wso2 / product-ei

An open source, a high-performance hybrid integration platform that allows developers quick integration with any application, data, or system.
https://wso2.com/integration/
Apache License 2.0

Unable to save a new Datasource with WSO2 EI 6.1.1 #696

Closed ferrarimarco closed 1 month ago

ferrarimarco commented 7 years ago

If I try to save a new datasource (after testing it) in EI 6.1.1, I get an Error 403 - Forbidden after pressing the "Save" button. The forbidden URL is https://IP:9443/carbon/ndatasource/savedatasource-ajaxprocessor.jsp

In the WSO2 EI Log I found this related entry:

[2017-06-28 12:38:04,984] [EI-Core] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:172.17.0.1, method:POST, uri:/carbon/ndatasource/savedatasource-ajaxprocessor.jsp, error:required token is missing from the request)

How to reproduce

Here is a Dockerfile you can use to reproduce this issue, provided that you have a provision/wso2ei-6.1.1.zip file:

# Reproduction image: Alpine-based OpenJDK 8u131.
FROM openjdk:8u131-jdk-alpine

# Unprivileged group and user for the server process.
# BusyBox adduser takes a single -G <group>; -S creates a system user,
# -D creates it without a password.
RUN addgroup wso2 \
    && adduser -S -s /bin/ash -G wso2 -D wso2user

# Only needed to unpack the distribution; removed again below.
RUN apk add --update --no-cache \
      unzip \
      zip

ENV WSO2_SERVER=wso2ei \
    WSO2_SERVER_VERSION=6.1.1 \
    WSO2_SERVER_PROFILE=default \
    WSO2_ENVIRONMENT=dev

# Requires provision/wso2ei-6.1.1.zip next to the Dockerfile.
COPY provision/${WSO2_SERVER}-${WSO2_SERVER_VERSION}.zip /mnt

RUN unzip -q /mnt/${WSO2_SERVER}-${WSO2_SERVER_VERSION}.zip -d /mnt \
  && rm -f /mnt/${WSO2_SERVER}-${WSO2_SERVER_VERSION}.zip

RUN apk del --no-cache \
    unzip \
    zip \
  && rm -rf /var/cache/apk/*

# Hand the unpacked distribution to the unprivileged user.
RUN chown wso2user:wso2 /usr/local/bin/* \
  && chown -R wso2user:wso2 /mnt

USER wso2user
WORKDIR /mnt

# Expose transport ports: pass-through HTTP/HTTPS (8280/8243) and the
# management console HTTP/HTTPS (9763/9443).
EXPOSE 8280 8243 9763 9443

# Shell form on purpose, so ${WSO2_SERVER_VERSION} is expanded at start-up.
ENTRYPOINT /mnt/wso2ei-${WSO2_SERVER_VERSION}/bin/integrator.sh

After building the image and running a container based on it, you can reproduce the issue by loading any page of the management console (even the login one) and checking which files are being loaded with the Development Mode of your browser of choice.

Possible Cause

After loading any webpage of the configuration interface, I get an https://IP:9443/carbon/admin/js/csrfPrevention.js net::ERR_CONTENT_DECODING_FAILED

After a bit of digging I found no csrfPrevention.js in wso2ei-6.1.1/wso2/components/plugins/org.wso2.carbon.ui_4.4.16.jar (there is however a csrf.js).

This issue heavily affects the UX because it makes certain management operations (like the creation of a new Datasource) impossible.

Manuri commented 7 years ago

Hi @ferrarimarco,

With the Dockerfile you provided I was able to reproduce this behavior. But when trying this in a non-containerized environment, this didn't occur.

In your possible cause section you have mentioned that csrfPrevention.js is not found. That is because it is not an actual file but a URL pattern ("/carbon/admin/js/csrfPrevention.js") that maps to a servlet which is responsible for dynamically injecting the CSRF token. So that is not the cause here.

When analyzing the request sent when saving the datasource, it seems that, in the case of the Docker container, X-CSRF-Token is not submitted with the form. But when the server is on the local machine itself, the X-CSRF-Token was being submitted with the form.

We'll check this and get back.

ferrarimarco commented 7 years ago

Thanks!

Sure, I realized that there was a servlet after checking the source, but anyway the servlet should respond with a 200 on that URL if invoked directly.

If you need to perform additional checks let me know.

Manuri commented 7 years ago

Thanks @ferrarimarco, will let you know if we need further help from you.

@ayomawdb Any insight you could provide on this?

Manuri commented 7 years ago

Hi @ferrarimarco, it seems that the issue occurs during gzip decompression of the JavaScript resource csrf.js. However, this issue did not occur when I tried the same scenario on an Ubuntu 14.10 image with OpenJDK. We need to isolate this further to identify whether this problem emerges when using Alpine Linux or whether there are different/additional contributing factors.
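The gzip decompression failure described in the comment above can be checked from the command line rather than by reading the browser's network panel. The following is an added example, not code from WSO2 or from any participant in this issue: it requests a resource with Accept-Encoding: gzip, keeps the raw body, and reports whether that body actually decodes as gzip, which is the check a browser performs before it reports net::ERR_CONTENT_DECODING_FAILED. The URL and the relaxed certificate verification are assumptions for a lab with the console's default self-signed certificate; the three sample bodies are constructed so the checker can be exercised offline.

```python
"""Does an HTTP body really decode under its Content-Encoding?

Added example (not WSO2 code). Distinguishes a healthy gzip response from
the two failure shapes a browser lumps under ERR_CONTENT_DECODING_FAILED:
a truncated/corrupt deflate stream and a plain body mislabeled as gzip.
"""
import gzip
import ssl
import urllib.request
import zlib


def check_gzip_body(headers, body):
    """Return (ok, detail) for raw response bytes and their headers.

    headers: dict of response headers; the lookup is case-insensitive.
    body:    bytes exactly as received on the wire, before any decoding.
    """
    encoding = next((v for k, v in headers.items()
                     if k.lower() == "content-encoding"), "identity").lower()
    if encoding in ("", "identity"):
        return True, "not compressed (%d bytes)" % len(body)
    if encoding != "gzip":
        return False, "unsupported Content-Encoding: %s" % encoding
    if body[:2] != b"\x1f\x8b":
        # Header promises gzip but the gzip magic number is absent: the
        # body went out uncompressed (or was decoded by a hop in between).
        return False, "Content-Encoding: gzip but body lacks gzip magic bytes"
    try:
        decoded = gzip.decompress(body)
    except (OSError, EOFError, zlib.error) as exc:
        # Truncated or corrupt stream: what the browser shows as
        # net::ERR_CONTENT_DECODING_FAILED.
        return False, "gzip stream corrupt: %s" % exc
    return True, "gzip ok, %d -> %d bytes" % (len(body), len(decoded))


def probe(url, verify_tls=False):
    """Fetch url asking for gzip and run check_gzip_body on the raw body.

    Intended for a live server, e.g. (assumed lab address)
    https://IP:9443/carbon/admin/js/csrfPrevention.js. verify_tls=False is
    only for a lab with the console's self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return check_gzip_body(dict(resp.headers.items()), resp.read())


# Constructed sample bodies (not captured from a real server).
JS = b"// constructed stand-in for csrf.js\nwindow.csrfToken = 'token';\n"
GOOD = gzip.compress(JS)
TRUNCATED = GOOD[:-6]   # most of the CRC32/ISIZE trailer is missing
MISLABELED = JS         # plain JavaScript sent with Content-Encoding: gzip


def demo():
    """Run the checker over the constructed samples; keyed by sample name."""
    gz = {"Content-Encoding": "gzip"}
    return {
        "good": check_gzip_body(gz, GOOD),
        "truncated": check_gzip_body(gz, TRUNCATED),
        "mislabeled": check_gzip_body(gz, MISLABELED),
        "identity": check_gzip_body({}, JS),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print("%-10s %s  %s" % (name, "OK " if ok else "BAD", detail))
```

Against a live console, run `probe("https://IP:9443/carbon/admin/js/csrfPrevention.js")` from a machine that can reach port 9443; a "gzip stream corrupt" result reproduces the browser's finding independently of the UI, and "not compressed" after setting compression off confirms the workaround took effect.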

Felipeagp commented 7 years ago

Hi guys,

The solution that I found for the issue was to install Java JDK 1.8.0_121. Versions of the JDK higher than this one seem not to work.

hsarma commented 7 years ago

Hello there - I was evaluating WSO2 DAS and couldn't log in with the default user/pass on a fresh install on 16.04 with JDK 1.8.0_151-b12. Over on the net, some say it's an issue with zlib on 17.x Ubuntu, others say it's with Oracle JDK > 1.8.0_12x. As a quick turnaround, I tried disabling Tomcat compression in repository/conf/tomcat/catalina-server.xml: <Connector ... compression="off">. Able to continue with DAS now.

manueldeveloper commented 7 years ago

It might be the Java version. I was suffering the same issue with Java JDK 1.8.0_151, I downgraded it to JDK 1.8.0_141 and the issue disappeared (issue)

ceduard0 commented 7 years ago

Hello everybody, I was suffering the same issue with Java JDK 1.8.0_151. I downgraded it to JDK 1.8.0_142 and the issue disappeared.

Thanks @manueldeveloper !!

glaucioguerra commented 6 years ago

Hi,

I downgraded from 151 to 144, and it works fine!

xsadg commented 6 years ago

I tried the 121, 141 and 144 versions, still the same on W2012R2. Same thing with compression set to off.

Miggleness commented 6 years ago

@xsadg make sure you set compression="off" in two places in file conf/tomcat/catalina-server.xml (WSO2 6.1.1)

I'm on Java 1.8u152
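The workaround discussed in the last few comments is easy to apply to only one of the two Connector elements by hand. The script below is an added example, not code from WSO2 or from anyone in this thread: it turns compression off on every Connector in a catalina-server.xml and reports which ones it changed, so a single remaining compression="on" cannot hide. The sample XML is constructed with two Connectors to mirror the thread; the real file has more attributes than shown. Caveat: xml.etree drops XML comments when it rewrites a file, so keep a copy of the original before running main() on it.

```python
"""Turn off HTTP compression on every Tomcat Connector in catalina-server.xml.

Added example (not WSO2 code). Tomcat's Connector attribute is
"compression"; "off" disables it, and the default when the attribute is
absent is also off.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for conf/tomcat/catalina-server.xml: one HTTP and
# one HTTPS connector, both with compression enabled.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="9763" protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" compressionMinSize="2048"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" compressionMinSize="2048"
               scheme="https" secure="true"/>
  </Service>
</Server>
"""


def load_sample():
    """Parse the constructed SAMPLE into an ElementTree."""
    return ET.ElementTree(ET.fromstring(SAMPLE))


def connectors_with_compression(tree):
    """Ports of Connectors whose compression is anything other than off."""
    return [c.get("port") for c in tree.getroot().iter("Connector")
            if c.get("compression", "off").lower() != "off"]


def disable_compression(tree):
    """Set compression="off" on every Connector that has it enabled.

    Returns a list of (port, previous value) for the Connectors changed,
    so the caller can confirm that both places mentioned in the thread
    were actually hit.
    """
    changed = []
    for conn in tree.getroot().iter("Connector"):
        current = conn.get("compression", "off")
        if current.lower() != "off":
            conn.set("compression", "off")
            changed.append((conn.get("port"), current))
    return changed


def main(path):
    """Rewrite the file at path in place and return what was changed."""
    tree = ET.parse(path)
    changed = disable_compression(tree)
    if changed:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return changed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        tree = load_sample()
        print("before:", connectors_with_compression(tree))
        print("changed:", disable_compression(tree))
        print("after:", connectors_with_compression(tree))
    else:
        for port, previous in main(target):
            print("Connector port=%s: compression %s -> off" % (port, previous))
```

With no argument the script runs against the constructed sample; with the path to a real catalina-server.xml it rewrites that file and prints one line per Connector it changed. An empty result on the real file means every Connector was already off, which is the state the thread's workaround aims for.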

xiao911wei commented 6 years ago

Still not working in jdk1.8.0_162 with wso2ei-6.1.1-update22. So should we still wait for jdk1.8.0_171+?

Miggleness commented 6 years ago

@xiao911wei Sadly, the release notes for Oracle's Java 8 u162 don't mention the fix. It's recommended to stick to u144 in the meantime.