Apache mod_proxy: XsrfAccessTokenValidator failed

[Mo B]

Hello dear community,

I recently updated to version 2 and since then I always get "Session expired" when I try to update/save something via the UI. I even tried with a clean installation, same problem. My setup:

- I run SCM-Manager in a container via Docker Compose, local port 10002

- I run an Apache reverse proxy before it, configured as stated in the wiki:

  AllowEncodedSlashes NoDecode
  RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
  RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
  ProxyPass / http://localhost:10002/ nocanon
  ProxyPassReverse / http://localhost:10002/
  <Location /scm>
      Order allow,deny
      Allow from all
  </Location>

- The reverse proxy acts as TLS endpoint listening on 443

- The called URLs are correctly set to https

I can access the page, I can login, I can talk to the repos via SSH. All fine. Except when I try to change something, like settings, adding a plugin, creating a new repo, etc. Always get a 401 response.

I enabled trace logging to see what is going on and, on the problematic actions, always get this:

  scm_manager_1  | 2020-12-22 10:09:20.064 [qtp120694604-17] [          ] TRACE sonia.scm.web.filter.AuthenticationFilter - generated web token class sonia.scm.security.BearerToken from generator class sonia.scm.web.CookieBearerWebTokenGenerator
  scm_manager_1  | 2020-12-22 10:09:20.064 [qtp120694604-17] [          ] TRACE sonia.scm.web.filter.AuthenticationFilter - found authentication token on request, start authentication
  scm_manager_1  | 2020-12-22 10:09:20.067 [qtp120694604-17] [          ] TRACE sonia.scm.web.filter.AuthenticationFilter - found basic authorization header, start authentication
  scm_manager_1  | 2020-12-22 10:09:20.067 [qtp120694604-17] [          ] DEBUG sonia.scm.security.ApiKeyRealm - Ignoring non base 64 token; this is probably a JWT token or a normal password
  scm_manager_1  | 2020-12-22 10:09:20.073 [qtp120694604-17] [          ] TRACE sonia.scm.store.JAXBConfigurationEntryStore - get item scmadmin from configuration store
  scm_manager_1  | 2020-12-22 10:09:20.081 [qtp120694604-17] [          ] DEBUG sonia.scm.security.JwtAccessTokenResolver - token AxSJtO3Ua2 is invalid, marked by validator class sonia.scm.security.XsrfAccessTokenValidator
  scm_manager_1  | 2020-12-22 10:09:20.106 [qtp120694604-17] [          ] TRACE sonia.scm.web.filter.AuthenticationFilter - handle token validation failed exception
  scm_manager_1  | 2020-12-22 10:09:20.108 [qtp120694604-17] [          ] TRACE sonia.scm.web.filter.AuthenticationFilter - send unauthorized, because of a failed token validation
  scm_manager_1  | 2020-12-22 10:09:20.112 [qtp120694604-17] [          ] TRACE sonia.scm.security.DefaultKeyGenerator - create new key 5GSJtOveCE
  scm_manager_1  | 2020-12-22 10:09:20.131 [qtp120694604-17] [5GSJtOveCE] TRACE sonia.scm.store.JAXBConfigurationEntryStore - get item scmadmin from configuration store
  scm_manager_1  | 2020-12-22 10:09:20.132 [qtp120694604-17] [5GSJtOveCE] DEBUG sonia.scm.security.JwtAccessTokenResolver - token AxSJtO3Ua2 is invalid, marked by validator class sonia.scm.security.XsrfAccessTokenValidator
  scm_manager_1  | 2020-12-22 10:09:20.132 [qtp120694604-17] [5GSJtOveCE] TRACE sonia.scm.web.security.TokenRefreshFilter - could not resolve token
  scm_manager_1  | sonia.scm.security.TokenValidationFailedException: Token validator class sonia.scm.security.XsrfAccessTokenValidator failed for access token AxSJtO3Ua2
  scm_manager_1  |     at sonia.scm.security.JwtAccessTokenResolver.validate(JwtAccessTokenResolver.java:92)
  ... STRACKTRACE ...
  scm_manager_1  | 2020-12-22 10:09:20.136 [qtp120694604-17] [5GSJtOveCE] DEBUG sonia.scm.security.SecurityRequestFilter - blocked unauthenticated request to method public javax.ws.rs.core.Response sonia.scm.api.v2.resources.ConfigResource.update(sonia.scm.api.v2.resources.ConfigDto)

I am at a loss here and probably missing something ovvious.

I've looked through the docs time and again, but I can't seem to find any more things I need to set up except the reverse proxy config...

Any help would be appreciated!

Regards,

Maurice

[Sebastian Sdorra]

Hi Maurice,
It looks like SCM-Manager created a JWT with an xsrf protection key, but fails to extract it from the JWT.

You could disable the xsrf protection, which should fix the problem (Administration->Settings->Enabled XSRF Protection), but it would be really great if we could find the root cause of the problem before.

Which browser do you use? Did you see an X-XSRF-Token header on POST or PUT methods? Could you check the settings (Path, Secure, HttpOnly) of the issues X-Bearer-Token?

Sebastian

--
You received this message because you are subscribed to the Google Groups "scmmanager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to scmmanager+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/scmmanager/366153f0-e391-4b2d-a1cf-256759fec97fn%40googlegroups.com.

[Mo B]

Hi Sebastian,

thanks a lot for the really quick reply. And as I thought, I did miss something!

Thanks to your suggestions I remembered my server sets some security settings by default - including "HttpOnly" for cookies.

Turns out: This is exactly the culprit here. Once I set a directive to remove the HttpOnly for SCM-Manager it started behaving just fine :)

Maybe add this to the FAQ or installation documentation?

Again, thanks for the help. Keep up the amazing product :)

Kind regards,

Maurice

[Sebastian Sdorra]

We will add a note about the HttpOnly cookies to the reverse proxy documentation.

Sebastian

To view this discussion on the web visit https://groups.google.com/d/msgid/scmmanager/033f415c-7d48-4ced-b367-2706c11f1da3n%40googlegroups.com.