[Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc

2013-08-01 Thread Hans-Joachim
Hello,

I'm just installing 3.3 Nightly as of July 31st on my CentOS 6.4 server.

When I try to log in to the Web I get 'Error 500'.

Here is the part of server.log:

..
2013-08-01 10:40:05,098 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/webadmin]] (ajp--127.0.0.1-8702-6) Exception while dispatching incoming RPC call: java.lang.SecurityException: Blocked request without GWT base path header (XSRF attack?)
 at com.google.gwt.rpc.server.RpcServlet.getClientOracle(RpcServlet.java:95) [gwt-servlet.jar:]
 at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:205) [gwt-servlet.jar:]
 at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) [gwt-servlet.jar:]
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
...

Hans-Joachim
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc

2013-08-01 Thread Juan Hernandez

Actually this isn't a problem with GWT RPC, but with the redirection
that is performed from / to /ovirt-engine in the web server. You
probably ended up with the following URL:

https://whatever/ovirt-engine/webadmin/webadmin/WebAdmin.html

This adds an extra ovirt-engine path element to the request that the
server side doesn't expect, so it assumes that there is an XSRF attack
going on. Type a URL like this manually in the browser and it should work:

https://whatever/webadmin/webadmin/WebAdmin.html



Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc

2013-08-01 Thread Hans-Joachim
Hello,

thank you... solved

Hans-Joachim


Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc

2013-08-01 Thread Vojtech Szocs
Hi,

the problem here was the following:

- GWT RPC requests include X-GWT-* headers to provide additional meta-data,
i.e. [X-GWT-Module-Base: https://whatever/webadmin/webadmin/]
- when processing a GWT RPC request, the server (RpcServlet) gets the
X-GWT-Module-Base value and compares it with the current request's context path
- if the comparison fails, for example due to an extra leading [/ovirt-engine]
path element, it blocks the request as invalid (potential XSRF attack)

Vojtech
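
The header-versus-context-path comparison described in the message above, modelled as a stand-alone Java sketch. This is an added example, not code from GWT or oVirt: the class and method names are hypothetical, the context path /webadmin is taken from the server.log line earlier in the thread, and the path-segment boundary check is an extra assumption of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration: a model of the X-GWT-Module-Base check described in
// the thread. Names are hypothetical and are not GWT's API.
public class ModuleBaseCheck {

    /**
     * Returns the module path relative to the context path, or null when the
     * request should be blocked (header missing, unparsable, or not located
     * under the context path).
     */
    static String relativeModulePath(String moduleBaseHeader, String contextPath) {
        if (moduleBaseHeader == null) {
            return null;                       // header absent
        }
        String path;
        try {
            path = new URI(moduleBaseHeader).getPath();
        } catch (URISyntaxException e) {
            return null;                       // header is not a valid URL
        }
        if (path == null || !path.startsWith(contextPath)) {
            return null;                       // e.g. extra leading /ovirt-engine
        }
        // Assumption of this example: require a path-segment boundary so that
        // "/webadmin2/" is not accepted for the context "/webadmin".
        String rest = path.substring(contextPath.length());
        if (!rest.isEmpty() && !rest.startsWith("/")) {
            return null;
        }
        return rest;
    }

    public static void main(String[] args) {
        String contextPath = "/webadmin";      // context shown in the server.log line
        String[] headers = {
            "https://whatever/webadmin/webadmin/",               // direct URL
            "https://whatever/ovirt-engine/webadmin/webadmin/",  // after the redirect
            null,                                                // header not sent
        };
        for (String header : headers) {
            String rel = relativeModulePath(header, contextPath);
            System.out.println(header + " -> "
                + (rel == null ? "blocked" : "allowed, module path " + rel));
        }
    }
}
```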




Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc

2013-08-01 Thread Alon Bar-Lev

Should be fixed by [1]


[1] http://gerrit.ovirt.org/#/c/17567/
