FUSE Message Broker / MB-670

Possible CSRF attack error received when selecting purge/delete links in the ActiveMQ Admin console

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.3.1-fuse-01-00
    • Fix Version/s: None
    • Component/s: broker
    • Labels: None

      Description

      On selecting Purge for a queue, the following URL is returned:

      http://localhost:8161/admin/purgeDestination.action?JMSDestination=TEST.FOO&JMSDestinationType=queue&secret=d639b715-9ffb-48d4-b6ff-9bfd8ba62880

      The exception is:

      HTTP ERROR: 500

      Possible CSRF attack
      RequestURI=/admin/purgeDestination.action

      Caused by:

      java.lang.UnsupportedOperationException: Possible CSRF attack
      at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
      at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
      at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:1057)
      at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:854)
      at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807)
      at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
      at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
      at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1124)
      at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1115)
      at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1115)
      at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
      at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1115)
      at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:361)
      at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
      at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
      at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
      at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:417)
      at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
      at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
      at org.mortbay.jetty.Server.handle(Server.java:324)
      at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
      at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:864)
      at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:533)
      at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:207)
      at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
      at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
      at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
      Powered by Jetty://
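The console refuses the purge with "Possible CSRF attack" because the `secret` it was handed could not be matched against the current session. The block below is an added illustration of that class of check and is not ActiveMQ's or FUSE's own code: a per-session secret is embedded in the action link, and the handler rejects any state-changing request whose secret is absent or does not match. The `Session`, `check_csrf`, `purge_destination` and `rejection_reason` names, the `BROKER_QUEUES` stand-in for broker state, and the assumption that the secret is a server-side per-session value are all constructed for the example; the page does not show how the console stores its secret.

```python
"""Session-bound secret check of the kind that yields "Possible CSRF attack".

Added illustration; not ActiveMQ's code. All names and the broker state
below are constructed for the example.
"""
import hmac
import uuid
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


class CsrfError(Exception):
    """Raised when a state-changing request carries no usable secret."""


@dataclass
class Session:
    """Hypothetical server-side session. The secret is minted once per
    session and is never derived from anything the client supplies."""
    sid: str = field(default_factory=lambda: uuid.uuid4().hex)
    secret: str = field(default_factory=lambda: str(uuid.uuid4()))


# Constructed stand-in for broker state: queue name -> pending message count.
BROKER_QUEUES = {"TEST.FOO": 3}


def build_action_url(session, base, action, destination, destination_type="queue"):
    """Render a console link shaped like the purge URL in the report, with the
    session's secret embedded as the `secret` query parameter."""
    query = urlencode({
        "JMSDestination": destination,
        "JMSDestinationType": destination_type,
        "secret": session.secret,
    })
    return f"{base}/admin/{action}.action?{query}"


def check_csrf(session, params):
    """Refuse the request unless the presented secret matches the session's.

    Three distinct failure modes surface as the same rejection, which is why
    the error text in the report alone does not say which one occurred:
      * no session (or a session without a secret) to compare against,
      * the secret parameter is absent from the request,
      * the secret belongs to a different session or was altered.
    """
    if session is None or not session.secret:
        raise CsrfError("Possible CSRF attack (no session secret available)")
    presented = params.get("secret", [None])[0]
    if presented is None:
        raise CsrfError("Possible CSRF attack (secret parameter missing)")
    # Constant-time comparison so timing does not reveal how much matched.
    if not hmac.compare_digest(presented.encode(), session.secret.encode()):
        raise CsrfError("Possible CSRF attack (secret does not match session)")


def purge_destination(session, url):
    """Handle a purge request for a URL of the form shown in the issue.
    Returns the destination name once the queue has been emptied."""
    params = parse_qs(urlsplit(url).query)
    check_csrf(session, params)
    name = params["JMSDestination"][0]
    if name not in BROKER_QUEUES:
        raise KeyError(f"unknown destination {name}")
    BROKER_QUEUES[name] = 0
    return name


def rejection_reason(session, url):
    """Return the CsrfError message for a request, or None if it would be
    accepted. Lets each failure mode be inspected without mutating state."""
    try:
        check_csrf(session, parse_qs(urlsplit(url).query))
    except CsrfError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    browser = Session()
    link = build_action_url(browser, "http://localhost:8161",
                            "purgeDestination", "TEST.FOO")
    print("link rendered for the session:", link)
    print("same session submits it  ->", rejection_reason(browser, link))
    print("other session submits it ->", rejection_reason(Session(), link))
    print("no session at all        ->", rejection_reason(None, link))
```

Run it as a script to see the three rejections side by side. The point for the report above: in this model the same error appears whether the link was forged or whether the console simply did not have the session that rendered the page when it handled the click, so the first thing to verify is that the session which produced the purge link is the one submitting it, which is a session and security configuration question rather than evidence of an attack.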

      Attachments

      1. activemq-dev2402.xml (7 kB, Sean O'Callaghan)
      2. webconsole.properties (0.1 kB, Sean O'Callaghan)

        Activity

        Sean O'Callaghan added a comment -

        Files used when starting the broker.
        Dejan Bosanac added a comment -

        Hi Sean,

        can you try the files attached in the dev2302.zip archive? They contain a modified activemq-dev2402.xml that includes an adapted jetty.xml, which secures the console correctly (see http://fusesource.com/issues/browse/MB-666 for more details).

        I couldn't reproduce the error with these files and the 5.3.1-00-01 broker.
        Sean O'Callaghan added a comment -

        Hi Dejan,

        Thanks. I think my setup might not be correct; can you send me the credentials.properties and webconsole.properties that you use?
        I can log on to the console using the user and password I've defined in webconsole.properties:

        system:ev3rstr3am: amqAdmin,

        However, when I try to create I get an exception, and the same when I hit purge:

        java.lang.UnsupportedOperationException: Possible CSRF attack occurs.

        Regards,

        Sean.
        Dejan Bosanac added a comment -

        Hi Sean,

        I just tried it on a clean 5.3.1-01-00 install, with the files from dev-2402.zip.

        I copied the missing webconsole.properties manually and started a broker with

        bin/activemq xbean:conf/activemq-dev2402.xml

        and everything seems to work fine.

        Can you try it on a fresh install and describe step by step how you reproduce it?

        Thanks,
        Dejan
        Sean O'Callaghan added a comment -

        Hi Dejan,

        I have tried a fresh install of 5.3.1-01-00.

        Using the activemq-dev2402.xml file, with the webconsole.properties copied in, I get the exception below on starting the broker:

        INFO | Connector vm://localhost Stopped
        INFO | Connector vm://localhost Started
        WARN | Failed to add Connection
        java.lang.SecurityException: User name or password is invalid.
        at org.apache.activemq.security.SimpleAuthenticationBroker.addConnection(SimpleAuthenticationBroker.java:52)
        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:683)
        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:303)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:181)
        at org.apache.activemq.transport.ResponseCorrelator.onCommand(ResponseCorrelator.java:116)
        at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
        at org.apache.activemq.transport.vm.VMTransport.iterate(VMTransport.java:219)
        at org.apache.activemq.thread.DedicatedTaskRunner.runTask(DedicatedTaskRunner.java:98)
        at org.apache.activemq.thread.DedicatedTaskRunner$1.run(DedicatedTaskRunner.java:36)

        Do you see this?

        Sean.
        Dejan Bosanac added a comment -

        Hi Sean,

        Strangely, no. It's probably due to the security plugins configured in the file. Just for the sake of easier testing I created a new archive with everything included (and broker security disabled): mb670.zip.

        Can you try it out?

        Thanks,
        Dejan
        Sean O'Callaghan added a comment -

        Hi Dejan,

        Using that config, all seems to work okay.

        Thanks,

        Sean.

          People

          • Assignee: Dejan Bosanac
          • Reporter: Sean O'Callaghan
          • Votes: 0
          • Watchers: 0