Posted to dev@geronimo.apache.org by "Kevan Miller (JIRA)" <ji...@apache.org> on 2009/06/30 19:24:47 UTC

[jira] Created: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

XSS/XSRF filters are triggering Session object creation for unknown URLs
------------------------------------------------------------------------

                 Key: GERONIMO-4722
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4722
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
    Affects Versions: 2.1.4, 2.2
            Reporter: Kevan Miller
            Priority: Minor
             Fix For: 2.1.5, 2.2


The XSS/XSRF filters are causing session objects to be created for unknown URLs. For instance, a request for localhost:8080/nonexistenturl creates a session, as indicated in the following stack trace:

http-0.0.0.0-8080-1@10 daemon, priority=5, in group 'main', status: 'RUNNING'
	  at org.apache.catalina.session.StandardManager.createSession(StandardManager.java:284)
	  at org.apache.catalina.connector.Request.doGetSession(Request.java:2,312)
	  at org.apache.catalina.connector.Request.getSession(Request.java:2,075)
	  at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
	  at org.apache.geronimo.console.filter.XSRFHandler.isInvalidSession(XSRFHandler.java:79)
	  at org.apache.geronimo.console.filter.XSSXSRFFilter.doFilter(XSSXSRFFilter.java:109)
	  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	  at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
	  at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
	  at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
	  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
	  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
	  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
	  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	  at java.lang.Thread.run(Thread.java:613)


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Closed: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

Posted by "Rex Wang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rex Wang closed GERONIMO-4722.
------------------------------


closing it



[jira] Assigned: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

Posted by "Joe Bohn (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Bohn reassigned GERONIMO-4722:
----------------------------------

    Assignee: Joe Bohn



[jira] Resolved: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

Posted by "Joe Bohn (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Bohn resolved GERONIMO-4722.
--------------------------------

    Resolution: Fixed

I've committed changes in branches/2.1 (rev. 789881) and trunk (rev. 789885).   This seems to resolve the problem you observed with session creation.  Please validate before closing.



[jira] Commented: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

Posted by "Joe Bohn (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12725723#action_12725723 ] 

Joe Bohn commented on GERONIMO-4722:
------------------------------------

It appears that we were too aggressive in the application of the XSSXSRFFilter. There is no strong reason that this should be applied to the welcome application which has a context-root of "/". Combine that with the filter URL pattern of "/*" registered for the filter on the welcome application and nearly every URL is inspected. It seems we can remove this filter from welcome.

Refer to this thread for more details:  http://www.nabble.com/Session-creation-triggered-by-XSS-XSRF-filter-to24272007s134.html

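As an added illustration of the mechanism described in the report and in Joe Bohn's comment (this is hypothetical code, not Geronimo's filter and not the committed fix, which instead stopped applying the filter to the welcome application): a minimal servlet filter showing the session-creating check next to a variant that uses getSession(false), so a request for an unmatched URL never allocates a session. The attribute name xsrf.token and the parameter name formId are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not Geronimo's XSSXSRFFilter) mapped to "/*".
public class NoSessionXsrfFilter implements Filter {

    // The pattern visible in the stack trace: getSession() with no argument
    // allocates a new session for every request that has none, including
    // requests for URLs that will end in a 404.
    static boolean isInvalidSessionCreating(HttpServletRequest req) {
        HttpSession session = req.getSession();   // side effect: creates a session
        return session.getAttribute("xsrf.token") == null;
    }

    // Hardened variant: getSession(false) only looks up an existing session.
    // With no session there is no authenticated state to forge against, so the
    // check passes without allocating anything on the server.
    static boolean isInvalidSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        String expected = (String) session.getAttribute("xsrf.token"); // assumed attribute
        String supplied = req.getParameter("formId");                  // assumed parameter
        return expected == null || !expected.equals(supplied);
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isInvalidSession(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Even with the hardened check, a filter mapped to "/*" on a context root of "/" still runs for every request to the server, which is the scoping problem the comment above points at; the code-level change only removes the session allocation side effect.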