Posted to dev@geronimo.apache.org by "Joseph Leong (JIRA)" <ji...@apache.org> on 2008/01/24 10:19:38 UTC

[jira] Created: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Plugin Installer, CRSF issue when attempting to install a new plugin
--------------------------------------------------------------------

                 Key: GERONIMO-3781
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3781
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: console
    Affects Versions: 2.1
         Environment: Ubuntu 7.10, Firefox 2.0.0.6
            Reporter: Joseph Leong
            Assignee: Joseph Leong
             Fix For: 2.1


Plugin installer will not allow for you to install any more plugins on a second attempt given that it threw an exception the first time. This is attributed to the exception thrown that doesn't properly exit and close off current sessions. So in the second attempt there is a cookie/session mismatch.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Donald Woods (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12577963#action_12577963 ] 

Donald Woods commented on GERONIMO-3781:
----------------------------------------

Do we still have a Jetty issue here for 2.1.1?




[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Joseph Leong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573107#action_12573107 ] 

Joseph Leong commented on GERONIMO-3781:
----------------------------------------

Hey Jarek,

Great! Beat me to it, ya I saw that in Manu's response and a light bulb went off. I'll verify it and follow up with this Jetty issue.

Thanks Jarek

-Joseph Leong



[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Joseph Leong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12565910#action_12565910 ] 

Joseph Leong commented on GERONIMO-3781:
----------------------------------------

Update:

Been spending a great deal of time on this, have found a funny scenario that fixes this issue with expiring a cookie and some delays, but not satisfied with that hack. Going to put more work into it until I iron this out solid.

Any thoughts would be appreciated.  The specific issue is at the: private void checkNotCsrfAttack(HttpServletRequest request, String sessionCookieName) located at
http://fisheye5.cenqua.com/browse/~raw,r=1.7/dwr/java/org/directwebremoting/dwrp/Batch.java

It is throwing a session error because nothing will return true.

Due to GERONIMO-3746 being resolved, this JIRA will remain active to update the CSRF issue.

Thanks!



[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Joseph Leong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578036#action_12578036 ] 

Joseph Leong commented on GERONIMO-3781:
----------------------------------------

As far as I know I haven't implemented any changes for this yet, still working on it.



[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Joseph Leong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563121#action_12563121 ] 

Joseph Leong commented on GERONIMO-3781:
----------------------------------------

Due to the issue occurring in several overlapping files of other related JIRAs, please refer to GERONIMO-3746 for future updates regarding this bug.

Thanks!
Joseph Leong



[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573091#action_12573091 ] 

Jarek Gawor commented on GERONIMO-3781:
---------------------------------------

Also, with these new changes everything looks/works fine for me on Tomcat but on Jetty I see the following exception displayed periodically (although everything installed/looked fine):

java.lang.IllegalStateException: Committed
        at org.mortbay.jetty.Response.resetBuffer(Response.java:995)
        at org.mortbay.jetty.Response.sendRedirect(Response.java:403)
        at org.mortbay.jetty.security.FormAuthenticator.authenticate(FormAuthenticator.java:257)
        at org.apache.geronimo.jetty6.handler.JettySecurityHandler.checkSecurityConstraints(JettySecurityHandler.java:216)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:191)
        at org.apache.geronimo.jetty6.handler.JettySecurityHandler.handle(JettySecurityHandler.java:114)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
        at org.apache.geronimo.jetty6.handler.TwistyWebAppContext.access$101(TwistyWebAppContext.java:40)
        at org.apache.geronimo.jetty6.handler.TwistyWebAppContext$TwistyHandler.handle(TwistyWebAppContext.java:65)
        at org.apache.geronimo.jetty6.handler.ThreadClassloaderHandler.handle(ThreadClassloaderHandler.java:46)
        at org.apache.geronimo.jetty6.handler.InstanceContextHandler.handle(InstanceContextHandler.java:58)
        at org.apache.geronimo.jetty6.handler.UserTransactionHandler.handle(UserTransactionHandler.java:48)
        at org.apache.geronimo.jetty6.handler.ComponentContextHandler.handle(ComponentContextHandler.java:47)
        at org.apache.geronimo.jetty6.handler.TwistyWebAppContext.handle(TwistyWebAppContext.java:59)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
        at org.mortbay.jetty.Server.handle(Server.java:324)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:374)
        .....



[jira] Updated: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Kevan Miller (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevan Miller updated GERONIMO-3781:
-----------------------------------

    Affects Version/s: 2.1.1
        Fix Version/s:     (was: 2.1)
                       2.1.1



[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Joseph Leong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563098#action_12563098 ] 

Joseph Leong commented on GERONIMO-3781:
----------------------------------------

The cookie/session mismatch may have been a byproduct of not being redirected to ContinueForm after installation is complete. There the DWR session may properly close, allowing it to recreate a matching cookie/session the next time the plugin installer is called. Similar issue may exist in the Sys-Db portlet as well, will confirm and open separate JIRA.



[jira] Commented: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573088#action_12573088 ] 

Jarek Gawor commented on GERONIMO-3781:
---------------------------------------

Manu George said something on the http://www.mail-archive.com/dev@geronimo.apache.org/msg57376.html thread that prompted me to take a new look at this issue. I changed the code so that all dwr (plugin portlet) requests are forwarded through the /console context and that seems to fix the session problems. I committed the changes to trunk (revision 631758) and branches/2.1 (revision 631759). 

Please checkout the updated code and verify the fix.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
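
Added example, not part of the thread and not code from DWR or Geronimo: a simplified Java model of a double-submit session check, the kind of cookie/session comparison the thread describes around checkNotCsrfAttack, showing why sending the DWR call through the /console context can make the cookie and the submitted session id agree. The /plugin-dwr context, the session id values and the assumption that the mismatch came from path-scoped session cookies are illustrative, not taken from the issue.

```java
import java.util.ArrayList;
import java.util.List;

/** Simplified model of a double-submit session check; not DWR's code. */
public class DoubleSubmitCheckDemo {

    /** A cookie as the browser stores it: name, value and the path it is scoped to. */
    static final class StoredCookie {
        final String name, value, path;
        StoredCookie(String name, String value, String path) {
            this.name = name; this.value = value; this.path = path;
        }
        /** Path match: the cookie path is the request path or a parent directory of it. */
        boolean appliesTo(String requestPath) {
            return requestPath.equals(path) || requestPath.startsWith(path + "/");
        }
    }

    /** Cookies the browser attaches to (and exposes to script on) the given path. */
    static List<StoredCookie> cookiesFor(List<StoredCookie> jar, String path) {
        List<StoredCookie> sent = new ArrayList<>();
        for (StoredCookie c : jar) {
            if (c.appliesTo(path)) sent.add(c);
        }
        return sent;
    }

    /** Server side: accept only if the id in the body equals a session cookie on the request. */
    static void checkNotCsrf(List<StoredCookie> requestCookies, String cookieName, String bodySessionId) {
        for (StoredCookie c : requestCookies) {
            if (c.name.equals(cookieName) && c.value.equals(bodySessionId)) {
                return; // body and cookie agree, so the sender could read the cookie
            }
        }
        throw new SecurityException("Session Error");
    }

    static String attempt(List<StoredCookie> jar, String pagePath, String endpointPath) {
        // Client script copies the session id it can see on the page into the request body.
        List<StoredCookie> visible = cookiesFor(jar, pagePath);
        String bodyId = visible.isEmpty() ? "" : visible.get(0).value;
        try {
            checkNotCsrf(cookiesFor(jar, endpointPath), "JSESSIONID", bodyId);
            return "accepted";
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one session cookie per web context.
        List<StoredCookie> jar = new ArrayList<>();
        jar.add(new StoredCookie("JSESSIONID", "console-session-id", "/console"));
        jar.add(new StoredCookie("JSESSIONID", "dwr-session-id", "/plugin-dwr")); // hypothetical context

        // Page in /console, endpoint in another context: the ids differ and the check fails.
        System.out.println(attempt(jar, "/console/portal", "/plugin-dwr/dwr/call"));
        // Endpoint reached through /console: the same cookie is on both sides and the check passes.
        System.out.println(attempt(jar, "/console/portal", "/console/dwr/call"));
    }
}
```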


[jira] Closed: (GERONIMO-3781) Plugin Installer, CRSF issue when attempting to install a new plugin

Posted by "Joseph Leong (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joseph Leong closed GERONIMO-3781.
----------------------------------

    Resolution: Fixed

Original CSRF issue resolved. The side effect that spawns the warning message in Jetty will be fixed and updated at GERONIMO-3942.
