Hi Kalpa,

Thanks for the update. Please update us with the solution for the CSRF
security issue. We get the same issue for the DSS try it as well.

[2016-06-08 11:55:28,396]  WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)

Private proxy protocol will be attempted as cross-domain browser
restrictions might be enforced for this endpoint.

<TryitClient xmlns="http://tryit.carbon.wso2.org">
   <Reason>Error connecting to the Tryit ajax proxy</Reason>
</TryitClient>

Regards,

On Wed, Jun 8, 2016 at 8:45 AM, Kasun Bandara <kas...@wso2.com> wrote:

> Hi All,
>
> We have done the fix for L1 reported in [1] yesterday.
>
> Thanks,
> Kasun.
>
> [1] https://wso2.org/jira/browse/IDENTITY-4656
>
> On Wed, Jun 8, 2016 at 7:00 AM, Kalpa Welivitigoda <kal...@wso2.com>
> wrote:
>
>> Hi Anupama,
>>
>> On Tue, Jun 7, 2016 at 8:45 PM, Anupama Pathirage <anup...@wso2.com>
>> wrote:
>>
>>> Hi Kalpa,
>>>
>>> Checked the suggested approaches and those two issues were resolved
>>> after applying both changes. We will further test the service with the
>>> Carbon RC2.
>>>
>>> On Tue, Jun 7, 2016 at 6:15 PM, Kalpa Welivitigoda <kal...@wso2.com>
>>> wrote:
>>>
>>>> Hi Anupama,
>>>>
>>>> On Tue, Jun 7, 2016 at 5:50 PM, Anupama Pathirage <anup...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We got the following issues when testing WSO2 DSS with the Kernel RC2
>>>>> Release.
>>>>>
>>>>> 1) Any action on the management console gives the following error. It
>>>>> seems to be related to the Tomcat upgrade; we'd appreciate your input on
>>>>> this.
>>>>>
>>>>> [2016-06-07 17:21:16,905] ERROR {org.apache.coyote.AbstractProtocol$AbstractConnectionHandler} - Error reading request, ignored
>>>>> java.lang.NoSuchMethodError: org.apache.coyote.Request.getBytesRead()I
>>>>>     at org.apache.coyote.RequestInfo.updateCounters(RequestInfo.java:143)
>>>>>     at org.apache.coyote.Request.updateCounters(Request.java:533)
>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1140)
>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>
>>>>
>>>> Yes, it is due to the Tomcat upgrade in kernel; the relevant fixes for
>>>> carbon-deployment are already there in 4.6.2-SNAPSHOT. We have to do a
>>>> deployment release once we release 4.4.6-SNAPSHOT. For the moment, for
>>>> testing purposes, is it possible for you to try with 4.6.2-SNAPSHOT?
>>>>
>>>
>>> Could you please do the needful to release carbon-deployment 4.6.2,
>>> as the DSS 3.5.1 release will be on hold until it is done.
>>>
>>
>> Yes, we will be doing component releases once we are done with kernel
>> 4.4.6.
>>
>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> 2) DBS file upload gives the following error, which returns Error
>>>>> 403 - Forbidden
>>>>>
>>>>> [2016-06-07 17:21:16,904]  WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)
>>>>>
>>>>>
>>>> For this, would you please try adding the following line to
>>>> repository/conf/security/Owasp.CsrfGuard.Carbon.properties:
>>>>
>>>> org.owasp.csrfguard.unprotected.FileUpload=%servletContext%/fileupload/*
>>>>
>>>
>>> Is excluding these patterns from CSRF protection recommended?
>>>
>>>
>> That we need to discuss with security experts and decide; I just wanted
>> to verify that this is an option to solve the issue.
>>
>>
>>> Regards,
>>> Anupama
>>>
>>>>
>>>>
>>>>
>>>>> Regards,
>>>>>
>>>>> On Tue, Jun 7, 2016 at 4:46 PM, KasunG Gajasinghe <kas...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> Others, please continue testing the pack and report all the issues
>>>>>> so we can check and fix.
>>>>>>
>>>>>> On Tue, Jun 7, 2016 at 2:31 PM, Kasun Bandara <kas...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Niranjan,
>>>>>>>
>>>>>>> Created [1] to track the equivalent Carbon JIRA.
>>>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/CARBON-15938
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kasun.
>>>>>>>
>>>>>>> On Tue, Jun 7, 2016 at 2:23 PM, Niranjan Karunanandham <
>>>>>>> niran...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi KasunB,
>>>>>>>>
>>>>>>>> Please create an equivalent JIRA in Kernel in order to track this.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Nira
>>>>>>>>
>>>>>>>> On Tue, Jun 7, 2016 at 2:11 PM, Kasun Bandara <kas...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> We have an L1 reported in [1], which will be a blocker for IS.
>>>>>>>>> Please hold off the vote proceedings until we find out the root cause
>>>>>>>>> of the issue. Most probably this issue originated from user core.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Kasun.
>>>>>>>>>
>>>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4656
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jun 7, 2016 at 11:45 AM, KasunG Gajasinghe <
>>>>>>>>> kas...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Viraj,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Jun 7, 2016 at 10:12 AM, Viraj Senevirathne <
>>>>>>>>>> vir...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Kalpa,
>>>>>>>>>>>
>>>>>>>>>>> I tried to build product-esb with kernel RC2, but it failed as the
>>>>>>>>>>> package org.apache.velocity 0.0.0 dependency could not be found.
>>>>>>>>>>>
>>>>>>>>>>> Installation failed.
>>>>>>>>>>> Cannot complete the install because one or more required items could not be found.
>>>>>>>>>>>  Software being installed: WSO2 Carbon - Mediators Feature 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.feature.group 4.6.1.SNAPSHOT)
>>>>>>>>>>>  Missing requirement: bsf-all 3.0.0.wso2v5 (bsf-all 3.0.0.wso2v5) requires 'package org.apache.velocity 0.0.0' but it could not be found
>>>>>>>>>>>  Cannot satisfy dependency:
>>>>>>>>>>>   From: WSO2 Carbon - Mediators Feature 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.feature.group 4.6.1.SNAPSHOT)
>>>>>>>>>>>   To: org.wso2.carbon.mediators.server.feature.group [4.6.1.SNAPSHOT]
>>>>>>>>>>>  Cannot satisfy dependency:
>>>>>>>>>>>   From: WSO2 Carbon - All Mediators Server Feature 4.6.1.SNAPSHOT (org.wso2.carbon.mediators.server.feature.group 4.6.1.SNAPSHOT)
>>>>>>>>>>>   To: bsf-all [3.0.0.wso2v5,3.1.0)
>>>>>>>>>>> Application failed, log file location: /home/virajrs/.m2/repository/org/eclipse/tycho/tycho-p2-runtime/0.13.0/eclipse/configuration/1465274241567.log
>>>>>>>>>>>
>>>>>>>>>>> How can we overcome this?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> To fix security vulnerabilities, we have upgraded the opensaml
>>>>>>>>>> orbit bundle to the latest. In that process, IS folks have fixed
>>>>>>>>>> issues in the old opensaml orbit to conform to the new orbit
>>>>>>>>>> guidelines. In that process, the org.apache.velocity packages were
>>>>>>>>>> removed from opensaml. If you need opensaml, then you should include
>>>>>>>>>> this feature [1].
>>>>>>>>>>
>>>>>>>>>> You shouldn't be using velocity packages directly that come from
>>>>>>>>>> opensaml. If you only need velocity, then your feature needs to
>>>>>>>>>> include the velocity orbit.
>>>>>>>>>>
>>>>>>>>>> [1]
>>>>>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/master/features/org.wso2.carbon.identity.sso.saml.server.feature/pom.xml
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Thank You,
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jun 7, 2016 at 8:32 AM, Kalpa Welivitigoda <
>>>>>>>>>>> kal...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Devs,
>>>>>>>>>>>>
>>>>>>>>>>>> This is the 2nd release candidate of WSO2 Carbon Kernel 4.4.6.
>>>>>>>>>>>>
>>>>>>>>>>>> This release fixes the following issues:
>>>>>>>>>>>> https://wso2.org/jira/issues/?filter=13090
>>>>>>>>>>>>
>>>>>>>>>>>> Please download and test your products with kernel 4.4.6 RC1
>>>>>>>>>>>> and vote. The vote will be open for 72 hours or as long as needed.
>>>>>>>>>>>>
>>>>>>>>>>>> Source and binary distribution files:
>>>>>>>>>>>>
>>>>>>>>>>>> http://svn.wso2.org/repos/wso2/people/kalpaw/wso2carbon-4.4.6/wso2carbon-4.4.6-rc2.zip
>>>>>>>>>>>>
>>>>>>>>>>>> Maven staging repository:
>>>>>>>>>>>>
>>>>>>>>>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1023/
>>>>>>>>>>>>
>>>>>>>>>>>> The tag to be voted upon:
>>>>>>>>>>>> https://github.com/wso2/carbon-kernel/tree/v4.4.6-rc2
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [ ] Broken - do not release (explain why)
>>>>>>>>>>>> [ ] Stable - go ahead and release
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you
>>>>>>>>>>>> Carbon Team
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> Kalpa Welivitigoda
>>>>>>>>>>>> Software Engineer, WSO2 Inc. http://wso2.com
>>>>>>>>>>>> Email: kal...@wso2.com
>>>>>>>>>>>> Mobile: +94776509215
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Dev mailing list
>>>>>>>>>>>> Dev@wso2.org
>>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Viraj Senevirathne
>>>>>>>>>>> Software Engineer; WSO2, Inc.
>>>>>>>>>>>
>>>>>>>>>>> Mobile : +94 71 958 0269
>>>>>>>>>>> Email : vir...@wso2.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> *Kasun Gajasinghe*, Associate Technical Lead, WSO2 Inc.
>>>>>>>>>> email: kasung AT spamfree wso2.com
>>>>>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>>>>>> blog: http://kasunbg.org
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Kasun Bandara
>>>>>>>>> *Software Engineer*
>>>>>>>>> Mobile : +94 (0) 718 338 360
>>>>>>>>> kas...@wso2.com <thili...@wso2.com>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>>
>>>>>>>> *Niranjan Karunanandham*
>>>>>>>> Associate Technical Lead - WSO2 Inc.
>>>>>>>> WSO2 Inc.: http://www.wso2.com
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Kasun Bandara
>>>>>>> *Software Engineer*
>>>>>>> Mobile : +94 (0) 718 338 360
>>>>>>> kas...@wso2.com <thili...@wso2.com>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Kasun Gajasinghe*, Associate Technical Lead, WSO2 Inc.
>>>>>> email: kasung AT spamfree wso2.com
>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>> blog: http://kasunbg.org
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Anupama Pathirage
>>>>> Associate Technical Lead
>>>>> WSO2, Inc.  http://wso2.com/
>>>>> Email: anup...@wso2.com
>>>>> Mobile:+94 71 8273 979
>>>>> Blog:http://mycodeideas.blogspot.com/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards,
>>>>
>>>> Kalpa Welivitigoda
>>>> Software Engineer, WSO2 Inc. http://wso2.com
>>>> Email: kal...@wso2.com
>>>> Mobile: +94776509215
>>>>
>>>
>>>
>>>
>>> --
>>> Anupama Pathirage
>>> Associate Technical Lead
>>> WSO2, Inc.  http://wso2.com/
>>> Email: anup...@wso2.com
>>> Mobile:+94 71 8273 979
>>> Blog:http://mycodeideas.blogspot.com/
>>>
>>>
>>>
>>
>>
>> --
>> Best Regards,
>>
>> Kalpa Welivitigoda
>> Software Engineer, WSO2 Inc. http://wso2.com
>> Email: kal...@wso2.com
>> Mobile: +94776509215
>>
>>
>>
>
>
> --
> Kasun Bandara
> *Software Engineer*
> Mobile : +94 (0) 718 338 360
> kas...@wso2.com <thili...@wso2.com>
>



-- 
Anupama Pathirage
Associate Technical Lead
WSO2, Inc.  http://wso2.com/
Email: anup...@wso2.com
Mobile:+94 71 8273 979
Blog:http://mycodeideas.blogspot.com/
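Kalpa's suggestion above was to exempt `%servletContext%/fileupload/*` from CSRFGuard, and Anupama asked whether such exclusions are recommended. A practical way to answer that is to check exactly which request URIs an exclusion would exempt from token validation before shipping it. The script below is an added example (not WSO2's or CSRFGuard's own code) that parses the `org.owasp.csrfguard.unprotected.*` entries from a properties file and replays the thread's "attack thwarted" log lines against them. It assumes CSRFGuard 3.x matching rules (a value starting with `^` is a regular expression, a value ending with `*` is a prefix match, anything else is an exact match) and that `%servletContext%` expands to `/carbon`; the properties fragment, the `Login` entry and the second log line are constructed for the example.

```python
"""Audit OWASP CSRFGuard exclusion patterns against logged request URIs.

Added example; this is not WSO2's or CSRFGuard's own code. It assumes the
CSRFGuard 3.x rules for org.owasp.csrfguard.unprotected.* values: a value
beginning with '^' is a regular expression, a value ending with '*' is a
prefix match, anything else is an exact match, and %servletContext% is
replaced by the web application's context path (assumed here to be /carbon).
"""
import re

PROPERTY_PREFIX = "org.owasp.csrfguard.unprotected."
CONTEXT_PATH = "/carbon"  # assumption: context path of the management console

# Constructed fragment of a CSRFGuard properties file. The FileUpload line is
# the exclusion proposed in the thread; the Login line is made up for the example.
SAMPLE_PROPERTIES = """
# CSRFGuard exclusions (constructed sample)
org.owasp.csrfguard.unprotected.Login=%servletContext%/admin/login.jsp
org.owasp.csrfguard.unprotected.FileUpload=%servletContext%/fileupload/*
"""

# Constructed log sample: the first line mirrors the warning quoted in the
# thread, the second is a made-up upload request for comparison.
SAMPLE_LOG = """
[2016-06-07 17:21:16,904]  WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)
[2016-06-07 17:25:00,000]  WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/fileupload/service, error:required token is missing from the request)
"""

# Pulls the request URI out of a CSRFGuard "attack thwarted" log line.
LOG_URI = re.compile(r"\buri:(\S+?),")


def parse_unprotected(properties_text, context_path=CONTEXT_PATH):
    """Return {rule name: expanded pattern} for every unprotected.* entry."""
    patterns = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PROPERTY_PREFIX):
            name = key[len(PROPERTY_PREFIX):]
            patterns[name] = value.replace("%servletContext%", context_path)
    return patterns


def uri_matches(pattern, uri):
    """Apply one unprotected pattern to a request URI (assumed CSRFGuard semantics)."""
    if pattern.startswith("^"):
        return re.fullmatch(pattern, uri) is not None
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def exempting_rule(uri, patterns):
    """Name of the first rule that exempts uri from token validation, or None."""
    for name, pattern in patterns.items():
        if uri_matches(pattern, uri):
            return name
    return None


def audit_log(log_text, patterns):
    """Map each thwarted-request URI in the log to the rule that would now exempt it."""
    report = []
    for line in log_text.splitlines():
        match = LOG_URI.search(line)
        if match:
            uri = match.group(1)
            report.append((uri, exempting_rule(uri, patterns)))
    return report


if __name__ == "__main__":
    rules = parse_unprotected(SAMPLE_PROPERTIES)
    for uri, rule in audit_log(SAMPLE_LOG, rules):
        status = f"exempt via '{rule}'" if rule else "still token-protected"
        print(f"{uri}: {status}")
```

Run against the constructed samples, the report shows the made-up `/carbon/fileupload/service` request exempted by the `FileUpload` rule, while the URI actually logged in the thread (`/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp`) is not covered by that rule under the assumed semantics, so it would still need a token. A `/*` rule exempts everything beneath that prefix, which is why reviewing the audit output before committing an exclusion is a reasonable input to the discussion with the security team that Kalpa mentions.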
