Chrome Issue


wilca014

Oct 14, 2019, 1:19:32 AM
to uPortal Community
Hi,

I have this weird issue, only with Chrome, where certain calls return 403 errors.

Chrome Failed.
10.76.192.11 - - [14/Oct/2019:15:14:57 +1100] "POST /uPortal/p/cache-manager.ctf3/max/action.uP?_csrf=c01b7c1d-cff3-4acd-84d7-155c980765a7&pP_execution=e1s6 HTTP/1.0" 403 - "https://devportal.vu.edu.au/uPortal/p/cache-manager.ctf3/max/render.uP?pP_execution=e1s1&pP__eventId=flush-all" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"

Firefox worked.
10.76.192.11 - - [14/Oct/2019:15:15:44 +1100] "POST /uPortal/p/cache-manager.ctf3/max/action.uP?_csrf=e84f4782-76f3-45ac-8fb0-df98c3e7e0bf&pP_execution=e1s10 HTTP/1.0" 302 - "https://devportal.vu.edu.au/uPortal/p/cache-manager.ctf3/max/render.uP?pP_execution=e1s9&pP__eventId=flush-all" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"

Has anyone seen this before?

Regards,
Colin

wilca014

Oct 14, 2019, 2:25:44 AM
to uPortal Community
Hi Guys,

For some unknown reason it's tripping the invalid CORS request.

DEBUG [ajp-nio2-8009-exec-5] o.a.p.security.filter.CorsFilter 2019-10-14 17:22:51,103 - Request origin: https://devportal.vu.edu.au
DEBUG [ajp-nio2-8009-exec-5] o.a.p.security.filter.CorsFilter 2019-10-14 17:22:51,103 - Request method: POST
DEBUG [ajp-nio2-8009-exec-5] o.a.p.security.filter.CorsFilter 2019-10-14 17:22:51,103 - Invalid CORS request; Origin=https://devportal.vu.edu.au;Method=POST

wilca014

Oct 14, 2019, 3:27:06 AM
to uPortal Community
Hi,

Found the issue, and by the looks of it you have a configuration issue that only affects Chrome.

In the CorsFilter class you have the following, setting allowed origins to *:

public static final String DEFAULT_ALLOWED_ORIGINS = "*";

But in "securityContext.xml" you are resetting the default to an empty string rather than the * as it is in the code.

<bean id="corsFilter" class="org.apereo.portal.security.filter.CorsFilter">
    <!-- allowedOrigins should include protocol. For example, "https://idp.myschool.edu, https://cas.myschool.edu" -->
    <property name="allowedOrigins" value="${cors.allowed.origins:}" />
    <property name="allowedHttpMethods" value="${cors.allowed.methods:GET,HEAD}" />
    <property name="allowedHttpHeaders" value="${cors.allowed.headers:Origin,Accept,Authorization,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers}" />
    <property name="exposedHeaders" value="${cors.exposed.headers:}" />
    <property name="supportsCredentials" value="${cors.support.credentials:true}" />
    <property name="preflightMaxAge" value="${cors.preflight.maxage:1800}" />
    <property name="decorateRequest" value="${cors.request.decorate:true}" />
</bean>

By the looks of it you guys have a mismatch in the configuration; for some unknown reason it only affects Chrome.

Regards,
Colin

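A simplified model of the allow-list check discussed in this thread, added here as an example and not taken from uPortal's CorsFilter. It assumes that a request without an Origin header passes through as non-CORS, that both origin and method must be on the allow-lists, and that the property overrides in `fixed` are constructed values; the thread's logs do not show whether the Firefox request carried an Origin header.

```java
import java.util.*;

// Simplified model of an origin/method allow-list check; hypothetical names, not uPortal's CorsFilter.
public class CorsAllowListDemo {
    // Mimics Spring's "${key:default}" placeholder: the text after ':' is used when the key is unset,
    // so "${cors.allowed.origins:}" yields "" and replaces any default set in the Java class.
    static String resolve(Map<String, String> props, String key, String xmlDefault) {
        return props.getOrDefault(key, xmlDefault);
    }

    // Splits a comma-separated value and drops blanks, so "" becomes an empty allow-list.
    static Set<String> parseList(String csv) {
        Set<String> out = new LinkedHashSet<>();
        for (String item : csv.split(",")) {
            if (!item.trim().isEmpty()) out.add(item.trim());
        }
        return out;
    }

    // origin == null models a request that carries no Origin header (assumed to be non-CORS).
    static boolean allowed(String origin, String method, Set<String> origins, Set<String> methods) {
        if (origin == null) return true;
        boolean originOk = origins.contains("*") || origins.contains(origin);
        return originOk && methods.contains(method);   // false corresponds to the 403 in the access log
    }

    public static void main(String[] args) {
        String portal = "https://devportal.vu.edu.au";   // origin from the debug log in this thread
        Map<String, String> unset = new HashMap<>();     // no cors.* properties defined
        Map<String, String> fixed = new HashMap<>();     // constructed override values
        fixed.put("cors.allowed.origins", portal);
        fixed.put("cors.allowed.methods", "GET,HEAD,POST");

        for (Map<String, String> props : List.of(unset, fixed)) {
            Set<String> origins = parseList(resolve(props, "cors.allowed.origins", ""));
            Set<String> methods = parseList(resolve(props, "cors.allowed.methods", "GET,HEAD"));
            System.out.println("origins=" + origins + " methods=" + methods);
            System.out.println("  POST with Origin header allowed:    "
                    + allowed(portal, "POST", origins, methods));
            System.out.println("  POST without Origin header allowed: "
                    + allowed(null, "POST", origins, methods));
        }
    }
}
```

Listing the portal's own origin explicitly keeps the allow-list narrow while `supportsCredentials` stays `true`, which a `*` default would not.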