ActiveMQ / AMQ-3425

Unable to delete a queue via web console

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 5.5.0, 5.x
    • Fix Version/s: None
    • Component/s: Broker
    • Labels:
    • Environment:

      web console, default configuration

      Description

      Using the following steps will make it impossible to delete a queue via the web console admin interface:

      • start ActiveMQ with default configuration (where web console and sample Camel route are deployed)
      • open the web console http://localhost:8161/admin, click on Queues
      • for the only queue example.A, press browse
      • go back in your browser and now try to Delete the queue using the Delete link
      • it will raise "Exception occurred while processing this request, check the log for more information!"

      The AMQ log contains:

      java.lang.UnsupportedOperationException: Possible CSRF attack
      	at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
      	at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
      	at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
      	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
      	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
      	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
      	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
      	at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
      	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
      	at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
      	at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
      	at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
      	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
      	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
      	at org.eclipse.jetty.server.Server.handle(Server.java:351)
      	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
      	at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
      	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
      	at java.lang.Thread.run(Thread.java:636)
      

        Activity

        Dejan Bosanac added a comment -

        This is expected behavior. The protection against CSRF attacks is implemented to make sure you're calling an action from the web application (and not hitting URLs directly). When you hit the "back" button, the browser will pull the page from the cache and it will not be properly initialized. Try reloading the "queues" page before hitting "delete" and it will work.

        Timothy Bish added a comment -

        Working as designed

        Malcolm McMahon added a comment -

        I guess this is what just happened to me, though I initially associated the problem with AMQ-2886. The error page could do with being far more specific. Even when I looked up the corresponding log entry I didn't see what "Possible CSRF" had to do with how I got to the page I clicked the link on.

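
A model of the check discussed in the comments above, added here as an example and not taken from ActiveMQ's source. It assumes the console keeps one secret per session, embeds it in each action link, and replaces it whenever a page is rendered; the class, its methods and the `/admin/delete` link are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Illustrative model only; names are hypothetical, not ActiveMQ's.
public class StaleSecretDemo {
    // Stands in for the HTTP session's attribute map.
    static final Map<String, String> session = new HashMap<>();

    // Assumption: rendering any console page stores a fresh secret in the
    // session and embeds it in that page's action links.
    static String renderPage(String actionLink) {
        String secret = UUID.randomUUID().toString();
        session.put("secret", secret);
        return actionLink + "&secret=" + secret;
    }

    static byte[] bytes(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    // Check applied to a state-changing request before its handler runs.
    static String checkAction(String link) {
        int i = link.indexOf("secret=");
        if (i < 0) {
            return "REJECTED: no secret in request (URL requested directly)";
        }
        String sent = link.substring(i + "secret=".length());
        String stored = session.get("secret");
        // Constant-time comparison of the submitted and stored secrets.
        if (stored == null || !MessageDigest.isEqual(bytes(sent), bytes(stored))) {
            return "REJECTED: secret does not match session (stale or forged page; reload and retry)";
        }
        return "ACCEPTED";
    }

    public static void main(String[] args) {
        String delete = "/admin/delete?queue=example.A";   // constructed link
        String cachedLink = renderPage(delete);             // user opens Queues
        renderPage("/admin/browse?queue=example.A");        // user clicks browse: secret replaced
        // Back button: the browser shows the cached Queues page with the old secret.
        System.out.println("cached link:    " + checkAction(cachedLink));
        // Reloading Queues re-renders the link with the current secret.
        System.out.println("reloaded link:  " + checkAction(renderPage(delete)));
        // A link that carries no secret at all.
        System.out.println("no-secret link: " + checkAction(delete));
    }
}
```

The rejection messages separate a missing secret from a mismatched one, which is the kind of detail the last comment asks the error page to surface.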

          People

          • Assignee: Unassigned
          • Reporter: Torsten Mielke