[https://issues.apache.org/jira/browse/WICKET-6466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Darshit Patoliya updated WICKET-6466:
-------------------------------------
Description:
Hi,
I have used OpenMeetings in my application and am running it over HTTP
behind an nginx proxy, while my application itself runs over HTTPS.
When I try to open the OpenMeetings login page, it raises a 400 error for the
following requests.
{panel:title=Browser Network Tab}
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.0-&_=1504614984218&
{panel}
The following error is logged in red5.log:
{panel:title=red5.log}
2017-09-11 18:10:47,820 [http-nio-0.0.0.0-5080-exec-2] INFO
o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request
URL:
http://xxx.com/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage,
Origin: https://xxx.com, action: aborted with error 400 Origin does not
correspond to request
{panel}
As per my limited knowledge and from checking the Wicket code, I think it
is raised because of a protocol mismatch between the Origin and the request.
Is there any configuration available in Wicket to handle this scenario?
FYI: these are my nginx settings for OpenMeetings, in case I have missed something.
{code}
# Reverse proxy for the OpenMeetings web application (backend on port 5080)
location /om/ {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass_header X-CSRFToken;
    proxy_pass http://127.0.0.1:5080/om/;
    proxy_redirect default;
}
# Static content served directly by nginx
location /om/public/ {
    alias /opt/om330/webapps/om/public/;
}
location /om/css/ {
    alias /opt/om330/webapps/om/css/;
}
location /om/images/ {
    alias /opt/om330/webapps/om/images/;
}
location /om/js/ {
    alias /opt/om330/webapps/om/js/;
}
{code}
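The check behind that log line, modelled in Python as an added example (this is not Wicket's or OpenMeetings' code): the listener compares scheme, host and port of the browser's Origin header with those of the request URL as the servlet container reconstructs it, and a TLS-terminating proxy that speaks plain HTTP to the backend makes the two disagree on the scheme. The X-Forwarded-Proto header and the trust_proxy flag are assumptions about how a proxy can pass the original scheme through; the nginx config above does not set such a header.

```python
from urllib.parse import urlsplit

# Constructed model (not Wicket's own code) of the comparison that
# CsrfPreventionRequestCycleListener makes: the browser's Origin and the
# request URL as the container sees it must agree on scheme, host and port.
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalise(scheme, host, port):
    """Canonical (scheme, host, port) triple with default ports made explicit."""
    scheme = scheme.lower()
    return scheme, host.lower(), port or DEFAULT_PORTS.get(scheme)

def origin_from_header(origin_header):
    """Parse the browser-supplied Origin header, e.g. 'https://xxx.com'."""
    u = urlsplit(origin_header)
    return normalise(u.scheme, u.hostname, u.port)

def origin_from_request(scheme, host, port=None, forwarded_proto=None,
                        trust_proxy=False):
    """Origin the servlet container believes it is serving.
    Behind a TLS-terminating proxy the container receives plain HTTP, so it
    reconstructs 'http://...' unless it is configured to honour the scheme the
    proxy forwards (X-Forwarded-Proto, assumed here; the nginx config above
    does not send it).
    """
    if trust_proxy and forwarded_proto:
        scheme, port = forwarded_proto, None  # default port of the real scheme
    return normalise(scheme, host, port)

def check_csrf(origin_header, request_origin):
    """Return (allowed, reason). A mismatch is what the log reports as
    'aborted with error 400 Origin does not correspond to request'."""
    if origin_header is None:
        # Wicket handles a missing Origin under a separate, configurable action.
        return None, "no Origin header"
    source = origin_from_header(origin_header)
    if source != request_origin:
        return False, "Origin %s://%s:%s does not correspond to request %s://%s:%s" % (
            source + request_origin)
    return True, "Origin corresponds to request"

if __name__ == "__main__":
    # The reporter's setup: HTTPS at the browser, plain HTTP from nginx to the app.
    seen = origin_from_request("http", "xxx.com")
    print(check_csrf("https://xxx.com", seen))
    # Same request once the container trusts the scheme the proxy forwards.
    fixed = origin_from_request("http", "xxx.com",
                                forwarded_proto="https", trust_proxy=True)
    print(check_csrf("https://xxx.com", fixed))
```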
> CSRF Prevention Configurations
> ------------------------------
>
> Key: WICKET-6466
> URL: https://issues.apache.org/jira/browse/WICKET-6466
> Project: Wicket
> Issue Type: Improvement
> Reporter: Darshit Patoliya
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)