
Key: MB-670
Type: Bug
Status: Open
Priority: Major
Assignee: Dejan Bosanac
Reporter: Sean O'Callaghan
Votes: 0
Watchers: 0
FUSE Message Broker

Possible CSRF attack error received when selecting purge/delete links in the ActiveMQ Admin console

Created: 17/May/10 11:11 AM   Updated: 16/Feb/11 02:19 PM
Component/s: broker
Affects Version/s: 5.3.1-fuse-01-00
Fix Version/s: None

File Attachments: 1. XML File activemq-dev2402.xml (7 kB)
2. Zip Archive dev2402.zip (5 kB)
3. Zip Archive mb670.zip (4 kB)
4. File webconsole.properties (0.1 kB)



Description
On selecting to Purge a queue the following URL is returned:

http://localhost:8161/admin/purgeDestination.action?JMSDestination=TEST.FOO&JMSDestinationType=queue&secret=d639b715-9ffb-48d4-b6ff-9bfd8ba62880.

The exception is:

HTTP ERROR: 500

Possible CSRF attack
RequestURI=/admin/purgeDestination.action

Caused by:

java.lang.UnsupportedOperationException: Possible CSRF attack
at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:1057)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:854)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1124)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1115)
at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1115)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1115)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:361)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:417)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:864)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:533)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:207)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
Powered by Jetty://
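The `secret` query parameter in the purge link and the "Possible CSRF attack" rejection point to a synchronizer-token check: the console page embeds a per-session token in its action links, and a state-changing request is only honoured when the token it carries matches the one stored in the caller's session. The following is an added illustration of that pattern, not code from ActiveMQ or FUSE Message Broker; the class and function names are invented, and the assumption that the console compares the URL token against a session-scoped value is exactly that, an assumption. It is written in Python rather than the project's Java so it runs stand-alone, and it shows the three outcomes a defender should expect: same session with the token accepted; token missing rejected; and a syntactically valid token presented without the session that issued it (an expired or unsent session cookie, or a link pasted elsewhere) rejected as well, which is why a URL that looks correct can still produce the error.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Constructed toy model of an admin console with session-bound CSRF tokens.


class CsrfError(Exception):
    """Raised when a state-changing request fails the token check."""


@dataclass
class Session:
    sid: str
    attrs: dict = field(default_factory=dict)


class AdminConsole:
    """Hypothetical console: pages mint a per-session secret; actions must echo it."""

    # Action endpoints that change broker state and therefore require the token.
    ACTIONS = {"purgeDestination.action", "deleteDestination.action"}

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid)
        return sid

    def render_queue_page(self, sid):
        """Simulate rendering the queue list: reuse or mint the session secret
        and embed it in the action links (assumed behaviour, not ActiveMQ's)."""
        session = self.sessions[sid]
        secret = session.attrs.setdefault("secret", secrets.token_urlsafe(16))
        return {
            "purge_link": "/admin/purgeDestination.action"
            f"?JMSDestination=TEST.FOO&JMSDestinationType=queue&secret={secret}"
        }

    def handle(self, sid, path, params):
        """Dispatch a request; `sid` is None when no valid session cookie arrived."""
        session = self.sessions.get(sid)
        action = path.rsplit("/", 1)[-1]
        if action in self.ACTIONS:
            expected = session.attrs.get("secret") if session else None
            supplied = params.get("secret")
            # Reject when either side is absent; compare in constant time otherwise.
            if expected is None or supplied is None or not hmac.compare_digest(
                expected, supplied
            ):
                raise CsrfError("Possible CSRF attack")
        return f"OK {action}"


def simulate():
    """Run the three scenarios and report how each request was handled."""
    console = AdminConsole()
    sid = console.new_session()
    link = console.render_queue_page(sid)["purge_link"]
    path, query = link.split("?", 1)
    params = dict(parse_qsl(query))
    results = {}

    def attempt(name, session_id, request_params):
        try:
            results[name] = console.handle(session_id, path, request_params)
        except CsrfError as exc:
            results[name] = str(exc)

    # 1. Same session that rendered the page, token present: accepted.
    attempt("same_session", sid, params)
    # 2. Token stripped from the request: rejected.
    attempt("missing_secret", sid, {k: v for k, v in params.items() if k != "secret"})
    # 3. Correct token but presented from a different session: rejected.
    attempt("other_session", console.new_session(), params)
    # 4. Correct token but no session at all (cookie expired or not sent): rejected.
    attempt("no_session", None, params)
    return results


if __name__ == "__main__":
    for scenario, outcome in simulate().items():
        print(f"{scenario:15s} -> {outcome}")
```

Scenarios 3 and 4 are the ones worth remembering when triaging a report like this one: the token string itself is fine, and the rejection comes from the session binding, so the console's session handling and security configuration are the first things to examine rather than the link.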



Sean O'Callaghan added a comment - 17/May/10 11:12 AM
Files used when starting the broker.

Dejan Bosanac added a comment - 21/May/10 09:10 PM
Hi Sean,

can you try files attached in the dev2302.zip archive? They contain modified activemq-dev2402.xml to include adapted jetty.xml which secures console correctly (see http://fusesource.com/issues/browse/MB-666 for more details).

I couldn't reproduce the error with these files and 5.3.1-00-01 broker.


Sean O'Callaghan added a comment - 24/May/10 08:39 AM
Hi Dejan,

Thanks. I think my setup might not be correct; can you send me on the credentials.properties and webconsole.properties that you use?
I can logon to the console using the user and password I've defined in webconsole.properties:

system:ev3rstr3am: amqAdmin,

However when I try to create I get an exception and also when I hit purge the same:

java.lang.UnsupportedOperationException: Possible CSRF attack occurs.

Regards,

Sean.


Dejan Bosanac added a comment - 08/Jun/10 09:09 AM
Hi Sean,

I just tried it on a clean 5.3.1-01-00 install, with files from dev-2402.zip.

I copied missing webconsole.properties manually and started a broker with

bin/acitvemq xbean:conf/activemq-dev2402.xml

and everything seems to work fine.

Can you try it on a fresh install and describe step-by-step how you reproduce it?

Thanks,
Dejan


Sean O'Callaghan added a comment - 08/Jun/10 12:31 PM
Hi Dejan,

I have tried a fresh install of 5.3.1-01-00.

Using the activemq-dev2402.xml file and copied in the webconsole.properties I get the exception below on starting the broker:

INFO | Connector vm://localhost Stopped
INFO | Connector vm://localhost Started
WARN | Failed to add Connection
java.lang.SecurityException: User name or password is invalid.
at org.apache.activemq.security.SimpleAuthenticationBroker.addConnection(SimpleAuthenticationBroker.java:52)
at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:683)
at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:303)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:181)
at org.apache.activemq.transport.ResponseCorrelator.onCommand(ResponseCorrelator.java:116)
at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
at org.apache.activemq.transport.vm.VMTransport.iterate(VMTransport.java:219)
at org.apache.activemq.thread.DedicatedTaskRunner.runTask(DedicatedTaskRunner.java:98)
at org.apache.activemq.thread.DedicatedTaskRunner$1.run(DedicatedTaskRunner.java:36)

Do you see this?

Sean.


Dejan Bosanac added a comment - 08/Jun/10 04:21 PM
Hi Sean,

Strangely, no. It's probably due to the security plugins configured in the file. Just for the sake of easier testing I created a new archive with everything included and broker security disabled: mb670.zip.

Can you try it out?

Thanks,
Dejan


Sean O'Callaghan added a comment - 09/Jun/10 10:13 AM
Hi Dejan,

Using that config all seems to work okay.

Thanks,

Sean.