GERONIMO-3781: Plugin Installer, CSRF issue when attempting to install a new plugin

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1, 2.1.1
    • Fix Version/s: 2.1.1
    • Component/s: console
    • Security Level: public (Regular issues)
    • Labels:
      None
    • Environment:

      Ubuntu 7.10, Firefox 2.0.0.6

      Description

      The plugin installer will not allow you to install any more plugins on a second attempt, given that it threw an exception the first time. This is attributed to the exception thrown, which doesn't properly exit and close off current sessions. So in the second attempt there is a cookie/session mismatch.

        Activity

        Joseph Leong added a comment -

        Original CSRF issue resolved. The side effect that spawns the warning message in Jetty will be fixed and updated at GERONIMO-3942.

        Joseph Leong added a comment -

        As far as I know I haven't implemented any changes for this yet, still working on it.

        Donald Woods added a comment -

        Do we still have a Jetty issue here for 2.1.1?

        Joseph Leong added a comment -

        Hey Jarek,

        Great! Beat me to it, ya I saw that in Manu's response and a light bulb went off. I'll verify it and follow up with this Jetty issue.

        Thanks Jarek

        -Joseph Leong

        Jarek Gawor added a comment -

        Also, with these new changes everything looks/works fine for me on Tomcat, but on Jetty I see the following exception displayed periodically (although everything installed/looked fine):

        java.lang.IllegalStateException: Committed
        at org.mortbay.jetty.Response.resetBuffer(Response.java:995)
        at org.mortbay.jetty.Response.sendRedirect(Response.java:403)
        at org.mortbay.jetty.security.FormAuthenticator.authenticate(FormAuthenticator.java:257)
        at org.apache.geronimo.jetty6.handler.JettySecurityHandler.checkSecurityConstraints(JettySecurityHandler.java:216)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:191)
        at org.apache.geronimo.jetty6.handler.JettySecurityHandler.handle(JettySecurityHandler.java:114)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
        at org.apache.geronimo.jetty6.handler.TwistyWebAppContext.access$101(TwistyWebAppContext.java:40)
        at org.apache.geronimo.jetty6.handler.TwistyWebAppContext$TwistyHandler.handle(TwistyWebAppContext.java:65)
        at org.apache.geronimo.jetty6.handler.ThreadClassloaderHandler.handle(ThreadClassloaderHandler.java:46)
        at org.apache.geronimo.jetty6.handler.InstanceContextHandler.handle(InstanceContextHandler.java:58)
        at org.apache.geronimo.jetty6.handler.UserTransactionHandler.handle(UserTransactionHandler.java:48)
        at org.apache.geronimo.jetty6.handler.ComponentContextHandler.handle(ComponentContextHandler.java:47)
        at org.apache.geronimo.jetty6.handler.TwistyWebAppContext.handle(TwistyWebAppContext.java:59)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
        at org.mortbay.jetty.Server.handle(Server.java:324)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:374)
        .....

        Jarek Gawor added a comment -

        Manu George said something on the http://www.mail-archive.com/dev@geronimo.apache.org/msg57376.html thread that prompted me to take a new look at this issue. I changed the code so that all dwr (plugin portlet) requests are forwarded through the /console context and that seems to fix the session problems. I committed the changes to trunk (revision 631758) and branches/2.1 (revision 631759).

        Please check out the updated code and verify the fix.

        Joseph Leong added a comment -

        Update:

        Been spending a great deal of time on this, have found a funny scenario that fixes this issue with expiring a cookie and some delays, but not satisfied with that hack. Going to put more work into it until I iron this out solid.

        Any thoughts would be appreciated. The specific issue is in private void checkNotCsrfAttack(HttpServletRequest request, String sessionCookieName), located at
        http://fisheye5.cenqua.com/browse/~raw,r=1.7/dwr/java/org/directwebremoting/dwrp/Batch.java

        It is throwing a session error because nothing will return true.

        Due to GERONIMO-3746 being resolved, this JIRA will remain active to update the CSRF issue.

        Thanks!
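The double-submit session check that Joseph's comment above points at (DWR's checkNotCsrfAttack) and the /console forwarding that Jarek's fix relies on, modelled as an added example; this is not DWR's or Geronimo's code. It assumes the mismatch comes from the DWR endpoint living in a different context than the console page, so the session cookie it receives differs from the httpSessionId the page placed in the batch; the cookie name JSESSIONID, the /plugin-portlet context, the request URL and the session values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

SESSION_COOKIE = "JSESSIONID"  # assumed cookie name; DWR receives it as sessionCookieName


class CsrfSecurityError(Exception):
    """Raised where DWR throws its session/security error."""


@dataclass
class Request:
    path: str
    cookies: Dict[str, str]  # cookies the browser attached to this request
    body: Dict[str, str]     # DWR batch parameters, e.g. {"httpSessionId": "..."}


def check_not_csrf_attack(request: Request, session_cookie_name: str = SESSION_COOKIE) -> bool:
    """Double-submit check: the session id must arrive both as the session cookie and
    inside the batch body, and the two must agree. Only a match returns True; every
    other case raises, which is the 'nothing will return true' failure in the comment."""
    cookie_id = request.cookies.get(session_cookie_name)
    body_id = request.body.get("httpSessionId", "")
    if cookie_id is None or body_id == "":
        raise CsrfSecurityError("session id missing from cookie or batch body")
    if cookie_id == body_id:
        return True
    raise CsrfSecurityError(f"cookie {cookie_id!r} != batch httpSessionId {body_id!r}")


def cookies_for_path(jar: Dict[Tuple[str, str], str], path: str) -> Dict[str, str]:
    """Simplified browser rule: a cookie is sent only to paths under its Path attribute.
    jar maps (cookie name, cookie path) -> value."""
    return {name: value for (name, cpath), value in jar.items() if path.startswith(cpath)}


def plugin_install_scenario(dwr_context: str) -> bool:
    """Constructed scenario: the console page embeds its own session id in the DWR
    batch. Assumption (not stated on the page): a DWR endpoint served from another
    context carries that context's session cookie, so the two ids disagree; serving
    DWR under /console, as the fix does, makes the cookie and the body agree."""
    jar = {(SESSION_COOKIE, "/console"): "C0N50LE-SESSION",        # constructed values
           (SESSION_COOKIE, "/plugin-portlet"): "D1FFERENT-SESSION"}
    page_session_id = jar[(SESSION_COOKIE, "/console")]
    path = dwr_context + "/dwr/call/plaincall/Installer.install.dwr"  # hypothetical URL
    req = Request(path=path, cookies=cookies_for_path(jar, path),
                  body={"httpSessionId": page_session_id})
    try:
        return check_not_csrf_attack(req)
    except CsrfSecurityError:
        return False
```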

        Joseph Leong added a comment -

        Due to the issue occurring in several overlapping files of other related JIRAs, please refer to GERONIMO-3746 for future updates regarding this bug.

        Thanks!
        Joseph Leong

        Joseph Leong added a comment -

        The cookie/session mismatch may have been a byproduct of not being redirected to ContinueForm after installation is complete. There the DWR session may properly close, allowing it to recreate a matching cookie/session the next time the plugin installer is called. A similar issue may exist in the Sys-Db portlet as well; will confirm and open a separate JIRA.


          People

          • Assignee: Joseph Leong
          • Reporter: Joseph Leong
          • Votes: 1
          • Watchers: 0
