Hi Ayoma,

I found this same error after restarting the server. Please find the steps
to reproduce the issue.

1. Start the server.
2. Go to the Management Console, log in and then log out.
3. Don't close the browser window.
4. Restart the server.
5. Open the management console login page in a new browser window.
6. Then try to log in to the management console using the previous browser
window.


Thanks,
Madhawa



On Mon, Jul 11, 2016 at 2:38 PM, Rajith Roshan <raji...@wso2.com> wrote:

> Hi,
> The file upload works fine; this happens only when the session expires. These
> are only the two scenarios I have mentioned above. There can be other scenarios
> as well where this might happen due to session timeout.
>
> Thanks!
> Rajith
>
> On Mon, Jul 11, 2016 at 1:14 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>
>> Hi Rajith,
>>
>> "org.owasp.csrfguard.ValidateWhenNoSessionExists" is only relevant to
>> session timeout scenario Hasintha mentioned.
>>
>> Regarding "/fileupload/resource", please have a look at "Integration
>> Checklist", last item from [1].
>>
>> Let's have a look at "/carbon/generic" URL separately and see what is
>> wrong.
>>
>> [1]
>> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>
>> Best Regards,
>> Ayoma.
>>
>> On Sat, Jul 9, 2016 at 3:05 PM, Rajith Roshan <raji...@wso2.com> wrote:
>>
>>> Hi Ayoma,
>>>
>>> We are facing this issue when uploading a registry resource and uploading
>>> RXTs after the session has expired. We have changed the
>>> "org.owasp.csrfguard.ValidateWhenNoSessionExists" property to false, but
>>> it still gives the following error messages [1],[2]. After reloading the
>>> page, the issue does not happen.
>>>
>>> [1] - WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site
>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100,
>>> method:POST, uri:/carbon/generic/save_artifact_ajaxprocessor.jsp,
>>> error:request token does not match session token)
>>> [2] - WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site
>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100,
>>> method:POST, uri:/fileupload/resource, error:request token does not match
>>> session token)
>>>
>>>
>>> On Fri, Jul 8, 2016 at 8:03 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> We identified that disabling the "ValidateWhenNoSessionExists" property
>>>> as follows can resolve the original session-timeout issue raised by
>>>> Hasintha.
>>>>
>>>> org.owasp.csrfguard.ValidateWhenNoSessionExists = false
>>>>
>>>>
>>>> Please add the lines below to the product "distribution" pom file to correct
>>>> this behavior. This was further updated in [1] and [2] (Integration
>>>> Checklist).
>>>>
>>>> <!-- Update Owasp.CsrfGuard.properties file
>>>> with ValidateWhenNoSessionExists to disable validation on requests made
>>>> with no valid session -->
>>>>
>>>> <replace
>>>> file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>>>> token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>>>> value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>>>>
>>>>
>>>> [1]
>>>> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
>>>> [2]
>>>> https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>>>>
>>>> Thank you,
>>>> Ayoma.
>>>>
>>>> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <dula...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <ay...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Original issue reported by Hasintha is relevant to how we handle
>>>>>> session timeout conditions with CSRFGuard filter. We are working on this
>>>>>> and will update with a resolution.
>>>>>>
>>>>>
>>>>> The reason for this behavior is there's no session-existence check
>>>>> prior to the form POST. Before CSRFGuard this was not a problem, because,
>>>>> upon a failure due to session timeout one of the following would have
>>>>> happened:
>>>>>
>>>>>    1. in the case of an ajaxprocessor - Request would be propagated
>>>>>    to the respective admin service, and upon its session non-existence
>>>>>    exception, will be redirected to the login page.
>>>>>    2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext
>>>>>    will redirect to the login page before hitting the actual jsp/servlet.
>>>>>
>>>>> Since CSRFGuard is a filter, it intercepts before either of the above
>>>>> happens and sends a 403 Forbidden - because that's what it's supposed to
>>>>> do.
>>>>>
>>>>> There's a platform level javascript function called
>>>>> sessionAwareFunction (in main.js) that can be used for this. Registry
>>>>> Browser uses that. We have to send the actual operation we want to do as a
>>>>> callback function to sessionAwareFunction. It will initially do a session
>>>>> validity check via /carbon/admin/jsp/session-validate.jsp and then execute
>>>>> what we want to do.
>>>>>
>>>>> We tried to come up with a centralized solution for this, but failed.
>>>>> Therefore, this needs to be fixed at product level.
>>>>>
>>>>> Please let us know if you see a better solution for this.
>>>>>
>>>>>
>>>>>> In general CSRFGuard should work without any per-page modifications,
>>>>>> since we are using JavaScript based attribute injection and header based
>>>>>> protection for AJAX requests. However, there might be special cases in
>>>>>> which these methodologies fail. Such incidences should be handled
>>>>>> case-by-case and we will be adding all the special cases we identified in
>>>>>> to the "Integration Checklist" of [1].
>>>>>>
>>>>>> We had a short offline session with Shavantha on the issue he is
>>>>>> facing and identified that there are methods that use the
>>>>>> *document.createElement('form')* JavaScript call to build forms
>>>>>> dynamically. Since CSRFGuard JavaScript will not be able to identify such
>>>>>> forms, it is necessary to add the CSRF token manually. Please see the
>>>>>> attached screenshot, which is the page source of [2]. In such situations
>>>>>> it is required to use the JSP Taglib to add the CSRF token as an
>>>>>> additional parameter. Please follow [1] for additional details.
>>>>>>
>>>>>> We can of course arrange quick sessions with teams to check on any
>>>>>> edge-case issues they are facing relevant to CSRFGuard.
>>>>>>
>>>>>> [1]
>>>>>> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>>>>> [2]
>>>>>> https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>>>>
>>>>>> Best Regards,
>>>>>> Ayoma.
>>>>>>
>>>>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <
>>>>>> shavan...@wso2.com> wrote:
>>>>>>
>>>>>>> [+Dulanjan]
>>>>>>>
>>>>>>> Hi All
>>>>>>>
>>>>>>> When trying to add multiple roles to a user using a feature such as
>>>>>>> *Select all from page 1 to page 3*, or clicking on a pagination number,
>>>>>>> the same error occurs and throws an error similar to [1].
>>>>>>>
>>>>>>> [1]
>>>>>>> [2016-07-07 11:34:37,139]  WARN - JavaLogger potential cross-site
>>>>>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
>>>>>>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp,
>>>>>>> error:required token is missing from the request)
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Shavantha Weerasinghe
>>>>>>> Senior Software Engineer QA
>>>>>>> WSO2, Inc.
>>>>>>> lean.enterprise.middleware.
>>>>>>> http://wso2.com
>>>>>>> http://wso2.org
>>>>>>> Tel : 94 11 214 5345
>>>>>>> Fax :94 11 2145300
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <hasin...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> When trying to perform operations through the admin console, once the
>>>>>>>> session has expired we are getting a 403 from the admin console. It seems
>>>>>>>> this occurs due to the CSRF filter blocking the request, since the session
>>>>>>>> is no longer available on the server side.
>>>>>>>>
>>>>>>>> [2016-07-06 15:34:27,576]  WARN
>>>>>>>> {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request
>>>>>>>> forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
>>>>>>>> method:POST, uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp,
>>>>>>>> error:request token does not match session token)
>>>>>>>> --
>>>>>>>> Hasintha Indrajee
>>>>>>>> WSO2, Inc.
>>>>>>>> Mobile:+94 771892453
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> Dev@wso2.org
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ayoma Wijethunga
>>>>>> Software Engineer
>>>>>> Platform Security Team
>>>>>> WSO2, Inc.; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> Mobile : +94 (0) 719428123
>>>>>> Blog : http://www.ayomaonline.com
>>>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Dulanja Liyanage
>>>>> Lead, Platform Security Team
>>>>> WSO2 Inc.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ayoma Wijethunga
>>>> Software Engineer
>>>> Platform Security Team
>>>> WSO2, Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile : +94 (0) 719428123
>>>> Blog : http://www.ayomaonline.com
>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Rajith Roshan
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94-72-642-8350
>>>
>>
>>
>>
>> --
>> Ayoma Wijethunga
>> Software Engineer
>> Platform Security Team
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 (0) 719428123
>> Blog : http://www.ayomaonline.com
>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>
>
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350
>
>
>


-- 
Madhawa Gunasekara
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94 719411002
blog: http://madhawa-gunasekara.blogspot.com
linkedin: http://lk.linkedin.com/in/mgunasekara
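The two client-side techniques discussed in the thread (Dulanja's session-aware callback pattern around /carbon/admin/jsp/session-validate.jsp, and Ayoma's point that forms built with document.createElement('form') need the CSRF token added by hand) as an added illustration; this is not WSO2's main.js or sessionAwareFunction. The login URL, the "success" response body of the validation page and the OWASP_CSRFTOKEN parameter name are assumptions.

```javascript
// Added example, not WSO2 code. Checks for a live server session before
// running an operation so a stale session gets a login redirect instead of
// CSRFGuard's 403, and builds dynamic forms that carry the CSRF token.
const SESSION_VALIDATE_URL = "/carbon/admin/jsp/session-validate.jsp"; // from the thread
const LOGIN_URL = "/carbon/admin/login.jsp";   // assumed login page
const CSRF_TOKEN_PARAM = "OWASP_CSRFTOKEN";    // assumed CSRFGuard token name

// Assumption: the validation page answers "success" while a session exists.
function sessionIsValid(responseText) {
  return String(responseText).trim() === "success";
}

// Browser transport for the session check (not used by the tests).
function browserCheckSession(url, onResponse) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url, true);
  xhr.onload = () => onResponse(xhr.responseText);
  xhr.send();
}

// Run `operation` only when the server still has a session; otherwise call
// `onExpired` (normally a redirect to the login page). `checkSession` is
// injectable so the decision logic can be exercised outside a browser.
function sessionAwareFunction(operation, deps) {
  const checkSession = deps.checkSession || browserCheckSession;
  checkSession(SESSION_VALIDATE_URL, (responseText) => {
    if (sessionIsValid(responseText)) {
      operation();
    } else {
      deps.onExpired(LOGIN_URL);
    }
  });
}

// Dynamic forms are invisible to CSRFGuard's injected JavaScript, which only
// patches forms present at page load, so append the token explicitly.
function buildTokenizedForm(doc, action, fields, csrfToken) {
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = action;
  const all = { ...fields, [CSRF_TOKEN_PARAM]: csrfToken };
  for (const [name, value] of Object.entries(all)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  return form;
}
```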
