Hi Kalpa,

Thanks for the update. Please update us with the solution for the CSRF security issue. We get the same issue for the DSS Try it as well.

[2016-06-08 11:55:28,396] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)
Private proxy protocol will be attempted as cross-domain browser restrictions might be enforced for this endpoint.
<TryitClient xmlns="http://tryit.carbon.wso2.org">
  <Reason>Error connecting to the Tryit ajax proxy</Reason>
</TryitClient>

Regards,

On Wed, Jun 8, 2016 at 8:45 AM, Kasun Bandara <kas...@wso2.com> wrote:
> Hi All,
>
> We have done the fix for L1 reported in [1] yesterday.
>
> Thanks,
> Kasun.
>
> [1] https://wso2.org/jira/browse/IDENTITY-4656
>
> On Wed, Jun 8, 2016 at 7:00 AM, Kalpa Welivitigoda <kal...@wso2.com> wrote:
>> Hi Anupama,
>>
>> On Tue, Jun 7, 2016 at 8:45 PM, Anupama Pathirage <anup...@wso2.com> wrote:
>>> Hi Kalpa,
>>>
>>> Checked the suggested approaches and those two issues were resolved after applying both changes. We will further test the service with the Carbon RC2.
>>>
>>> On Tue, Jun 7, 2016 at 6:15 PM, Kalpa Welivitigoda <kal...@wso2.com> wrote:
>>>> Hi Anupama,
>>>>
>>>> On Tue, Jun 7, 2016 at 5:50 PM, Anupama Pathirage <anup...@wso2.com> wrote:
>>>>> Hi,
>>>>>
>>>>> We got the following issues when testing WSO2 DSS with the Kernel RC2 Release.
>>>>>
>>>>> 1) Any action on the management console gives the following error. It seems to be related to the Tomcat upgrade, and we would appreciate your input on this.
>>>>>
>>>>> [2016-06-07 17:21:16,905] ERROR {org.apache.coyote.AbstractProtocol$AbstractConnectionHandler} - Error reading request, ignored
>>>>> java.lang.NoSuchMethodError: org.apache.coyote.Request.getBytesRead()I
>>>>>         at org.apache.coyote.RequestInfo.updateCounters(RequestInfo.java:143)
>>>>>         at org.apache.coyote.Request.updateCounters(Request.java:533)
>>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1140)
>>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
>>>>>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>
>>>> Yes, it is due to the Tomcat upgrade in the kernel; the relevant fixes for carbon-deployment are already there in 4.6.2-SNAPSHOT. We have to do a deployment release once we release 4.4.6-SNAPSHOT. For the moment, for testing purposes, is it possible you try with 4.6.2-SNAPSHOT?
>>>
>>> Could you please do the needful to release carbon-deployment 4.6.2, as the DSS 3.5.1 release will be on hold until it is done.
>>
>> Yes, we will be doing component releases once we are done with kernel 4.4.6.
>>
>>>>> 2) DBS file uploads give the following error, which returns Error 403 - Forbidden
>>>>>
>>>>> [2016-06-07 17:21:16,904] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)
>>>>
>>>> For this, would you please try adding the following line to repository/conf/security/Owasp.CsrfGuard.Carbon.properties:
>>>>
>>>> org.owasp.csrfguard.unprotected.FileUpload=%servletContext%/fileupload/*
>>>
>>> Is excluding these patterns from CSRF protection recommended?
>>
>> That we need to discuss with security experts and decide; I just wanted to verify that this is an option to solve the issue.
>>
>>> Regards,
>>> Anupama
>>>
>>>>> Regards,
>>>>>
>>>>> On Tue, Jun 7, 2016 at 4:46 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>>>>>> Others, please continue testing the pack and report all the issues so we can check and fix.
>>>>>>
>>>>>> On Tue, Jun 7, 2016 at 2:31 PM, Kasun Bandara <kas...@wso2.com> wrote:
>>>>>>> Hi Niranjan,
>>>>>>>
>>>>>>> Created [1] to track the equivalent Carbon JIRA.
>>>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/CARBON-15938
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kasun.
>>>>>>>
>>>>>>> On Tue, Jun 7, 2016 at 2:23 PM, Niranjan Karunanandham <niran...@wso2.com> wrote:
>>>>>>>> Hi KasunB,
>>>>>>>>
>>>>>>>> Please create an equivalent JIRA in Kernel in order to track this.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Nira
>>>>>>>>
>>>>>>>> On Tue, Jun 7, 2016 at 2:11 PM, Kasun Bandara <kas...@wso2.com> wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> We are having L1 reported in [1] and it will be a blocker for IS. Please hold off the vote proceedings until we find out the root cause of the issue. Most probably this issue originated from user core.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Kasun.
>>>>>>>>>
>>>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4656
>>>>>>>>>
>>>>>>>>> On Tue, Jun 7, 2016 at 11:45 AM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>>>>>>>>>> Hi Viraj,
>>>>>>>>>>
>>>>>>>>>> On Tue, Jun 7, 2016 at 10:12 AM, Viraj Senevirathne <vir...@wso2.com> wrote:
>>>>>>>>>>> Hi Kalpa,
>>>>>>>>>>>
>>>>>>>>>>> I tried to build product-esb with kernel RC2 but it failed as the package org.apache.velocity 0.0.0 dependency could not be found.
>>>>>>>>>>>
>>>>>>>>>>> Installation failed.
>>>>>>>>>>> Cannot complete the install because one or more required items could not be found.
>>>>>>>>>>>   Software being installed: WSO2 Carbon - Mediators Feature 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.feature.group 4.6.1.SNAPSHOT)
>>>>>>>>>>>   Missing requirement: bsf-all 3.0.0.wso2v5 (bsf-all 3.0.0.wso2v5) requires 'package org.apache.velocity 0.0.0' but it could not be found
>>>>>>>>>>>   Cannot satisfy dependency:
>>>>>>>>>>>     From: WSO2 Carbon - Mediators Feature 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.feature.group 4.6.1.SNAPSHOT)
>>>>>>>>>>>     To: org.wso2.carbon.mediators.server.feature.group [4.6.1.SNAPSHOT]
>>>>>>>>>>>   Cannot satisfy dependency:
>>>>>>>>>>>     From: WSO2 Carbon - All Mediators Server Feature 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.server.feature.group 4.6.1.SNAPSHOT)
>>>>>>>>>>>     To: bsf-all [3.0.0.wso2v5,3.1.0)
>>>>>>>>>>> Application failed, log file location: /home/virajrs/.m2/repository/org/eclipse/tycho/tycho-p2-runtime/0.13.0/eclipse/configuration/1465274241567.log
>>>>>>>>>>>
>>>>>>>>>>> How can we overcome this?
>>>>>>>>>>
>>>>>>>>>> To fix security vulnerabilities, we have upgraded the opensaml orbit bundle to the latest. In that process, IS folks have fixed issues in the old opensaml orbit to conform to the new orbit guidelines. In that process, the org.apache.velocity packages were removed from opensaml. If you need opensaml, then you should include this feature [1].
>>>>>>>>>>
>>>>>>>>>> You shouldn't be using velocity packages directly that come from opensaml. If you only need velocity, then your feature needs to include the velocity orbit.
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/master/features/org.wso2.carbon.identity.sso.saml.server.feature/pom.xml
>>>>>>>>>>
>>>>>>>>>>> Thank You,
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jun 7, 2016 at 8:32 AM, Kalpa Welivitigoda <kal...@wso2.com> wrote:
>>>>>>>>>>>> Hi Devs,
>>>>>>>>>>>>
>>>>>>>>>>>> This is the 2nd release candidate of WSO2 Carbon Kernel 4.4.6.
>>>>>>>>>>>>
>>>>>>>>>>>> This release fixes the following issues:
>>>>>>>>>>>> https://wso2.org/jira/issues/?filter=13090
>>>>>>>>>>>>
>>>>>>>>>>>> Please download and test your products with kernel 4.4.6 RC1 and vote. The vote will be open for 72 hours or as long as needed.
>>>>>>>>>>>>
>>>>>>>>>>>> Source and binary distribution files:
>>>>>>>>>>>> http://svn.wso2.org/repos/wso2/people/kalpaw/wso2carbon-4.4.6/wso2carbon-4.4.6-rc2.zip
>>>>>>>>>>>>
>>>>>>>>>>>> Maven staging repository:
>>>>>>>>>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1023/
>>>>>>>>>>>>
>>>>>>>>>>>> The tag to be voted upon:
>>>>>>>>>>>> https://github.com/wso2/carbon-kernel/tree/v4.4.6-rc2
>>>>>>>>>>>>
>>>>>>>>>>>> [ ] Broken - do not release (explain why)
>>>>>>>>>>>> [ ] Stable - go ahead and release
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you
>>>>>>>>>>>> Carbon Team
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> Kalpa Welivitigoda
>>>>>>>>>>>> Software Engineer, WSO2 Inc. http://wso2.com
>>>>>>>>>>>> Email: kal...@wso2.com
>>>>>>>>>>>> Mobile: +94776509215
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Dev mailing list
>>>>>>>>>>>> Dev@wso2.org
>>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Viraj Senevirathne
>>>>>>>>>>> Software Engineer; WSO2, Inc.
>>>>>>>>>>> Mobile : +94 71 958 0269
>>>>>>>>>>> Email : vir...@wso2.com
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Kasun Gajasinghe
>>>>>>>>>> Associate Technical Lead, WSO2 Inc.
>>>>>>>>>> email: kasung AT spamfree wso2.com
>>>>>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>>>>>> blog: http://kasunbg.org
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Kasun Bandara
>>>>>>>>> Software Engineer
>>>>>>>>> Mobile : +94 (0) 718 338 360
>>>>>>>>> kas...@wso2.com
>>>>>>>>
>>>>>>>> --
>>>>>>>> Niranjan Karunanandham
>>>>>>>> Associate Technical Lead - WSO2 Inc.
>>>>>>>> WSO2 Inc.: http://www.wso2.com
>>>>>
>>>>> --
>>>>> Anupama Pathirage
>>>>> Associate Technical Lead
>>>>> WSO2, Inc. http://wso2.com/
>>>>> Email: anup...@wso2.com
>>>>> Mobile: +94 71 8273 979
>>>>> Blog: http://mycodeideas.blogspot.com/
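Kalpa's proposed `org.owasp.csrfguard.unprotected.FileUpload` line and Anupama's question about whether excluding paths from CSRF protection is advisable both come down to one check: exactly which request URIs a given exclusion exempts from the token requirement. The following Python example is added here and is not code from the thread, from WSO2 or from OWASP CSRFGuard; it models a simplified matcher that assumes `/carbon` as the servlet context path and treats a trailing `/*` as a path-prefix wildcard, and it runs that matcher over constructed log lines modelled on the two CSRFGuard warnings quoted above (the `/carbon/fileupload/service` URI is hypothetical).

```python
import re

SERVLET_CONTEXT = "/carbon"  # assumed context path of the Carbon admin console (hypothetical)
PREFIX = "org.owasp.csrfguard.unprotected."
URI_RE = re.compile(r"\buri:(?P<uri>[^,\s)]+)")

# Constructed properties snippet holding only the line proposed in the thread.
PROPERTIES = "org.owasp.csrfguard.unprotected.FileUpload=%servletContext%/fileupload/*\n"

# Constructed log lines modelled on the CSRFGuard warnings in the thread; second URI is hypothetical.
LOG_LINES = [
    "WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack "
    "thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, "
    "uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)",
    "WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack "
    "thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, "
    "uri:/carbon/fileupload/service, error:required token is missing from the request)",
]


def load_unprotected(props, context=SERVLET_CONTEXT):
    """Return {rule name: resolved path pattern} for every unprotected.* key in the properties text."""
    rules = {}
    for line in props.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith(PREFIX):
            rules[key[len(PREFIX):]] = value.strip().replace("%servletContext%", context)
    return rules


def is_unprotected(uri, rules):
    """True when a rule exempts the URI: exact match, or any path at or below a '/*' pattern."""
    for pattern in rules.values():
        if pattern.endswith("/*"):
            base = pattern[:-2]
            if uri == base or uri.startswith(base + "/"):
                return True
        elif uri == pattern:
            return True
    return False


def audit(log_lines, props=PROPERTIES):
    """Map each thwarted request's URI to whether the proposed rules would exempt it."""
    rules = load_unprotected(props)
    verdicts = {}
    for line in log_lines:
        match = URI_RE.search(line)
        if match:
            uri = match.group("uri")
            verdicts[uri] = "exempt" if is_unprotected(uri, rules) else "token required"
    return verdicts
```

Running `audit(LOG_LINES)` shows that the proposed rule exempts only paths under `/carbon/fileupload/`, so the Try it proxy endpoint in the thread would still require a token, and the audit makes it easy to see how wide any broader exclusion would be before adopting it.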