v1.5.4 issue - Possible CSRF Attempt


Jordi Huguet

Apr 12, 2012, 9:05:43 AM
to xnat_di...@googlegroups.com
Hi there,

I'm in the (always risky) process of updating XNAT to the latest version (from v1.5.3). I currently have my XNAT platform running under WinOS.

I've followed the update process steps in order to use my old database in conjunction with the new release, but when I run XNAT again on Tomcat I have problems listing experiments/subjects/projects using the web frontend (using REST calls I'm able to list data, meaning it might not be a problem related to database connectivity). I use the Chrome browser. Did anyone else notice this issue?

Every time I try to list data using the web browser, I receive an email with the subject "Possible CSRF Attempt" containing some information about the problem environment, but without giving me a clue as to what may be wrong. Specifically, the following actions fail: http://mySite:8080/xnat/app/template/Search.vm/node/d.[experimentType]

I also had a look at the logs and found out the following (application.log):

2012-04-12 12:44:22,670 ["http-apr-8080"-exec-1] ERROR org.restlet.XNATVirtualHost.XNATApplication - Unhandled exception or error intercepted
java.lang.RuntimeException: java.lang.Exception: Invalid submit value (POST on URL: http://mySite:8080/xnat/REST/search
...
    at org.nrg.xnat.restlet.guard.XnatSecureGuard.authenticate(XnatSecureGuard.java:91)
    at org.nrg.xnat.restlet.guard.XnatSecureGuard.beforeHandle(XnatSecureGuard.java:42)
    at org.restlet.Filter.handle(Filter.java:193)
    ...

Caused by: java.lang.Exception: Invalid submit value (POST on URL: http://mySite:8080/xnat/REST/search
...
    at org.nrg.xdat.turbine.modules.actions.SecureAction.isCsrfTokenOk(SecureAction.java:188)
    at org.nrg.xdat.turbine.modules.actions.SecureAction.isCsrfTokenOk(SecureAction.java:152)
    at org.nrg.xnat.restlet.guard.XnatSecureGuard.authenticate(XnatSecureGuard.java:89)
    ... 49 more

Edit: I have tried with other browsers (Firefox, IExplorer) and they worked properly. It seems to affect only Chrome.

cheers,
Jordi

Jordan Woerndle

Apr 12, 2012, 10:17:54 AM
to xnat_di...@googlegroups.com
Hi Jordi,

I added the CSRF features so I will try to replicate this on a fresh instance today and let you know what I find. 

Thank you! 
Jordan

--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To post to this group, send email to xnat_di...@googlegroups.com.
To unsubscribe from this group, send email to xnat_discussi...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/xnat_discussion?hl=en.

Jordan Woerndle

Apr 12, 2012, 2:48:16 PM
to xnat_di...@googlegroups.com
I was able to replicate the problem on a fresh instance of XNAT 1.5.4 using both Chrome and Firefox. I could not find the problem, but when I came back from lunch, it was magically fixed.

I hate to say this, but it could be a caching issue on browser-side REST calls or the dynamic JavaScript loader.

Has anyone seen anything like this before?

Thanks,
Jordan
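The failure Jordi reports ("Invalid submit value" from the CSRF token check on POST /REST/search) and the caching explanation Jordan suspects can be illustrated with a small synchronizer-token check. This is an added example, not XNAT's code: `Session`, `csrf_check`, `no_store_headers` and the scenario values are all constructed here; the one assumption is that the page script carries a per-session token which a cached copy could serve after the server-side session has been replaced.

```python
# Added illustration (not XNAT's own code) of a synchronizer-token CSRF
# check like the one XnatSecureGuard applies to POST /REST/search, and of
# the stale-token case: a cached page script still submits the token of
# a session that no longer exists. Names are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict


@dataclass
class Session:
    sid: str
    # one random token per server-side session
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def csrf_check(session: Session, submitted: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason). Separating 'missing' from 'mismatch' makes a
    'Possible CSRF Attempt' alert actionable for the operator."""
    if not submitted:
        return False, "missing token"
    # constant-time comparison so the check leaks nothing about the token
    if not hmac.compare_digest(session.csrf_token, submitted):
        return False, "token mismatch (stale cached token or cross-site request)"
    return True, "ok"


def no_store_headers() -> Dict[str, str]:
    """Response headers for any page/script that embeds a session token,
    so the browser never replays a previous session's copy from cache."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def scenario() -> Dict[str, Tuple[bool, str]]:
    # Constructed scenario: Tomcat is redeployed, the old session is gone,
    # but Chrome still serves the Search.vm script (and its token) from cache.
    old = Session("sid-before-redeploy")
    cached_token = old.csrf_token          # baked into the cached script
    new = Session("sid-after-redeploy")    # fresh session after restart
    return {
        "fresh": csrf_check(new, new.csrf_token),   # normal request
        "stale": csrf_check(new, cached_token),     # Jordi's symptom
        "absent": csrf_check(new, None),            # token not sent at all
    }
```

Only the "stale" and "absent" cases raise the alert; the headers from `no_store_headers()` on token-bearing responses are the mitigation for the cache hypothesis, while a genuine cross-site POST would still be rejected.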

dave J

Apr 26, 2012, 3:55:05 PM
to xnat_discussion
I'm now encountering this after upgrading from 1.5.3 to 1.5.4. None of the listings (subject, MR sessions) are working. I've got the spinning circle of infinity with no results.

I've tried clearing my cookies on Firefox and loading the app using a private browsing session of Chrome. Both result in the spinning status with no results.

My test upgrade worked on my dev box, but production results in this.

Thanks. Dave.

application.log is empty. xdat.log has nothing of consequence.

Catalina.log is full of examples of this:
SEVERE: A web application created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@4c4f1af2]) and a value of type [com.noelios.restlet.component.ChildContext] (value [com.noelios.restlet.component.ChildContext@25208518]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Apr 26, 2012 2:50:31 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@72e8cc94]) and a value of type [com.noelios.restlet.http.HttpResponse] (value [com.noelios.restlet.http.HttpResponse@387f9d70]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
log4j:ERROR LogMananger.repositorySelector was null likely due to error in class reloading, using NOPLoggerRepository.
Apr 26, 2012 2:50:31 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Apr 26, 2012 2:50:31 PM org.apache.catalina.mbeans.ServerLifecycleListener lifecycleEvent
SEVERE: destroyMBeans: Throwable
javax.management.MalformedObjectNameException: Cannot create object name for org.apache.catalina.connector.Connector@11c2e5bb
    at org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.java:764)
    at org.apache.catalina.mbeans.MBeanUtils.destroyMBean(MBeanUtils.java:1416)
    at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:678)
    at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:1005)
    at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:971)
    at org.apache.catalina.mbeans.ServerLifecycleListener.lifecycleEvent(ServerLifecycleListener.java:154)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.StandardServer.stop(StandardServer.java:748)
    at org.apache.catalina.startup.Catalina.stop(Catalina.java:643)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:618)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)


Herrick, Rick

Apr 26, 2012, 4:14:54 PM
to xnat_di...@googlegroups.com
Hey Dave,

Are you sure nothing's changed in your Tomcat configuration? That Connector class is a core Tomcat implementation class, and the indication seems to be that Tomcat can't create one of the defined connectors. These are set up in the conf/server.xml configuration file. This also seems to map to a bug in (at least) Tomcat 6.0.24:

https://issues.apache.org/bugzilla/show_bug.cgi?id=48612

Unless something really wonky went on, there's no way the migration from 1.5.3 to 1.5.4 should affect this JMX functionality at all.
________________________________

The material in this message is private and may contain Protected Healthcare Information (PHI). If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

David Just

Apr 26, 2012, 4:18:53 PM
to XNAT_DISCUSSION
Nope, no Tomcat changes.

I did however fix my query results issue by wiping out my Tomcat XNAT app and doing a full setup.sh instead of upgrade.sh.

Herrick, Rick

Apr 26, 2012, 4:20:06 PM
to xnat_di...@googlegroups.com
Does that mean you're now working properly or are you still seeing issues with anything?