Posted to dev@activemq.apache.org by "Torsten Mielke (JIRA)" <ji...@apache.org> on 2011/07/29 12:05:10 UTC

[jira] [Created] (AMQ-3425) Unable to delete a queue via web console

Unable to delete a queue via web console
----------------------------------------

                 Key: AMQ-3425
                 URL: https://issues.apache.org/jira/browse/AMQ-3425
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
    Affects Versions: 5.5.0, 5.6.0
         Environment: web console, default configuration
            Reporter: Torsten Mielke


Using the following steps will make it impossible to delete a queue via the web console admin interface:
- start ActiveMQ with default configuration (where web console and sample Camel route are deployed)
- open the web console http://localhost:8161/admin, click on Queues
- for the only queue example.A, press browse
- go back in your browser and now try to Delete the queue using the Delete link
- it will raise "Exception occurred while processing this request, check the log for more information!"

The AMQ log contains:
{noformat}
java.lang.UnsupportedOperationException: Possible CSRF attack
	at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
	at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
	at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
	at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
	at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
	at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
	at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
	at org.eclipse.jetty.server.Server.handle(Server.java:351)
	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
	at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
	at java.lang.Thread.run(Thread.java:636)
{noformat}


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Closed] (AMQ-3425) Unable to delete a queue via web console

Posted by "Timothy Bish (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Bish closed AMQ-3425.
-----------------------------

    Resolution: Not A Problem

Working as designed

> Unable to delete a queue via web console
> ----------------------------------------
>
>                 Key: AMQ-3425
>                 URL: https://issues.apache.org/jira/browse/AMQ-3425
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.5.0, 5.6.0
>         Environment: web console, default configuration
>            Reporter: Torsten Mielke
>              Labels: console, web
>

[jira] [Commented] (AMQ-3425) Unable to delete a queue via web console

Posted by "Malcolm McMahon (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13082331#comment-13082331 ] 

Malcolm McMahon commented on AMQ-3425:
--------------------------------------

I guess this is what just happened to me, though I initially associated the problem with AMQ-2886. The error page could do with being far more specific. Even when I looked up the corresponding log entry I didn't see what "Possible CSRF" had to do with how I got to the page I clicked the link on.



[jira] [Commented] (AMQ-3425) Unable to delete a queue via web console

Posted by "Dejan Bosanac (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13072767#comment-13072767 ] 

Dejan Bosanac commented on AMQ-3425:
------------------------------------

This is expected behavior. The protection against CSRF attacks is implemented to make sure you're calling an action from the web application (and not hitting URLs directly). When you hit the "back" button, the browser will pull the page from the cache and it will not be properly initialized. Try reloading the "queues" page before hitting "delete" and it will work.



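The behaviour described in the comment above, as an added example that is not ActiveMQ's code: it assumes the console issues a new per-session token every time a page is rendered, so a page restored from the browser cache carries an outdated one. The class, method and parameter names and the link format are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added illustration; every name here is hypothetical, not taken from ActiveMQ. */
public class StaleTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String PARAM = "csrfToken="; // assumed parameter name

    // Stand-in for the server-side HTTP session.
    private final Map<String, String> session = new HashMap<>();

    /** Rendering any console page issues a fresh token and returns that page's Delete link. */
    String renderPage(String queue) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put("csrfToken", token); // invalidates the token of every earlier page
        return "delete?queue=" + queue + "&" + PARAM + token; // constructed link format
    }

    /** State-changing action: accepted only if the link carries the session's current token. */
    void handleDelete(String link) {
        int at = link.indexOf(PARAM);
        String presented = at < 0 ? "" : link.substring(at + PARAM.length());
        String expected = session.get("csrfToken");
        // Constant-time comparison so the check does not leak how many characters matched.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8))) {
            throw new UnsupportedOperationException("Possible CSRF attack");
        }
    }

    public static void main(String[] args) {
        StaleTokenDemo console = new StaleTokenDemo();

        String queuesPage = console.renderPage("example.A"); // user opens Queues
        console.renderPage("example.A");                      // user clicks Browse: token rotates

        try {
            console.handleDelete(queuesPage); // Back button: cached link still has the old token
            System.out.println("cached page accepted");
        } catch (UnsupportedOperationException e) {
            System.out.println("cached page rejected: " + e.getMessage());
        }

        String reloaded = console.renderPage("example.A");    // reload Queues: fresh token
        console.handleDelete(reloaded);
        System.out.println("reloaded page accepted");
    }
}
```

A link typed or embedded by a third-party site fails the same check, because it cannot contain the session's current token.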