Hey there,

I have been using Jackrabbit in combination with Jackalope
(https://github.com/jackalope/jackalope-jackrabbit), but this starts to fail
since Jackrabbit 2.12.4.

When trying to write something to the workspace, I always get an error like
this:

[PHPCR\RepositoryException]
  Unexpected error:
  CURL Error:
  Response (HTTP 403): POST
  --uri: --
  array (
    0 => 'http://localhost:8080/server/default/jcr:root/',
  )
  --curl getinfo: --
  array (
    'url' => 'http://localhost:8080/server/default/jcr:root/',
    'content_type' => 'text/html; charset=iso-8859-1',
    'http_code' => 403,
    'header_size' => 165,
    'request_size' => 7846,
    'filetime' => -1,
    'ssl_verify_result' => 0,
    'redirect_count' => 0,
    'total_time' => 0.002591,
    'namelookup_time' => 1.7E-5,
    'connect_time' => 0.000165,
    'pretransfer_time' => 0.000192,
    'size_upload' => 7588.0,
    'size_download' => 1389.0,
    'speed_download' => 536086.0,
    'speed_upload' => 2928598.0,
    'download_content_length' => 1389.0,
    'upload_content_length' => 7588.0,
    'starttransfer_time' => 0.0025690000000000001,
    'redirect_time' => 0.0,
    'redirect_url' => '',
    'primary_ip' => '::1',
    'certinfo' =>
    array (
    ),
    'primary_port' => 8080,
    'local_ip' => '::1',
    'local_port' => 64122,
  )
  --request body (size: 7588 bytes): --
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-created"
  Content-Type: jcr-value/date; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  2016-11-16T10:10:21.000+00:00
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-changed"
  Content-Type: jcr-value/date; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  2016-11-16T10:10:21.000+00:00
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-published"
  Content-Type: jcr-value/date; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  2016-11-16T10:10:21.000+00:00
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-title"
  Content-Type: jcr-value/string; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-description"
  Content-Type: jcr-value/string; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-keywords"
  Content-Type: jcr-value/string; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-canonicalUrl"
  Content-Type: jcr-value/string; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-noIndex"
  Content-Type: jcr-value/boolean; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-noFollow"
  Content-Type: jcr-value/boolean; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  --07d542fbc64b7d5ee6f9362454e670f5
  Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n
   (truncated)
  --response body (size: 1389 bytes): --
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
  <title>Error 403 FORBIDDEN</title>
  </head>
  <body><h2>HTTP ERROR 403</h2>
  <p>Problem accessing /server/default/jcr:root/. Reason:
  <pre>    FORBIDDEN</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  <br/>
  </body>
  </html>
  --end response body--

If I am informed correctly, jackalope-jackrabbit uses the WebDAV interface of
Jackrabbit. Also, I have seen that the only issue fixed in the 2.12.4 release
was https://issues.apache.org/jira/browse/JCR-4009, which is handling some CSRF
stuff. So I think the 403 error we are getting could be related to the fix of
that issue (and obviously is, since it is the only thing that changed).

I talked to David Buchmann, the main author of jackalope-jackrabbit, and he 
said there is probably no CSRF handling, and after digging a bit in the code I 
cannot say otherwise. So I assume that this part is missing.

I have already looked at the different requests sent between the jackalope
internal client and one delivered by PHPCR, and I see some differences there.
For a simple list of nodes command the jackrabbit internal client is sending a
GET request, while the implementation of jackalope uses a POST with the content
type application/x-www-form-urlencoded. I tried to change that, but I was still
not lucky (I have explained that in more detail in this issue:
https://github.com/jackalope/jackalope-jackrabbit/issues/138#issuecomment-261295082)

Now my question is how we would have to provide a CSRF token in order to get
that working again. It's a little bit hard to find the missing bits in
Wireshark without having a clue at all :-)

Or am I searching in a completely different path?

Kind Regards
Daniel
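The pattern in the report above (GET listings pass, a form-encoded POST from a non-browser client gets a 403, and the only change is a CSRF fix) is what a server-side CSRF check that keys on request method, form content types and the request's source host produces. The following is an added illustration of that general mechanism, written for this thread; it is not Jackrabbit's code and the page does not say what rule JCR-4009 actually implements. The Origin/Referer host-matching rule, the allow-list parameter and the sample requests (constructed from the headers visible in the error dump) are assumptions of the example.

```python
"""Illustrative server-side CSRF check of the kind that answers a form POST with
HTTP 403. Added example, NOT Jackrabbit's implementation; the host-matching rule
and the allow-list are assumptions made for the illustration."""
from urllib.parse import urlsplit

# Content types a browser can submit cross-site through a plain HTML <form>.
# Other content types (e.g. application/json) cannot be sent by a form, so a
# check of this style leaves them alone.
FORM_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


def _host_of(url):
    """Host[:port] part of an absolute URL, lower-cased, or None if absent."""
    return urlsplit(url).netloc.lower() or None


def csrf_check(method, headers, allowed_hosts=()):
    """Return (allowed, reason) for one request.

    headers: dict of header name -> value (names matched case-insensitively).
    allowed_hosts: extra source hosts (assumed operator setting) that may post
    forms even though they differ from the request's own Host.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return True, "not a POST"                      # GET listing passes
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in FORM_CONTENT_TYPES:
        return True, "non-form content type"
    target = h.get("host", "").lower()
    source_url = h.get("origin") or h.get("referer")
    if not source_url:
        # A non-browser client such as a PHP library sends neither header,
        # so a rule of this kind cannot tell it from a cross-site form post.
        return False, "form POST without Origin/Referer"
    source = _host_of(source_url)
    if source == target or source in {a.lower() for a in allowed_hosts}:
        return True, "source host matches"
    return False, f"cross-site form POST from {source}"


# Constructed sample requests, modelled on the headers in the error dump.
SAMPLE_REQUESTS = {
    "listing_get": ("GET", {"Host": "localhost:8080"}),
    "library_form_post": ("POST", {
        "Host": "localhost:8080",
        "Content-Type": "multipart/form-data; boundary=07d542fbc64b7d5ee6f9362454e670f5",
    }),
    "same_site_form_post": ("POST", {
        "Host": "localhost:8080",
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": "http://localhost:8080/server/",
    }),
    "cross_site_form_post": ("POST", {
        "Host": "localhost:8080",
        "Content-Type": "multipart/form-data; boundary=abc",
        "Origin": "http://other.example",
    }),
    "json_post": ("POST", {"Host": "localhost:8080", "Content-Type": "application/json"}),
}


def classify_samples(allowed_hosts=()):
    """Map each sample name to True (allowed) or False (would get a 403)."""
    return {name: csrf_check(m, h, allowed_hosts)[0]
            for name, (m, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (m, h) in SAMPLE_REQUESTS.items():
        allowed, reason = csrf_check(m, h)
        print(f"{name:22s} {'200' if allowed else '403'}  {reason}")
```

Run stand-alone it prints one line per sample; the library-style multipart POST is the one that fails for lack of any source header, which is the same shape as the failure in the dump above. Under a rule of this kind, a server operator has two defensible options: carry the trusted client's host on the allow-list, or have the client identify its source host explicitly, and either way the 403 responses from Jetty are worth logging with method, content type and source headers so that a misconfigured legitimate client can be told apart from an actual cross-site post.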
