Posted to dev@activemq.apache.org by "Dejan Bosanac (JIRA)" <ji...@apache.org> on 2011/06/01 14:23:47 UTC

[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5

    [ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042131#comment-13042131 ] 

Dejan Bosanac commented on AMQ-3345:
------------------------------------

How do you call this page? This check is introduced to prevent CSRF attacks, so that the "purge" link can only be clicked from the webapp page. It works all fine here.

> Possible CSRF attack on 5.5
> ---------------------------
>
>                 Key: AMQ-3345
>                 URL: https://issues.apache.org/jira/browse/AMQ-3345
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.5.0
>         Environment: Ubuntu server LTS 10.04.2
> Linux abertis 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux
> Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)
>            Reporter: Javier Segura
>              Labels: csrf
>
> When trying to purge the contents of any queue, I receive:
> 2011-06-01 11:28:31,103 | WARN  | /admin/queues.jsp | org.eclipse.jetty.util.log | qtp85031456-16
> javax.el.ELException: java.lang.reflect.UndeclaredThrowableException
>         at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
>         at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
>         at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
>         at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
>         at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>         at org.eclipse.jetty.server.Server.handle(Server.java:351)
>         at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
>         at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>         at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>         at java.lang.Thread.run(Thread.java:619)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
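One way to implement the kind of check the comment above describes, as an added example that is not ActiveMQ's own code: a session-bound secret is written into the purge link when the console page renders it and verified by a servlet filter before the action runs, so a request that does not carry it (bookmarked, hand-typed or issued from another site) is refused. The filter class, the `secret` parameter and the `console.secret` session attribute are assumed names for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Illustrative CSRF guard for a "purge" style console action (added example, not ActiveMQ's code).
public class ActionSecretFilter implements Filter {
    static final String SESSION_ATTR = "console.secret"; // assumed session attribute name
    static final String PARAM = "secret";                 // assumed request parameter name
    private static final SecureRandom RNG = new SecureRandom();
    /** Secret bound to this session, minted on first use; the JSP appends it to action links. */
    public static String secretFor(HttpSession session) {
        synchronized (session) {
            String s = (String) session.getAttribute(SESSION_ATTR);
            if (s == null) {
                byte[] buf = new byte[32];
                RNG.nextBytes(buf);
                s = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
                session.setAttribute(SESSION_ATTR, s);
            }
            return s;
        }
    }
    /** True only when the request echoes the secret of an already existing session. */
    static boolean tokenMatches(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session here
        String presented = req.getParameter(PARAM);
        if (session == null || presented == null) return false;
        String expected = (String) session.getAttribute(SESSION_ATTR);
        return expected != null && MessageDigest.isEqual( // constant-time comparison
            expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }
    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // Only the state-changing action is guarded; a bookmarked or cross-site request has no secret.
        if (req.getServletPath().startsWith("/purge") && !tokenMatches(req)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
                "missing or invalid CSRF secret: use the purge link from the console page");
            return;
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The page that lists queues would render each purge link with `&secret=<%= ActionSecretFilter.secretFor(session) %>` appended, which is why the same URL opened directly, without that parameter, is rejected.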