache.coyote.Request.updateCounters(Request.java:533)
>>> at
>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1140)
>>> at
>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>> at
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
>>> at
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> at
>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>
>> Yes, it is due to the tomcat upgrade in kernel, relevant fixes for
>> carbon-deployment are already there in 4.6.2-SNAPSHOT. We have to do a
>> deployment release once we release 4.4.6-SNAPSHOT. For the moment, for
>> testing purpose, is it possible you try with 4.6.2-SNAPSHOT?
>>
>
> Could you please do the needful to release the carbon-deployment 4.6.2 as
> DSS 3.5.1 release will be on hold until it is done.
>
Yes, we will be doing component released once we are done with kernel 4.4.6.
>
>
>>
>>
>>>
>>> *2) *DBS file uploads gives the following error which returns Error 403
>>> - Forbidden
>>>
>>> [2016-06-07 17:21:16,904] WARN {org.owasp.csrfguard.log.JavaLogger} -
>>> potential cross-site request forgery (CSRF) attack thwarted
>>> (user:<anonymous>, ip:10.100.7.118, method:POST,
>>> uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required
>>> token is missing from the request)
>>>
>>>
>> For this would you please try with adding the following line to
>> repository/conf/security/Owasp.CsrfGuard.Carbon.properties,
>>
>> org.owasp.csrfguard.unprotected.FileUpload=%servletContext%/fileupload/*
>>
>
> Is excluding these patterns from CSRF protection recommended ?
>
>
That we need to discuss with security experts and decide, I just wanted to
verify that this is an option to solve the issue.
> Regards,
> Anupama
>
>>
>>
>>
>>> Regards,
>>>
>>> On Tue, Jun 7, 2016 at 4:46 PM, KasunG Gajasinghe <kas...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> Others, please continue to testing the pack and report all the issues
>>>> so we can check and fix.
>>>>
>>>> On Tue, Jun 7, 2016 at 2:31 PM, Kasun Bandara <kas...@wso2.com> wrote:
>>>>
>>>>> Hi Niranjan,
>>>>>
>>>>> Created [1] to track the equivalent Carbon JIRA.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/CARBON-15938
>>>>>
>>>>> Thanks,
>>>>> Kasun.
>>>>>
>>>>> On Tue, Jun 7, 2016 at 2:23 PM, Niranjan Karunanandham <
>>>>> niran...@wso2.com> wrote:
>>>>>
>>>>>> Hi KasunB,
>>>>>>
>>>>>> Please create an equivalent JIRA in Kernel in-order to track this.
>>>>>>
>>>>>> Regards,
>>>>>> Nira
>>>>>>
>>>>>> On Tue, Jun 7, 2016 at 2:11 PM, Kasun Bandara <kas...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> We are having L1 reported in [1] and will be a blocker for IS.
>>>>>>> Please hold off the vote proceedings until we find out the root cause of
>>>>>>> the issue. Most probably this issue must be originated from user core.
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kasun.
>>>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4656
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jun 7, 2016 at 11:45 AM, KasunG Gajasinghe <kas...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Viraj,
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jun 7, 2016 at 10:12 AM, Viraj Senevirathne <
>>>>>>>> vir...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Kalpa,
>>>>>>>>>
>>>>>>>>> I tried to build product-esb with kernel RC2 but it failed as
>>>>>>>>> package org.apache.velocity 0.0.0 dependency could not be found.
>>>>>>>>>
>>>>>>>>> *Installation failed.*
>>>>>>>>> *Cannot complete the install because one or more required items
>>>>>>>>> could not be found.*
>>>>>>>>> * Software being installed: WSO2 Carbon - Mediators Feature
>>>>>>>>> 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.feature.group
>>>>>>>>> 4.6.1.SNAPSHOT)*
>>>>>>>>> * Missing requirement: bsf-all 3.0.0.wso2v5 (bsf-all 3.0.0.wso2v5)
>>>>>>>>> requires 'package org.apache.velocity 0.0.0' but it could not be
>>>>>>>>> found*
>>>>>>>>> * Cannot satisfy dependency:*
>>>>>>>>> * From: WSO2 Carbon - Mediators Feature 4.6.1.SNAPSHOT
>>>>>>>>> (org.wso2.carbon.mediators.feature.group 4.6.1.SNAPSHOT)*
>>>>>>>>> * To: org.wso2.carbon.mediators.server.feature.group
>>>>>>>>> [4.6.1.SNAPSHOT]*
>>>>>>>>> * Cannot satisfy dependency:*
>>>>>>>>> * From: WSO2 Carbon - All Mediators Server Feature 4.6.1.SNAPSHOT
>>>>>>>>> (org.wso2.carbon.mediators.server.feature.group 4.6.1.SNAPSHOT)*
>>>>>>>>> * To: bsf-all [3.0.0.wso2v5,3.1.0)*
>>>>>>>>> *Application failed, log file location:
>>>>>>>>> /home/virajrs/.m2/repository/org/eclipse/tycho/tycho-p2-runtime/0.13.0/eclipse/configuration/1465274241567.log*
>>>>>>>>>
>>>>>>>>> How can we overcome this?
>>>>>>>>>
>>>>>>>>
>>>>>>>> To fix security vulnerabilities, we have upgraded the opensaml
>>>>>>>> orbit bundle to the latest. In that process, IS folks have fixed
>>>>>>>> issues in
>>>>>>>> the old opensaml orbit to conform to the new orbit guidelines. In that
>>>>>>>> process, the org.apache.velocity packages were removed from opensaml.
>>>>>>>> If
>>>>>>>> you need opensaml, then you should include this feature [1].
>>>>>>>>
>>>>>>>> You shouldn't be using velocity packages directly that is coming
>>>>>>>> from opensaml. If you only need velocity, then your feature need to
>>>>>>>> include
>>>>>>>> velocity orbit.
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/master/features/org.wso2.carbon.identity.sso.saml.server.feature/pom.xml
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thank You,
>>>>>>>>>
>>>>>>>>> On Tue, Jun 7, 2016 at 8:32 AM, Kalpa Welivitigoda <
>>>>>>>>> kal...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Devs,
>>>>>>>>>>
>>>>>>>>>> This is the 2nd release candidate of WSO2 Carbon Kernel 4.4.6.
>>>>>>>>>>
>>>>>>>>>> This release fixes the following issues:
>>>>>>>>>> https://wso2.org/jira/issues/?filter=13090
>>>>>>>>>>
>>>>>>>>>> Please download and test your products with kernel 4.4.6 RC1 and
>>>>>>>>>> vote. Vote will be open for 72 hours or as longer as needed.
>>>>>>>>>>
>>>>>>>>>> Source and binary distribution files:
>>>>>>>>>>
>>>>>>>>>> http://svn.wso2.org/repos/wso2/people/kalpaw/wso2carbon-4.4.6/wso2carbon-4.4.6-rc2.zip
>>>>>>>>>>
>>>>>>>>>> Maven staging repository:
>>>>>>>>>>
>>>>>>>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1023/
>>>>>>>>>>
>>>>>>>>>> The tag to be voted upon:
>>>>>>>>>> https://github.com/wso2/carbon-kernel/tree/v4.4.6-rc2
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [ ] Broken - do not release (explain why)
>>>>>>>>>> [ ] Stable - go ahead and release
>>>>>>>>>>
>>>>>>>>>> Thank you
>>>>>>>>>> Carbon Team
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Best Regards,
>>>>>>>>>>
>>>>>>>>>> Kalpa Welivitigoda
>>>>>>>>>> Software Engineer, WSO2 Inc. http://wso2.com
>>>>>>>>>> Email: kal...@wso2.com
>>>>>>>>>> Mobile: +94776509215
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Dev mailing list
>>>>>>>>>> Dev@wso2.org
>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Viraj Senevirathne
>>>>>>>>> Software Engineer; WSO2, Inc.
>>>>>>>>>
>>>>>>>>> Mobile : +94 71 958 0269
>>>>>>>>> Email : vir...@wso2.com
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> Dev@wso2.org
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Kasun Gajasinghe*Associate Technical Lead, WSO2 Inc.
>>>>>>>> email: kasung AT spamfree wso2.com
>>>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>>>> blog: http://kasunbg.org
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> Dev@wso2.org
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Kasun Bandara
>>>>>>> *Software Engineer*
>>>>>>> Mobile : +94 (0) 718 338 360
>>>>>>> <%2B94%20%280%29%20773%20451194>
>>>>>>> kas...@wso2.com <thili...@wso2.com>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>>
>>>>>> *Niranjan Karunanandham*
>>>>>> Associate Technical Lead - WSO2 Inc.
>>>>>> WSO2 Inc.: http://www.wso2.com
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kasun Bandara
>>>>> *Software Engineer*
>>>>> Mobile : +94 (0) 718 338 360
>>>>> <%2B94%20%280%29%20773%20451194>
>>>>> kas...@wso2.com <thili...@wso2.com>
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Kasun Gajasinghe*Associate Technical Lead, WSO2 Inc.
>>>> email: kasung AT spamfree wso2.com
>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>> blog: http://kasunbg.org
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Anupama Pathirage
>>> Associate Technical Lead
>>> WSO2, Inc. http://wso2.com/
>>> Email: anup...@wso2.com
>>> Mobile:+94 71 8273 979
>>> Blog:http://mycodeideas.blogspot.com/
>>>
>>>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Best Regards,
>>
>> Kalpa Welivitigoda
>> Software Engineer, WSO2 Inc. http://wso2.com
>> Email: kal...@wso2.com
>> Mobile: +94776509215
>>
>
>
>
> --
> Anupama Pathirage
> Associate Technical Lead
> WSO2, Inc. http://wso2.com/
> Email: anup...@wso2.com
> Mobile:+94 71 8273 979
> Blog:http://mycodeideas.blogspot.com/
>
>
>
--
Best Regards,
Kalpa Welivitigoda
Software Engineer, WSO2 Inc. http://wso2.com
Email: kal...@wso2.com
Mobile: +94776509215
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
