CSRF / "Unhandled exception or error intercepted" / "Invalid submit value" after updating to 1.5.4.


Gabriele

Jul 15, 2012, 1:25:07 PM
to xnat_di...@googlegroups.com, sup...@neuroinfo.org
After upgrading to 1.5.4, many users are no longer able to use XNAT without deleting all cookies and removing cache from each browser that had previously accessed XNAT at versions 1.5.2 or 1.5.3, even if accessing XNAT for the first time more than 1 week after the update. They have to do this for each instance of XNAT they use for each browser on each computer (i.e., all permutations of Chrome, Netscape, IE, Safari times each XNAT they use times each computer).

We have more than 100 user accounts who have yet to access one or more of their accounts after the update and three more XNAT instances to update (affecting dozens of accounts again).

It would be wonderful if we could fix this on the XNAT end. Perhaps with a page that clears the cookies and cache for them? Not sure why clearing the cache is needed as well, however it may be because they are forced to log in, and therefore reloading does not reload the offending page but the log-in page which consequently means that the offending page still has the "invalid submit value". Only happens on pages that do not use the REST API (e.g., Archiving) but it kicks them out as soon as they submit changes.

The email that is sent to administrators is:

TIME: Sun Jul 15 13:02:56 EDT 2012
MESSAGE: POST on URL: http://cbscentral.rc.fas.harvard.edu/REST/services/archive from 10.242.38.132 (59372) user: 10.242.38.132
Headers:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120424 Firefox/10.0.4
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate
connection: keep-alive
cookie: JSESSIONID=06CEC07EE0FF083A6B66D3DBC3A87FA5
content-type: application/x-www-form-urlencoded
content-length: 9738

 Cookies:
JSESSIONID 06CEC07EE0FF083A6B66D3DBC3A87FA5 -1 null

The error in the application.log is:

2012-07-15 13:00:07,300 ["http-apr-80"-exec-1] ERROR org.restlet.XNATVirtualHost.XNATApplication - Unhandled exception or error intercepted
java.lang.RuntimeException: java.lang.Exception: Invalid submit value (POST on URL: http://cbscentral.rc.fas.harvard.edu/REST/services/prearchive/move from 10.242.38.132 (58001) user: 10.242.38.132
Headers:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120424 Firefox/10.0.4
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate
connection: keep-alive
content-type: application/x-www-form-urlencoded; charset=UTF-8
pragma: no-cache, no-cache
cache-control: no-cache, no-cache
content-length: 140
cookie: JSESSIONID=06CEC07EE0FF083A6B66D3DBC3A87FA5

 Cookies:
JSESSIONID 06CEC07EE0FF083A6B66D3DBC3A87FA5 -1 null
)
        at org.nrg.xnat.restlet.guard.XnatSecureGuard.authenticate(XnatSecureGuard.java:91)
        at org.nrg.xnat.restlet.guard.XnatSecureGuard.beforeHandle(XnatSecureGuard.java:42)
        at org.restlet.Filter.handle(Filter.java:193)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at com.noelios.restlet.StatusFilter.doHandle(StatusFilter.java:130)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at com.noelios.restlet.ChainHelper.handle(ChainHelper.java:124)
        at com.noelios.restlet.application.ApplicationHelper.handle(ApplicationHelper.java:112)
        at org.restlet.Application.handle(Application.java:341)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Router.handle(Router.java:504)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Router.handle(Router.java:504)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at com.noelios.restlet.StatusFilter.doHandle(StatusFilter.java:130)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at com.noelios.restlet.ChainHelper.handle(ChainHelper.java:124)
        at org.restlet.Component.handle(Component.java:673)
        at org.restlet.Server.handle(Server.java:331)
        at com.noelios.restlet.ServerHelper.handle(ServerHelper.java:68)
        at com.noelios.restlet.http.HttpServerHelper.handle(HttpServerHelper.java:147)
        at com.noelios.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:881)
        at org.nrg.xnat.restlet.servlet.XNATRestletServlet.service(XNATRestletServlet.java:99)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:381)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:306)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:323)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1719)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.Exception: Invalid submit value (POST on URL: http://cbscentral.rc.fas.harvard.edu/REST/services/prearchive/move from 10.242.38.132 (58001) user: 10.242.38.132
Headers:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120424 Firefox/10.0.4
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate
connection: keep-alive
content-type: application/x-www-form-urlencoded; charset=UTF-8
pragma: no-cache, no-cache
cache-control: no-cache, no-cache
content-length: 140
cookie: JSESSIONID=06CEC07EE0FF083A6B66D3DBC3A87FA5

 Cookies:
JSESSIONID 06CEC07EE0FF083A6B66D3DBC3A87FA5 -1 null
)
        at org.nrg.xdat.turbine.modules.actions.SecureAction.isCsrfTokenOk(SecureAction.java:188)
        at org.nrg.xdat.turbine.modules.actions.SecureAction.isCsrfTokenOk(SecureAction.java:152)
        at org.nrg.xnat.restlet.guard.XnatSecureGuard.authenticate(XnatSecureGuard.java:89)
        ... 55 more


Herrick, Rick

Jul 16, 2012, 9:44:23 AM
to xnat_di...@googlegroups.com

Thanks for the info, Gabriele, we’ll have a look at it today. We’ll see if we can provide a fix as a patch, but it would depend on how invasive that code might need to be. We’ll let you know one way or another!


Jordan Woerndle

Jul 16, 2012, 11:30:30 AM
to xnat_di...@googlegroups.com
Sorry this is giving you so much grief, Gabriele. Browsers are pretty zealous about caching javascript and css and I suspect that's exactly the problem we're seeing here.

I wrote a simple servlet filter (source provided) that sets the Cache-Control header to "max-age=0, private, must-revalidate". Hopefully, this will band-aid the problem until all your users have had the chance to hit the site. At that point, take it out.

To use this filter, drop the noCacheFilter.jar file into your <tomcathome>/webapps/xnat/lib/ folder. Then add the following code to web.xml just before the "Redirect the home page of the application to the turbine servlet" comment:

  <filter>
    <filter-name>SetCacheControl</filter-name>
    <filter-class>org.nrg.xnat.filters.CacheControl</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SetCacheControl</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Feel free to tune the url-pattern if, for example, you only want to match on *.js files.

Of course, this has not been very well tested. Please try it in a test environment to see if it helps, first. If not, we might change the filter to only run on the resources associated with Archiving, doing a 301 redirect and adding a timestamp to the querystring. That is more intrusive, so I'm hoping this simple solution does the trick.

Thank you so much, feel free to contact me directly if you need. My cell is 314-374-5174.

Jordan
noCacheFilter.jar
CacheControl.java
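The attached CacheControl.java is not reproduced in the thread. The following is an added example of a servlet filter of the kind Jordan describes, written for this page rather than taken from XNAT; it uses the package and class name from the web.xml snippet above (org.nrg.xnat.filters.CacheControl) and assumes the javax.servlet API that Tomcat 7 provides. It sets Cache-Control to "max-age=0, private, must-revalidate" as in the post, which tells the browser it may keep a copy of cached JavaScript and CSS but must revalidate it with the server before reusing it, so pages stop running stale scripts that submit an outdated CSRF token. The Pragma and Expires headers are an addition of this example for HTTP/1.0 caches and are not mentioned in the post.

```java
// Added example, not the CacheControl.java attached to the thread.
// Package and class name match the <filter-class> in the web.xml snippet.
package org.nrg.xnat.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Forces browsers to revalidate every response matched by the filter's
 * url-pattern (here: everything), so scripts and stylesheets cached from an
 * earlier XNAT version are refreshed instead of replayed against the new one.
 */
public class CacheControl implements Filter {

    // Value from the post: keep a private copy, but always revalidate it.
    private static final String CACHE_CONTROL_VALUE = "max-age=0, private, must-revalidate";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed for this band-aid filter.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // Headers are set before the chain runs so they are in place before
            // any downstream servlet commits the response.
            httpResponse.setHeader("Cache-Control", CACHE_CONTROL_VALUE);
            // Assumption of this example, not in the post: HTTP/1.0 caches ignore
            // Cache-Control, so Pragma and an already-expired Expires cover them.
            httpResponse.setHeader("Pragma", "no-cache");
            httpResponse.setDateHeader("Expires", 0L);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Compile this against the servlet API jar shipped with Tomcat, package it as a jar in <tomcathome>/webapps/xnat/lib/, and register it with the <filter> and <filter-mapping> entries quoted above. Because a downstream servlet can still overwrite the header, confirm the effect from a browser's network inspector (the Cache-Control response header on a .js resource) before relying on it, and narrow the url-pattern to *.js and *.css if the blanket mapping is too aggressive for large image or DICOM downloads.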

Jordan Woerndle

Jul 16, 2012, 11:42:23 AM
to xnat_di...@googlegroups.com
Gabriele,

I updated the filter to cover even more cases. Please use this jar instead of the one attached to my last message. Again, source is attached as well.

Thank you,
Jordan
noCacheFilter.jar
CacheControl.java